Cisco ACS 5.7 User Guide

31
Managing System Administration Configurations
Configuring Local and Remote Log Storage
Related Topics
Configuring Per-Instance Logging Categories, page 32
Viewing ADE-OS Logs, page 31
    Viewing ADE-OS Logs
The logs listed in Table 24 on page 29 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs:
show logging system ade/ADE.log
This command lists all the ADE-OS logs; your output would be similar to the following example.
Sep 29 23:24:15 cd-acs5-13-179 sshd(pam_unix)[20013]: 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 29 23:24:34 cd-acs5-13-179 sshd(pam_unix)[20017]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 29 23:24:36 cd-acs5-13-179 sshd[20017]: Failed password for admin from 10.77.137.95 port 3635 ssh2
Sep 30 00:47:44 cd-acs5-13-179 sshd(pam_unix)[20946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 30 00:47:46 cd-acs5-13-179 sshd[20946]: Failed password for admin from 10.77.137.95 port 3953 ssh2
Sep 30 00:54:59 cd-acs5-13-179 sshd(pam_unix)[21028]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 30 00:55:01 cd-acs5-13-179 sshd[21028]: Failed password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:35 cd-acs5-13-179 last message repeated 5 times
Sep 30 00:55:39 cd-acs5-13-179 sshd[21028]: Accepted password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:39 cd-acs5-13-179 sshd(pam_unix)[21038]: session opened for user admin by (uid=0)
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[118] [admin]: Invoked carsGetConsoleConfig
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[135] [admin]: No Config file, returning defaults
Sep 30 01:22:20 cd-acs5-13-179 sshd[21038]: Received disconnect from 10.77.137.95: 11: Connection discarded by broker
Sep 30 01:22:20 cd-acs5-13-179 sshd(pam_unix)[21038]: session closed for user admin
Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
Sep 30 02:48:54 cd-acs5-13-179 sshd[22500]: Accepted password for admin from 10.77.137.58 port 4527 ssh2
Sep 30 02:48:54 cd-acs5-13-179 sshd(pam_unix)[22504]: session opened for user admin by (uid=0)
Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
You can view the logs grouped by the module that they belong to. For example, the monitoring and troubleshooting logs contain the string MSGCAT and the debug logs contain the string debug.
From the ACS CLI, you can enter the following two commands to view the monitoring and troubleshooting logs and the administrative logs respectively:
show logging system | include MSGCAT
show logging system | include debug
The output of show logging system | include MSGCAT would be similar to:
Sep 27 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 28 13:00:03 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 29 06:28:17 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 8363
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
Sep 29 09:52:46 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting
Sep 29 10:37:45 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration enable
Sep 29 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 29 13:56:36 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration disable
Sep 29 13:57:02 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration disable
Sep 29 13:57:25 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration enable
Sep 30 10:57:10 cd-acs5-13-103 MSGCAT58010/admin: info:[ACS backup] ACS backup completed
For more information on the show logging command, refer to the CLI Reference Guide for Cisco Secure Access Control System 5.7.
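The sshd lines in the ADE.log output above have a fixed shape, so an administrator can parse a saved `show logging system ade/ADE.log` capture instead of reading it by eye. The following Python is an added example, not part of the guide or of the ACS product: it reads constructed sample lines in that shape (hostname, PIDs, addresses and ports are made up) and flags an accepted password that followed a run of failures from the same source, counting the "last message repeated N times" lines that syslog uses to collapse a burst.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `show logging system ade/ADE.log` output.
# Hostname, PIDs, addresses and ports are made up for this example.
SAMPLE_ADE_LOG = """\
Sep 30 00:47:44 acs-node1 sshd(pam_unix)[20946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admin
Sep 30 00:47:46 acs-node1 sshd[20946]: Failed password for admin from 192.0.2.10 port 3953 ssh2
Sep 30 00:55:01 acs-node1 sshd[21028]: Failed password for admin from 192.0.2.10 port 3962 ssh2
Sep 30 00:55:35 acs-node1 last message repeated 5 times
Sep 30 00:55:39 acs-node1 sshd[21028]: Accepted password for admin from 192.0.2.10 port 3962 ssh2
Sep 30 00:55:39 acs-node1 sshd(pam_unix)[21038]: session opened for user admin by (uid=0)
Sep 30 02:48:54 acs-node1 sshd[22500]: Accepted password for admin from 192.0.2.20 port 4527 ssh2
"""

# syslog timestamp: "Sep 30 00:47:46" (day may be space-padded, e.g. "Sep  1")
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
AUTH_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)
REPEAT_RE = re.compile(TS + r" (?P<host>\S+) last message repeated (?P<n>\d+) times$")


def detect_failed_then_accepted(lines, threshold=3):
    """Return one alert per (source, user) whose password was accepted after at
    least `threshold` failed attempts. A 'last message repeated N times' line
    counts toward the Failed line immediately before it, which is how syslog
    collapses a burst of identical failures."""
    failures = defaultdict(int)   # (src, user) -> failed attempts so far
    last_failed_key = None        # key of the Failed line seen on the previous row
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            key = (m["src"], m["user"])
            if m["result"] == "Failed":
                failures[key] += 1
                last_failed_key = key
            else:  # Accepted: report if it closes a run of failures, then reset
                if failures[key] >= threshold:
                    alerts.append({
                        "ts": m["ts"], "host": m["host"], "user": m["user"],
                        "src": m["src"], "failures": failures[key],
                    })
                failures[key] = 0
                last_failed_key = None
            continue
        m = REPEAT_RE.match(line)
        if m:
            if last_failed_key is not None:
                failures[last_failed_key] += int(m["n"])
            continue
        # pam_unix, debugd and any other line break the "repeated" chain, because
        # syslog's "last message repeated" refers only to the row just before it.
        last_failed_key = None
    return alerts


if __name__ == "__main__":
    for a in detect_failed_then_accepted(SAMPLE_ADE_LOG.splitlines()):
        print(f"{a['ts']} {a['host']}: {a['user']} accepted from {a['src']} "
              f"after {a['failures']} failed attempts")
```

On the sample, the 192.0.2.10 source accumulates 1 + 1 + 5 failures before the accepted login and is reported; the 192.0.2.20 login had no preceding failures and is not.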
Configuring Per-Instance Logging Categories
You can define a custom logging category configuration for specific, overridden ACS instances, or return all instances to the default global logging category configuration.
To view and configure per-instance logging categories:
1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance.
The Per-Instance page appears; from here, you can view the individual ACS instances of your deployment.
2. Click the radio button associated with the name of the ACS instance you want to configure, and choose one of these options:
• Click Override to override the current logging category configuration for selected ACS instances.
• Click Configure to display the Logging Categories page associated with the ACS instance. You can then edit the logging categories for the ACS instance. See Displaying Logging Categories, page 34 for field descriptions.
• Click Restore to Global to restore selected ACS instances to the default global logging category configuration.
Your configuration is saved and the Per-Instance page is refreshed.
Related Topic
Configuring Per-Instance Security and Log Settings, page 32
Configuring Per-Instance Security and Log Settings
You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS instance. Use this page to:
• View a tree of configured logging categories for a specific ACS instance.
• Open a page to configure a logging category’s severity level, log target, and logged attributes for a specific ACS instance.
1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
The Per-Instance: Configuration page appears, as described in Table 25 on page 33.
2. Do one of the following:
• Click the name of the logging category you want to configure.
• Select the radio button associated with the name of the logging category you want to configure, and click Edit.
The Per-Instance: General page appears. From here, you can configure the severity level and local log settings in a logging category configuration for a specific ACS instance. See Table 26 on page 33.

Table 25 Per-Instance: Configuration Page
Name: Expandable tree structure of AAA service logging categories.
Edit: Click to display a selected Logging Categories > Edit: “lc_name” page, where lc_name is the name of the logging category.

Table 26 Per-Instance: General Page
Configure Log Category
Log Severity: Use the list box to select the severity level for diagnostic logging categories. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:
• FATAL—Emergency. The ACS is not usable and you must take action immediately.
• ERROR—Critical or error condition.
• WARN—Normal, but significant condition. (Default)
• INFO—Informational message.
• DEBUG—Diagnostic bug message.
Configure Local Setting for Category
Log to Local Target: Check to enable logging to the local target. For administrative and operational audit logging category types, logging to the local target is enabled by default and cannot be disabled.
Local Target is Critical: Usable for accounting and for passed authentication logging category types only. Check the check box to make this local target the critical target. For administrative and operational audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target.
Configure Logged Attributes: Display only. All attributes are logged to the local target.
Configuring Per-Instance Remote Syslog Targets
Use this page to configure remote syslog targets for logging categories.
1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
The Per-Instance: Configuration page appears, as described in Table 25 on page 33.
2. Do one of the following actions:
• Click the name of the logging category you want to configure.
• Select the radio button associated with the name of the logging category you want to configure, and click Edit.
3. Click the Remote Syslog Target tab.
The Per-Instance: Remote Syslog Targets page appears, as described in Table 27 on page 34.

Table 27 Per-Instance: Remote Syslog Targets Page
Configure Syslog Targets
Available targets: List of available targets. You can select a target from this list and move it to the Selected Targets list.
Selected targets: List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.

Displaying Logging Categories
You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category’s severity level, log target, and logged attributes for a specific ACS instance.
1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
2. Complete the fields as described in Table 28 on page 34.

Table 28 Per-Instance: Configuration Page
Name: Expandable tree structure of AAA services logging categories.
Edit: Click to display a selected Logging Categories > Edit: “lc_name” page, where lc_name is the name of the logging category.

Configuring the Log Collector
Use the Log Collector page to select a log data collector and suspend or resume log data transmission.
1. Select System Administration > Configuration > Log Configuration > Log Collector.
The Log Collector page appears.
2. Complete the Log Collector fields as described in Table 29 on page 35.
3. Do one of the following:
• Click Suspend to suspend the log data transmission to the configured log collector.
• Click Resume to resume the log data transmission to the configured log collector.
Your configuration is saved and the Log Collector page is refreshed.
Table 29 Log Collector Page
Log Data Collector
Current Log Collector: Display only. Identifies the machine to which the local log messages are sent.
Select Log Collector: Use the drop-down list box to select the machine to which you want local log messages sent.
Set Log Collector: Click to configure the log collector according to the selection you make in the Select Log Collector option.

Viewing the Log Message Catalog
Use the Log Message Catalog page to view all possible log messages.
Choose System Administration > Configuration > Log Configuration > Log Message Catalog.
The Log Message Catalog page appears, with the fields described in Table 30 on page 35, from which you can view all possible log messages that can appear in your log files.

Table 30 Log Messages Page
Message Code: Display only. A unique message code identification number associated with a message.
Severity: Display only. The severity level associated with a message.
Category: Display only. The logging category to which a message belongs.
Message Class: Display only. The group to which a message belongs.
Message Text: Display only. English language message text (name of the message).
Description: Display only. English language text that describes the associated message.

Exporting Messages from the Log Message Catalog
ACS 5.7 provides the option to download syslog messages, with their message codes and descriptions, as a CSV file. When you export the syslog messages, the filtering option does not apply: ACS exports all syslog messages that are available in the Log Message Catalog page. The progress bar is not displayed during the export operation. If the export operation fails, ACS does not prompt you to save the .csv file, or the saved file may be empty.
Use the Log Message Catalog page to export log messages.
1. Choose System Administration > Configuration > Log Configuration > Log Message Catalog.
The Log Message Catalog page appears, with the fields described in Table 30 on page 35, from which you can view all possible log messages that can appear in your log files.
2. Click Export.
ACS exports all syslog messages that are available in the Log Message Catalog page as a .csv file.
3. Specify a location and click Save.
The .csv file is saved in the specified location.
Licensing Overview
To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.
Note: Each server requires a unique base license in a distributed deployment.
Types of Licenses
Table 31 on page 37 shows the ACS 5.7 license support.

Table 31 ACS License Support
Base License: Required for all software instances deployed, as well as for all appliances. The base license enables you to use all the ACS functionality except license-controlled features, and it enables all reporting features. The base license is:
• Required for each ACS instance, primary and secondary.
• Required for all appliances.
• Supports deployments with up to 500 network devices (AAA clients).
Base licenses are of two types:
• Permanent—Supports up to 500 network devices (AAA clients).
• Eval—Supports up to 50 network devices and expires in 90 days.
The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
If your evaluation license expires or is about to expire, you cannot use another evaluation license or extend your current license. Before your evaluation license expires, you must upgrade to a Permanent license.
Add-on Licenses: Supports an unlimited number of managed devices. Requires an existing ACS permanent base license. There are also evaluation-type licenses for add-on licenses.
The Security Group Access feature licenses are of three types: Permanent, Eval, and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license.
Also, the large deployment license can be used only with a permanent base license.
Evaluation License (standard): Enables standard centralized reporting features.
• Cannot be reused on the same platform.
• You can only install one evaluation license per platform. You cannot install additional evaluation licenses.
• Supports 50 managed devices.
• Expires 90 days from the time the license is installed.

Related Topics
Licensing Overview, page 36
Installing a License File, page 38
Viewing and Upgrading the Base Server License, page 38
Adding Deployment License Files, page 41
Deleting Deployment License Files, page 42
Installing a License File
You can obtain a valid license file using the Product Activation Key (PAK) supplied with the product. To install a license file:
1. Log in to the ACS web interface.
The Initial Licenses page appears when you log in to the ACS machine for the first time.
2. Click Cisco Secure ACS License Registration.
This link directs you to Cisco.com to purchase a valid license file from a Cisco representative.
3. Click Install to install the license file that you purchased.
The ACS web interface login page reappears. You can now work with the ACS application.
Related Topics
Licensing Overview, page 36
Viewing and Upgrading the Base Server License, page 38
Adding Deployment License Files, page 41
Deleting Deployment License Files, page 42
Viewing and Upgrading the Base Server License
ACS 5.7 allows you to upgrade or modify a base license without performing the reset config operation. To view and upgrade the base license:
1. Select System Administration > Configuration > Licensing > Base Server License.
The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses, page 37 for a list of deployment licenses. Table 32 on page 38 describes the fields in the Base Server License page.

Table 32 Base Server License Page
ACS Deployment Configuration
Primary ACS Instance: Name of the primary instance created when you logged into the ACS 5.7 web interface.
Number of Instances: Current number of ACS instances (primary or secondary) in the ACS database.
Current Number of Configured IP Addresses in Network Devices: Total number of IP addresses in all the subnetworks that you have configured as part of network device configuration. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
2. Select the radio button for the instance whose license you want to upgrade and click Upgrade/Modify.
The Base Server License Edit page appears. The administrator can upgrade or modify a base license from the ACS 5.7 web interface without resetting the configuration.
3. Complete the fields as described in Table 33 on page 39.
4. Click Submit.

Table 32 Base Server License Page (continued)
Maximum Number of IP Addresses in Network Devices: Maximum number of IP addresses that your license supports:
• Base License—Supports 500 IP addresses. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
• Large Deployment—Supports an unlimited number of IP addresses.
Use this link to obtain a valid License File: Directs you to Cisco.com to generate a valid license file using the Product Activation Key (PAK).
Base License Configuration
ACS Instance: Name of the ACS instance, either primary or secondary.
Identifier: Name of the base license.
License Type: Specifies the base license type (permanent, evaluation).
Expiration: Specifies the expiration date for evaluation licenses. For permanent licenses, the expiration field indicates permanent.
Licensed to: Name of the company that this product is licensed to.
PAK: Name of the Product Activation Key (PAK) received from Cisco.
Version: Current version of the ACS software.

Table 33 Base Server License Edit Page
ACS Instance License Configuration
Version: Displays the current version of the ACS software.
ACS Instance: Displays the name of the ACS instance, either primary or secondary.
License Type: Specifies the license type.
Use this link to obtain a valid License File: Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
License Location
License File: Click Browse to navigate to the directory that contains the license file and select it.
    Related Topics
    Licensing Overview, page 36
    Types of Licenses, page 37
    Installing a License File, page 38
    Adding Deployment License Files, page 41
    Deleting Deployment License Files, page 42
Viewing License Feature Options
You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information.
Select System Administration > Configuration > Licensing > Feature Options.
The Feature Options page appears, as described in Table 34 on page 40.

Table 34 Feature Options Page
ACS Deployment Configuration
Primary ACS Instance: Name of the primary instance created when you log in to the ACS 5.7 web interface.
Number of Instances: Current number of ACS instances (primary or secondary) in the ACS database.
Current Number of Configured IP Addresses in Network Devices: Total number of IP addresses in all the subnetworks that you have configured as part of network device configuration. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
Maximum Number of IP Addresses in Network Devices: Maximum number of IP addresses that your license supports:
• Base License—Supports 500 IP addresses. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
• Large Deployment—Supports an unlimited number of IP addresses.
Use this link to obtain a valid License File: Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
Installed Deployment License Options
Feature:
• Large Deployment—Supports an unlimited number of managed devices.
• Security Group Access Control—Enables Cisco Trusted Server (SGA) management functionality. This requires an existing ACS base license.
Licensed to: Name of the company that this product is licensed to.
License Type: Specifies the license type (permanent, evaluation).