Cisco Acs 5x User Guide
19-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
Chapter 19 Understanding Logging
About Logging

Local Store Target

Log messages in the local store are text files that are sent to one log file, located at /opt/CSCOacs/logs/localStore/, regardless of which logging category they belong to. The local store can only contain log messages from the local ACS node; the local store cannot accept log messages from other ACS nodes.

You can configure which logs are sent to the local store, but you cannot configure which attributes are sent with the log messages; all attributes are sent with the log messages. Administrative and operational audit log messages are always sent to the local store, and you can also send them to remote syslog server and Monitoring and Reports server targets.

Log messages are sent to the local store with this syslog message format:

time stamp sequence_num msg_code msg_sev msg_class msg_text attr=value

Table 19-2 describes the content of the local store syslog message format.

Table 19-1 Log Message Severity Levels

ACS Severity Level | Description | Syslog Severity Level
FATAL | Emergency. ACS is not usable and you must take action immediately. | 1 (highest)
ERROR | Critical or error conditions. | 3
WARN | Normal, but significant condition. | 4
NOTICE | Audit and accounting messages. Messages of severity NOTICE are always sent to the configured log targets and are not filtered, regardless of the specified severity threshold. | 5
INFO | Diagnostic informational message. | 6
DEBUG | Diagnostic message. | 7
Table 19-2 Local Store and Syslog Message Format

Field | Description
timestamp | Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. Possible values are:
  YYYY = Numeric representation of the year.
  MM = Numeric representation of the month. For single-digit months (1 to 9), a zero precedes the number.
  DD = Numeric representation of the day of the month. For single-digit days (1 to 9), a zero precedes the number.
  hh = The hour of the day, 00 to 23.
  mm = The minute of the hour, 00 to 59.
  ss = The second of the minute, 00 to 59.
  xxx = The millisecond of the second, 000 to 999.
  +/-zh:zm = The time zone offset from the ACS server's time zone, where zh is the number of offset hours and zm is the number of minutes of the offset hour, all of which is preceded by a minus or plus sign to indicate the direction of the offset. For example, +02:00 indicates that the message occurred at the time indicated by the time stamp, and on an ACS node that is two hours ahead of the ACS server's time zone.
sequence_num | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999.
msg_code | Message code as defined in the logging categories.
msg_sev | Message severity level of a log message (see Table 19-1).
msg_class | Message class, which identifies groups of messages with the same context.
msg_text | English language descriptive text message.
attr=value | Set of attribute-value pairs that provides details about the logged event. A comma (,) separates each pair. Attribute names are as defined in the ACS dictionaries. Values of the Response direction AttributesSet are bundled into one attribute called Response and are enclosed in curly brackets {}. In addition, the attribute-value pairs within the Response are separated by semicolons. For example:
  Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; cisco-av-pair=sga:security-group-tag=0000-00; }
You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. If you do configure more than one day to retain local store files and the data size of the combined files reaches 95000Mb, a FATAL message is sent to the system diagnostic log, and all logging to the local store is stopped until data is purged. Use the web interface to purge local store log files. Purging actions are logged to the current, active log file. See Deleting Local Log Data, page 18-23.

The current log file is named acsLocalStore.log. Older log files are named in the format acsLocalStore.log.YYYY-MM-DD-hh-mm-ss-xxx, where:

acsLocalStore.log = The prefix of a non-active local store log file, appended with the time stamp.

Note: The time stamp is added when the file is first created, and should match the time stamp of the first log message in the file.

YYYY = Numeric representation of the year.
MM = Numeric representation of the month. For single-digit months (1 to 9), a zero precedes the number.
DD = Numeric representation of the day of the month. For single-digit days (1 to 9), a zero precedes the number.
hh = Hour of the day, 00 to 23.
mm = Minute of the hour, 00 to 59.
ss = Second of the minute, 00 to 59.
xxx = Millisecond of the second, 000 to 999.

You can configure the local store to be a critical log target. See Viewing Log Messages, page 19-10 for more information on critical log targets.

You can send log messages to the local log target (local store) or to up to eight remote log targets (on a remote syslog server):

Select System Administration > Configuration > Log Configuration > Remote Log Targets to configure remote log targets.
Select System Administration > Configuration > Log Configuration > Logging Categories to configure which log messages you want to send to which targets.

Critical Log Target

The local store target can function as a critical log target: the primary, or mandatory, log target for a logging category. For example, administrative and operational audit messages are always logged to the local store, but you can also configure them to be logged to a remote syslog server or the Monitoring and Reports server log target. However, administrative and operational audit messages configured to be additionally logged to a remote log target are only logged to that remote log target if they are first logged successfully to the local log target.
When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis. When you configure a critical log target, and a message does not log to that critical log target, the message is also not sent to the configured noncritical log target. When you do not configure a critical log target, a message is sent to a configured noncritical log target on a best-effort basis.

Select System Administration > Configuration > Log Configuration > Logging Categories > Global > log_category, where log_category is a specific logging category, to configure the critical log target for the logging categories.

Note: Critical logging is applicable for accounting and AAA audit (passed authentications) categories only. You cannot configure critical logging for the following categories: AAA diagnostics, system diagnostics, and system statistics.

Remote Syslog Server Target

You can use the web interface to configure logging category messages so that they are sent to remote syslog server targets. Log messages are sent to the remote syslog server targets in accordance with the syslog protocol standard (see RFC 3164). The syslog protocol is an unsecured UDP protocol.

Log messages are sent to the remote syslog server with this syslog message header format, which precedes the local store syslog message format (see Table 19-2):

pri_num YYYY Mmm DD hh:mm:ss xx:xx:xx:xx/host_name cat_name msg_id total_seg seg_num

Table 19-3 describes the content of the remote syslog message header format.
Table 19-3 Remote Syslog Message Header Format

Field | Description
pri_num | Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The valid facility code options are:
  LOCAL0 (Code = 16)
  LOCAL1 (Code = 17)
  LOCAL2 (Code = 18)
  LOCAL3 (Code = 19)
  LOCAL4 (Code = 20)
  LOCAL5 (Code = 21)
  LOCAL6 (Code = 22; default)
  LOCAL7 (Code = 23)
  Severity value: see Table 19-1 for severity values.
time | Date of the message generation, according to the local clock of the originating ACS, in the format YYYY Mmm DD hh:mm:ss. Possible values are:
  YYYY = Numeric representation of the year.
  Mmm = Representation of the month: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
  DD = Numeric representation of the day of the month. For single-digit days (1 to 9), a space precedes the number.
  hh = The hour of the day, 00 to 23.
  mm = The minute of the hour, 00 to 59.
  ss = The second of the minute, 00 to 59.
  Some devices send messages that specify a time zone in the format -/+hhmm, where - and + identify the directional offset from the ACS server's time zone, hh is the number of offset hours, and mm is the number of minutes of the offset hour. For example, +02:00 indicates that the message occurred at the time indicated by the time stamp, and on an ACS node that is two hours ahead of the ACS server's time zone.
xx:xx:xx:xx/host_name | IP address of the originating ACS, or the hostname.
cat_name | Logging category name preceded by the CSCOacs string.
msg_id | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted.
total_seg | Total number of segments in a log message. Long messages are divided into more than one segment.
seg_num | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing.
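As an added example (not from the Cisco guide), the following Python decodes one remote syslog line laid out as in Table 19-3, splits pri_num back into its facility and severity values, and parses the local store payload from Table 19-2, including the Response attribute set bundled in curly brackets. The sample line is constructed; it assumes pri_num is wrapped in angle brackets as in RFC 3164 and that the category name starts with CSCOacs, as the tables state.

```python
import re

# Facility codes (Table 19-3; LOCAL6 = 22 is the default) and syslog severity values (Table 19-1).
FACILITIES = {16 + i: f"LOCAL{i}" for i in range(8)}
SEVERITIES = {1: "FATAL", 3: "ERROR", 4: "WARN", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}
# Header (Table 19-3): pri_num YYYY Mmm DD hh:mm:ss host_name cat_name msg_id total_seg seg_num
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*\d{4} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<cat>CSCOacs\S*) (?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+) (?P<payload>.*)$")
# Payload (Table 19-2): timestamp sequence_num msg_code msg_sev msg_class msg_text attr=value,...
PAYLOAD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3} [+-]\d\d:\d\d) (?P<seq>\d+) "
    r"(?P<code>\d+) (?P<sev>[A-Z]+) (?P<cls>\S+) (?P<rest>.*)$")
# Constructed sample line, not captured from a real ACS: pri 181 = LOCAL6 (22) * 8 + NOTICE (5).
SAMPLE = ("<181>2012 Mar  5 14:22:10 acs01 CSCOacs_Passed_Authentications 42 1 1 "
          "2012-03-05 14:22:10:123 +02:00 0000000042 5200 NOTICE Passed-Authentication "
          "Authentication succeeded, UserName=alice, Response={RadiusPacketType=AccessAccept; "
          "AuthenticationResult=Success; cisco-av-pair=sga:security-group-tag=0000-00; }")

def parse_payload(rest):
    # Split on commas outside Response={...} (regex lookahead); pieces without '=' form msg_text.
    text, attrs = [], {}
    for part in filter(None, (p.strip() for p in re.split(r",(?![^{]*})", rest))):
        if "=" not in part:
            text.append(part)
            continue
        key, val = part.split("=", 1)
        if val.startswith("{") and val.endswith("}"):  # bundled Response attribute set, ';'-separated
            val = dict(i.strip().split("=", 1) for i in val[1:-1].split(";") if "=" in i)
        attrs[key.strip()] = val
    return ", ".join(text), attrs

def parse_remote_syslog(line):
    # Decode header and payload; raise ValueError if either does not match the documented format.
    head = HEADER_RE.match(line)
    body = PAYLOAD_RE.match(head["payload"]) if head else None
    if not body:
        raise ValueError("line does not match the ACS remote syslog format")
    pri = int(head["pri"])
    text, attrs = parse_payload(body["rest"])
    return {"facility": FACILITIES.get(pri // 8), "severity": SEVERITIES.get(pri % 8),
            "host": head["host"], "category": head["cat"], "msg_id": int(head["msg_id"]),
            "segment": (int(head["seg_num"]), int(head["total_seg"])), "timestamp": body["ts"],
            "sequence_num": int(body["seq"]), "msg_code": body["code"], "msg_sev": body["sev"],
            "msg_class": body["cls"], "msg_text": text, "attrs": attrs}
```

Comparing the decoded severity from pri_num with the msg_sev field in the payload is a cheap consistency check on a collector; the two are independent copies of the same value.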
The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 (LOCAL6 is the default logging location). Log messages that you assign to the remote syslog server are sent to the default location for Linux syslog (/var/log/messages); however, you can configure a different location on the server.

The remote syslog server cannot function as a critical log target. See Critical Log Target, page 19-7 for more information on critical log targets.

Monitoring and Reports Server Target

You can use the web interface to configure logging category messages so that they are sent to the Monitoring and Reports server target. Log messages are sent to the Monitoring and Reports server target in accordance with the syslog protocol standard (see RFC 3164). The syslog protocol is an unsecured UDP protocol.

Log messages are sent to the Monitoring and Reports server with the syslog message header format described in Table 19-3, which precedes the local store syslog message format (see Table 19-2).

The Monitoring and Reports server cannot function as a critical log target. See Critical Log Target, page 19-7 for more information on critical log targets.

Viewing Log Messages

You can use the web interface and the CLI to view locally stored log messages. You cannot view log messages that are sent to remote syslog servers via the web interface or the CLI.

In the web interface, choose Monitoring and Reports > Launch Monitoring & Report Viewer to open the Monitoring and Reports Viewer in a secondary window (see Figure 19-1). See the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3 for more information about viewing log messages via the CLI.

Figure 19-1 Monitoring and Reports Viewer
The Monitoring & Report Viewer has two drawer options:

Monitoring and Reports: Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks.
Monitoring Configuration: Use this drawer to view and configure logging operations and system settings.

In addition to the information that is captured in the log messages described in Logging Categories, page 19-2, the Viewer reports list successful and failed AAA authentication attempts with Step attributes. Step attributes provide information about other events that occurred within the same session. This information allows you to see the sequence of steps that resulted in an authentication success or failure.

You can use the Viewer to:

Manage alarms, reports, and troubleshooting information.
Manage system operations, including purging data, collecting logs, scheduling jobs, and monitoring status.
Manage system configuration, including editing failure reasons, and configuring e-mail, session directory, and alarm settings.

See Monitoring and Reporting in ACS, page 11-1 for more information.

Debug Logs

You can use the web interface and the CLI to send logs, including debug logs, to Cisco technical support personnel if you need troubleshooting assistance. In the web interface, choose Monitoring and Reports > Launch Monitoring & Report Viewer > Monitoring and Reports > Troubleshooting > ACS Support Bundle.

You can also use the CLI to view and export the hardware server logs of the Application Deployment Engine-OS 1.2 environment. These messages are sent to /var/log/boot.log only and are unrelated to the way in which the CLI views or exports ACS debug log messages. See the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3 for information.
ACS 4.x Versus ACS 5.3 Logging

If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.3, which is considerably different. Table 19-4 describes the differences between the logging functionality of ACS 4.x and ACS 5.3.

Table 19-4 ACS 4.x vs. ACS 5.3 Logging Functionality

This logging function... | is handled this way in ACS 4.x... | and this way in ACS 5.3
Log Types | AAA-related logs contain information about the use of remote access services by users. Audit logs contain information about the ACS system and activities and, therefore, record system-related events. These logs are useful for troubleshooting or audits. CSV audit logs are always enabled, and you can enable or disable audit logs to other loggers. You cannot configure the audit log content. Audit logs can display the actual changes administrators have made for each user. ACS audit logs list all the attributes that were changed for a given user. | See Logging Categories, page 19-2.
Available Log Targets | CSV Logger; Syslog Logger; ODBC Logger; Remote Logging | See Remote Syslog Server Target, page 19-8 and Local Store Target, page 19-5.
Log File Locations | CSV Logger: sysdrive:\Program Files\CiscoSecure ACS vx.x | Local store target logs: /opt/CSCOacs/logs/localStore/. Remote syslog server target logs: /var/log/messages.
Report Types | CSV; Dynamic Administration; Entitlement | See Monitoring and Reporting in ACS, page 11-1.
Error Codes and Message Text | For ACS 4.2, CSAuth diagnostic logs display a description of client requests and responses. Previous versions of ACS used a numeric code for client requests and responses. | All messages; see Viewing Log Messages, page 19-10.
Configuration | Use the System Configuration > Logging page to define: loggers and individual logs; critical loggers; remote logging; CSV log file; syslog log; ODBC log | See Configuring Logs, page 18-21 and the CLI Reference Guide for the Cisco Secure Access Control System 5.3.
Viewing and Downloading Log Messages | Use the Reports and Activity pages. | See Viewing Log Messages, page 19-10.
Troubleshooting with Log Messages | Service log files reside in the \Logs subdirectory of the applicable service directory. | See Debug Logs, page 19-11.