Cisco AAA/Identity/Nac :: ACS 4.2.1.15.4 Logging To Syslog Server - Time Off 5 Hours
Dec 12, 2011
I am sending TACACS administration logging to a syslog server. When the messages show up on the syslog server, they are 5 hours ahead of the actual time. Time on the ACS is correct - local logging shows the correct time. Time on the syslog server is correct... all other devices/systems sending syslog messages to it are coming through with the correct time. Why would the ACS syslog messages be 5 hours ahead?
Dec 25, 2012
How to set up logging of commands on syslog server? (Cisco Nexus 7010)
Aug 29, 2011
On the CLI, we have ACS showing:
clock timezone Etc/GMT-6
!
ntp server 10.10.10.1
A show clock shows the correct local time. When in the GUI of ACS the clock reads
Tue Aug 30, 2011 21:13:58 GMT+06:00
Feb 5, 2012
I'm looking to configure a syslog server for all of my cisco device logging. I've had a look at CNA and can't find any options to define a syslog server for my switches.
What's the best way to define a syslog server and the severity of the notifications? Also, I'm looking to clear all previous System messages on my devices.
May 5, 2013
I'm trying to view the logs from a Cisco 857W router to a workstation running the Kiwi Syslog server. What I've done is the following:
Config term
Logging on
Logging source-interface BVI1
Logging Facility Local7 (or any other facility you want to allocate for this router.)
Logging [IP Address or Hostname of machine running Kiwi Syslog Server]
End
I see nothing on the syslog server, although I can see the log information on the router. Also, is there a command to stop the logging from generating, or is this on by default?
Dec 4, 2011
It appears that there are two different types of log information generated by the WLC-5508. The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via SNMP trap. Does this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?
Jun 17, 2011
I am trying to log every connection (Build, deny, etc.). But for some reason I don't see them in sh log.
[Code]...
Jan 15, 2012
Recently I have upgraded the IOS of ASA5550 (in HA mode) to 8.4.2 from 8.0.5. After the OS upgrade we found that the syslog from these firewalls is not getting captured/transferred to the centralised syslog server. The server is reachable from the firewalls.
Mar 14, 2012
I found a new bug in Cisco IOS 15.1(4)M3 when running an EEM script with the syslog event detector. If system logging is performed using the "logging discriminator" and an EEM script with the syslog event detector runs concurrently, then the Cisco router crashes and goes to reboot.
Cisco ISR G2 3925E.
Jul 5, 2012
We have a firewall service environment where logging is handled with UDP at the moment. Recently we have noticed that some messages get lost on the way to the server (since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP. You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and found out that all the connections through that firewall were now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
The TCP syslog connection failing was caused by a mismatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message: "%ASA-3-201008: Disallowing new connections."
Here start my questions:
- New connections are supposed to be blocked when the TCP syslog server is not reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
- I configured the "logging permit-host down" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
- Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
- After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
- As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
At the end I was forced to save the configuration on the ASA's Flash memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem. Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-host down" command didn't work, nor did changing back to UDP.
It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on. Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-host down" which is supposed to avoid this situation altogether).
Sep 21, 2012
logging buffered 4096 warnings
The above causes the router to log all the events with severity level 4 or below in the buffer. What about the logging console warnings command? Will the above command cause the router to send log messages with severity level 4 (warnings severity level) to console only, or will the router send all the log messages with severity level 4 or below to console?
Mar 11, 2011
My internet (wired and wireless) usually works fine, but occasionally (read: every few days to weeks) the connection will suddenly black out for a period of time, anywhere from an hour to a day. I have tried resetting both my router and modem, and going through all the settings on my laptop, but I'm pretty sure it's not my computer, as no other devices can connect either. During the blackouts, when I look at the modem, the internet light will turn on for a second, then go off and then the red "alarm" light (aka "something is wrong" light) starts blinking like crazy, and this keeps repeating. This resolves itself after anywhere from a few hours to a whole day and everything is normal again. The light show, and the fact that I can't find any other problems, leads me to believe that it could be a problem with my provider (or the network itself) and not a hardware or software problem, but I can't be sure of this. Also, during the blackouts, I can connect to the network, but it shows that limited connectivity symbol (exclamation mark thing) and says no internet.
Apr 1, 2012
I'm new to an ASA 5510 running 8.4(3) and am trying to figure out something regarding time ranges in ASDM. I simply want to allow a single port during business hours only (I'm not concerned about open sessions needing to be closed). So as an example I add a rule something like:
(RULE1 on the internal interface) SRC=INTERNAL DEST=ANY SERVICE=RDP ACTION=PERMIT with a time range set for weekdays 8:00-16:59. I did a test after 5pm on a weekday and was still allowed to do RDP to a server (from INTERNAL), and after using the packet trace tool saw it was still passing through due to a rule a couple lines down (rule 4) that allowed a port range that happened to include port 3389. So my question is if I specify an "allowed" time range and someone attempts access outside that time range, why doesn't it drop it right there? I guess I'm assuming that anything outside the "allowed" time range would be dropped but that doesn't seem to be the case. I'm also assuming the rule base is processed top to bottom.
Feb 10, 2010
I installed a new ASA using 8.2.2 version and ASDM 6.2.5 version in contexts mode. When I enable logging for ASDM as debugging I cannot use the real time log viewer because I have an error "Syslog connection Lost. Try restarting the syslog connection". I tried to reconnect using the icon at the bottom but nothing changed.
Mar 15, 2012
I have an ACS 5.2 VM that went down during an ESX host issue. Since it has no VMware tools, it didn't migrate to another host very nicely. When the box came up, I had to delete the virtual NIC and re-add it and then set up the IP info again to get the VM communicating on the network. Currently the ACS box is not logging anything. There are no logs visible. What can I do to check why there are no logs visible? Authentication is working because wireless users are still getting on the wireless network, but there are no logs that show passed or failed attempts.
Jul 8, 2012
I just bought a WAP321 Wireless AP. I wonder why it cannot sync with our time server automatically. Every time I reboot it, the system time becomes "Fri Dec 31 1999 12:00:00 UCT". I have to do the sync manually by clicking on the "Save" button under the menu Administration > Time Setting.
Feb 18, 2012
I want to send ACS logs to a syslog server. I have configured syslog under System Administration --> Configuration --> Remote Log Targets.
Name : Syslog Server
IP : x.x.x.x
Port : 514
Facility Code:Local 6
Maximum length :1024
I have opened the respective ports also in the firewall. But the syslog server is not getting any logs from ACS. I have another log target, which is the ACS secondary server to collect the log from primary and secondary with the below config, which is working fine:
Name :Logcollector
IP : x.x.x.x
Port : 20514
Facility Code:Local 6
Maximum length :1024
Aug 21, 2011
I have 3 ACS 5.2 servers both here and in the US. On Friday night, our building lost power and it came back up early Saturday morning. During this, the wireless controllers dropped their configs and reverted back to point to the old ACS servers again. After fixing this, all wireless works now in my location. But ACS is not logging my sessions even though I can connect to wireless with phone or laptop. It should log the authentication process if the server is here or in the US, but it is only logging for the other 2 servers. Now on a weird note, the VPN for users in this location is authenticating just fine.
Apr 30, 2013
I am looking for a way to disable logging of one user. We are using one testing user for checking accessibility of ACS from a large number of switches - this checking exhausts logs quite quickly. Is it possible to disable logging of such a user?
Dec 4, 2011
How can I configure ACS 5.2 to send syslog messages to CS-MARS?
May 9, 2013
We have a distributed ACS 5.3 set up - a PR and DR replicating successfully. I've set up 4 remote syslog targets. 2 of them are at the same site as the PR ACS and 2 are at the same site as the DR ACS. The logging collector is set on the PR ACS.
The problem is that it "appears" that PR ACS is only sending PR ACS syslog info to one of the remote syslog targets out of the four.
The syslog target which does receive from the PR ACS is at the same site as the PR ACS.
"appears" means that someone has looked on the syslog targets to see what's been received / or not received.
I've been told that the syslog traffic for syslog targets is being received from the DR ACS. Which is strange as the PR ACS is the actual log collector (and is not at the same site as the DR ACS).
I've also got Alarm Syslog targets set up on the PR ACS (2 are the same IP addresses used in the 4 remote syslog targets). IP addresses of the remote syslog targets have been double checked and can be pinged from each ACS (PR and DR).
Nov 30, 2011
Is the feature "event logging" that is present on ACS 4.2 with the option to "send all events to the windows event log" no longer supported in ACS 5.2?
Jul 26, 2011
I have a WCS working on version 7.0.172.0. Is there a way to send the alarms produced by WCS to another syslog server?
Mar 4, 2012
I am trying to set up a syslog server on LMS 4.0. Everything seems to be working fine but I have a lot of strange logs in my syslog.log file. Every single day I receive logs like:
Mar 05 09:31:03 127.0.0.1 100: <30> dmgt[1136]: 3007(I):Started application(1015) "e:CSCOpxincwjava.exe -cw:jre lib/jre -cp e:CSCOpxMDC omcatsharedlibMICE.jar;e:CSCOpxMDC omcatsharedlibNATIVE.jar;e:CSCOpxMDC omcatsharedlibjdom.jar;e:CSCOpxMDC omcatsharedlibxalan.jar;e:CSCOpxMDC omcatsharedlibxerces.jar;e:CSCOpxMDC omcatcommonlibservlet.jar;e:CSCOpxMDC omcatsharedlibcastor-0.9.5.jar;e:CSCOpxMDC omcatsharedlibcastor-0.9.5-xml.jar;e:CSCOpxlibclasspath;e:CSCOpxwwwclasspath;wwwclasspathvbjorb.jar;MDC omcatwebappsupmWEB-INFclasses;libjrelibendorsedjacorb.jar;MDC omcatwebappsupmWEB-INFlibctm.jar;MDC omcatwebappsupmWEB-INFliblog4j.jar;MDC omcatwebappsupmWEB-INFlibjep-3.2.0.jar;MDC omcatwebappsupmWEB-
[code]....
I don't want to get any logs from 127.0.0.1. Is it possible to filter out logs from the server?
May 9, 2011
I need to set up a syslog server for PIX w/ 6.2 and was hoping to get detailed instructions on how to go about it. I would like exact syntax w/ an example on the PIX and any configuration on the computer that will be receiving the log info. I have downloaded tftpd32 onto the computer.
May 16, 2012
I would like to know whether LMS 4.1 (local server mode) has the ability to relay syslog messages received from devices to an external syslog server? If so, how do I configure such?
From reading the document and going through the LMS 4.1 GUI, it appears that it could receive and forward messages but only between LMS systems (i.e. multi-server mode) as SSL is required.
Feb 12, 2012
I want to forward syslog messages that I receive in my Cisco Works server to another server. What is the best way to accomplish this? I'm running LMS3.2 on Solaris 10.
Mar 9, 2013
I'm having an issue with the syslog.
My configuration is:
LAN A (RV042)<-> GW to GW tunnel <-> (RV082) LAN B
On LAN A, I got a NAS with a syslog server. On the RV042, I've set the parameters for the syslog server, and it's working fine. On the RV082, I've set the same parameters and nothing is happening.
As troubleshooting, I've done the following:
- On the RV082, I can ping the NAS without problems.
- On the RV082, I've set my computer IP address as syslog server IP and with a packet analyser, I am not seeing any UDP packets.
Jan 16, 2013
Is there an .ISO file for installing on Windows Server20888SR2 ?
Mar 19, 2013
I got a new Cisco 3845 under my administration. For some special events I do automated actions (e-mails) from Cisco Works 2000.
One is if the power supply fails. The problem now is that a PS fail message will be repeated every 20 seconds to the syslog server - but in the local log on the router only once.
Feb 7, 2011
I have a WAP4410N access point, firmware 2.0.1.0. I have configured a Kiwi syslog server to get the log from the WAP4410N, but the log information obtained is just the "standard event log" and not the detailed log (every connection source and destination IP address, IP server, and number of bytes transferred), according to the manual of the access point. What do I have to do? Firmware update? Another syslog server?
Oct 26, 2011
We use multiple ASA 5500/5580 cluster systems running 8.3 software versions. Actually we send all our FW syslog data to a SIEM appliance in a DMZ on a remote firewall (non-ASA). Recently we suffered a strange incident while implementing a new SIEM collection station now situated in a DMZ that is located on one of the ASA contexts. We redirected the syslog streams to the new client for one of the contexts on the ASA cluster that holds the new SIEM agent DMZ. Since we did this and redirected the syslog we see double traffic and spoofing errors on that context:
a/ the ASA keeps sending out the syslog traffic to the OLD SIEM agent server ip (there is however no trace of its ip in the config)
b/ the traffic leaving the interconnection interface towards the OLD SIEM agent gets a SPOOFING error on the traffic
c/ strangely the data gets also correctly forwarded to the new SIEM collection stations.
We started out with redirecting traffic on only one of the 5 contexts to the new environment and kept logging the others to the old system. I finally got out of the issue by reconfiguring all the other contexts to forward their syslog towards the same new server. Since that moment we no longer have the double logging and spoofing error; all syslog traffic goes correctly to the new SIEM agent. It looked like some remnants of the old syslog config remained on the ASA even after deleting and introducing a new config line (we used the ASDM to execute the action). As said, either it kept the old config or it looked in the other context and "decided" to keep sending to the old server also mentioned in that syslog can find the behaviour in any buglists either way.
Mar 13, 2011
I'm about to configure a syslog server to receive syslog messages from a Cisco ASA5510, and it being a one week test I was wondering how much space I should allocate on the machine hosting the tool (Kiwi Syslog). I see that the ASA fills the internal syslog buffer to 4MB and then it overrides it. How many messages would those 4MB be?