
RSA NetWitness Logs

Event Source Log Configuration Guide

Cisco Secure Access Control Server

Last Modified: Wednesday, February 01, 2017

Event Source Product Information:

Vendor: Cisco
Event Source: Access Control Server
Versions:
• Software Only - 4.2
• Appliance - 5.1 - 5.7

RSA Product Information:

Supported On: NetWitness Suite 10.0 and later
Event Source Log Parser: ciscosecureacs
Collection Method: Syslog
Event Source Class.Subclass: Security.Access Control


To configure Syslog collection for the Cisco ACS you must:

I. Configure Syslog Output on Cisco ACS for your version:

• Configure Cisco ACS version 4.2, or

• Configure Cisco ACS version 5.1 and later

II. Configure RSA NetWitness Suite for Syslog Collection

Configure Syslog Output on Cisco ACS

Set Up Cisco ACS 4.2

To set up Cisco ACS 4.2 for Syslog collection:

1. Click Interface Configuration > Advanced Options.

2. Select all of the options, and click Submit.

3. Click System Configuration > Logging.

4. In the Syslog column, click the Configure link of an entry listed that you want to
configure.

5. Under Enable Logging, select LOG to Syslog report.

6. Select only the following columns in the following order:

• Failed Attempts
Message-Type, User-Name, Group-Name, Caller-ID, Called-Station-Id,
Authen-Failure-Code, Author-Failure-Code, Author-Data, NAS-IP-Address, NAS-Port,
Network Device Group, System-Posture-Token, Application-Posture-Token,
AAA Server, Access Device, Network Access Profile Name, Priv-lvl

• Passed Authentications
Message-Type, User-Name, Group-Name, Caller-ID, Called-Station-Id,
NAS-IP-Address, NAS-Port, Network Device Group, System-Posture-Token,
Application-Posture-Token, AAA Server, Access Device, Network Access Profile Name,
Real Name, Description, Priv-lvl

• RADIUS Accounting
User-Name, Group-Name, Calling-Station-Id, Called-Station-Id, NAS-IP-Address,
NAS-Port, Acct-Status-Type, Acct-Session-Id, Acct-Session-Time, Service-Type,
Framed-IP-Address, Framed-Protocol, Login-IP-Host, Acct-Authentic, AAA Server,
ExtDB Info, Access Device, Acct-Terminate-Cause, Acct-Input-Octets,
Acct-Output-Octets

• TACACS+ Accounting
User-Name, Group-Name, Caller-Id, Acct-Flags, priv-lvl, elapsed_time, service,
bytes_in, bytes_out, NAS-IP-Address, NAS-Portname, cmd

• TACACS+ Administration
User-Name, Group-Name, Caller-Id, Acct-Flags, priv-lvl, cmd, service,
NAS-IP-Address, NAS-Portname, reason

• Backup and Restore
No fields available

• Database Replication
No fields available

• Administration Audit
No fields available

• ACS Service Monitoring
No fields available

7. Under Syslog Servers, complete the fields as follows:

• In the IP Address field, enter the IP address of the RSA NetWitness Suite.

• In the Port field, type 514.

• In the Max Message Length field, type 1024.

8. Click Submit.

9. Repeat steps 4 through 8 for each of the required logs.

10. Complete the following steps so that the log files are created with a timestamp that the
RSA NetWitness Suite can correctly interpret:

a. Select System Configuration > Date Format Control.

b. Select the Use 'Month/Day/Year' format.

c. Select Submit & Restart.


Set Up Cisco ACS Appliance 5.1 and Later

To set up Cisco ACS Appliance syslog collection:

1. Log on to the Cisco Secure ACS online User Interface with administrator
credentials.

2. To configure RSA NetWitness Suite as a log target, follow these steps:

a. Click System Administration > Log Configuration > Remote Log Targets.

Note: In version 5.5, click System Administration > Configuration > Log
Configuration > Remote Log Targets.

b. Click Create.

c. In the Name field, enter the name of your RSA NetWitness Suite.

d. In the IP Address field, enter the IP address of your RSA NetWitness Suite.

e. Click Submit.

3. To configure which logs to send to RSA NetWitness Suite, follow these steps:

a. Click System Administration > Log Configuration > Logging Categories >
Global.

b. Select a logging category for which you want to receive logs.

i. Click the Remote Syslog Target tab.

ii. In the Available Targets field, click the target that you created in step 2.

iii. Click the "greater than" button (>).

iv. Click Submit.

c. Repeat step 3b for each logging category for which you want to receive logs.

Note: For version 5.5 and higher, the Maximum length can now be changed and
the valid options are from 200 to 8192. The default value is 1024. RSA
recommends a value of 2048.
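The following Python script is an added example and is not part of the RSA guide or of any Cisco or RSA software. It takes the column order that step 6 of the ACS 4.2 procedure prescribes for the Failed Attempts and Passed Authentications logs, together with the Max Message Length values given in step 7 of that procedure and in the note above (1024 as set on 4.2 and as the 5.5+ default, 2048 as recommended), and checks constructed sample log bodies against them: it reports columns that are missing or out of order, and shows how a long Author-Data value makes a 1024 limit drop the NAS and posture columns that the ciscosecureacs parser would otherwise receive. The guide does not describe the wire format; the script assumes that each entry arrives as comma-separated Name=value pairs in the selected column order and that ACS discards anything past Max Message Length. All function names and sample values are made up for this example.

```python
# Added example, not RSA or Cisco code. Assumptions (not stated by the guide):
# an ACS 4.2 log entry arrives as comma-separated "Name=value" pairs in the
# column order selected in the ACS logging page, and characters beyond the
# Max Message Length setting are dropped. Sample values are constructed.
from typing import Dict, List, Optional, Tuple

# Column order from step 6 of the ACS 4.2 procedure, per log category.
EXPECTED_COLUMNS: Dict[str, List[str]] = {
    "Failed Attempts": [
        "Message-Type", "User-Name", "Group-Name", "Caller-ID", "Called-Station-Id",
        "Authen-Failure-Code", "Author-Failure-Code", "Author-Data",
        "NAS-IP-Address", "NAS-Port", "Network Device Group",
        "System-Posture-Token", "Application-Posture-Token", "AAA Server",
        "Access Device", "Network Access Profile Name", "Priv-lvl",
    ],
    "Passed Authentications": [
        "Message-Type", "User-Name", "Group-Name", "Caller-ID", "Called-Station-Id",
        "NAS-IP-Address", "NAS-Port", "Network Device Group",
        "System-Posture-Token", "Application-Posture-Token", "AAA Server",
        "Access Device", "Network Access Profile Name", "Real Name",
        "Description", "Priv-lvl",
    ],
}

# Max Message Length values from the guide: 1024 is what step 7 sets on 4.2
# (and the 5.5+ default); 2048 is the value RSA recommends on 5.5 and later.
MAX_LEN_DEFAULT = 1024
MAX_LEN_RECOMMENDED = 2048


def parse_pairs(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'Name=value,Name=value,...' into ordered (name, value) pairs.

    A trailing fragment with no '=' (a column name cut off by the length
    limit) is kept with value None so the caller can see the message ended
    mid-field.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    for item in body.split(","):
        name, sep, value = item.partition("=")
        pairs.append((name.strip(), value if sep else None))
    return pairs


def apply_max_length(body: str, max_len: int) -> str:
    """Model the Max Message Length setting: characters past max_len are lost."""
    return body[:max_len]


def check_message(category: str, body: str, max_len: int) -> Dict[str, object]:
    """Report whether a log body (as it arrives after the length limit) carries
    every column the guide lists for its category, in the listed order, and
    whether the limit truncated it."""
    expected = EXPECTED_COLUMNS[category]
    names = [name for name, _ in parse_pairs(apply_max_length(body, max_len))]
    known = [n for n in names if n in expected]
    return {
        "truncated": len(body) > max_len,
        "missing": [col for col in expected if col not in names],
        "unexpected": [n for n in names if n not in expected],
        # Order only matters among the columns that actually arrived.
        "in_order": known == [col for col in expected if col in names],
    }


def build_body(columns: List[str], values: Dict[str, str]) -> str:
    """Render a body in the assumed Name=value format (unset columns are empty)."""
    return ",".join(f"{col}={values.get(col, '')}" for col in columns)


# Constructed sample values; none of these are real users, hosts or devices.
SAMPLE_VALUES = {
    "Message-Type": "Authen failed",
    "User-Name": "jdoe",
    "Group-Name": "Default Group",
    "Caller-ID": "192.0.2.10",
    "Authen-Failure-Code": "Invalid password",
    "NAS-IP-Address": "198.51.100.1",
    "Priv-lvl": "15",
}

# A normal Failed Attempts entry: fits comfortably within 1024 characters.
FAILED_OK = build_body(EXPECTED_COLUMNS["Failed Attempts"], SAMPLE_VALUES)

# The same entry with a long Author-Data column: at 1024 the NAS and posture
# columns never reach the collector; at the recommended 2048 they do.
FAILED_LONG = build_body(
    EXPECTED_COLUMNS["Failed Attempts"], {**SAMPLE_VALUES, "Author-Data": "x" * 1100}
)

# A Passed Authentications entry whose first two columns were selected in the
# wrong order in the ACS UI.
_cols = EXPECTED_COLUMNS["Passed Authentications"]
MISORDERED = build_body(["User-Name", "Message-Type"] + _cols[2:], SAMPLE_VALUES)

if __name__ == "__main__":
    for label, category, body, max_len in (
        ("ok / 1024", "Failed Attempts", FAILED_OK, MAX_LEN_DEFAULT),
        ("long / 1024", "Failed Attempts", FAILED_LONG, MAX_LEN_DEFAULT),
        ("long / 2048", "Failed Attempts", FAILED_LONG, MAX_LEN_RECOMMENDED),
        ("misordered / 2048", "Passed Authentications", MISORDERED, MAX_LEN_RECOMMENDED),
    ):
        print(label, check_message(category, body, max_len))
```

Run it as a script to see the four reports. The practical point is the second case: with the limit at 1024 the entry is silently cut inside Author-Data, so NAS-IP-Address and everything after it never arrive and the parsed event has no source device, which is exactly the gap the 2048 recommendation closes. The same `check_message` call can be pointed at entries captured from a real collector once the assumed format has been confirmed against that deployment.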


Configure RSA NetWitness Suite

Perform the following steps in RSA NetWitness Suite:

• Ensure the required parser is enabled

• Configure Syslog Collection

Ensure the Required Parser is Enabled

If you do not see your parser in the list while performing this procedure, you need to
download it in RSA NetWitness Suite Live.

Ensure that the parser for your event source is enabled:

1. In the NetWitness menu, select Administration > Services.

2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View
> Config.

3. In the Service Parsers Configuration panel, search for your event source, and ensure
that the Config Value field for your event source is selected.

Note: The required parser is ciscosecureacs.

Configure RSA NetWitness Suite for Syslog Collection

Note: You only need to configure Syslog collection the first time that you set up an event
source that uses Syslog to send its output to NetWitness.

You should configure either the Log Decoder or the Remote Log Collector for Syslog. You
do not need to configure both.

To configure the Log Decoder for Syslog collection:

1. In the NetWitness menu, select Administration > Services.

2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View
> System.

3. Depending on the icon you see, do one of the following:


• If you see [icon], click the icon to start capturing Syslog.

• If you see [icon], you do not need to do anything; this Log Decoder is
already capturing Syslog.

To configure the Remote Log Collector for Syslog collection:

1. In the NetWitness menu, select Administration > Services.

2. In the Services grid, select a Remote Log Collector, and from the Actions menu,
choose View > Config > Event Sources.

3. Select Syslog/Config from the drop-down menu.
The Event Categories panel displays the Syslog event sources that are configured, if
any.

4. In the Event Categories panel toolbar, click +.
The Available Event Source Types dialog is displayed.

5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on
the needs of your organization.

6. Select the new type in the Event Categories panel and click + in the Sources panel
toolbar.
The Add Source dialog is displayed.

7. Enter 514 for the port, and select Enabled. Optionally, configure any of the
Advanced parameters as necessary.
Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Log Decoder or Remote Log Collector
collects those types of messages from all available event sources. So, you can continue
to add Syslog event sources to your system without needing to do any further
configuration in NetWitness.


Copyright 2017 EMC Corporation. All Rights Reserved.

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation
in the United States and/or other countries. All other trademarks used herein are the property of
their respective owners.
