Cisco ACS is a policy-based security server that provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to your network. ACS facilitates the administrative management of Cisco and non-Cisco devices and applications.
Prerequisites
- Admin login credentials for the Cisco ACS are required.
Configuration
Create a Remote Log Target
- Log in to your Cisco ACS appliance.
- On the navigation menu, click System Administration > Configuration > Log Configuration > Remote Log Targets.
- Step 1: Under Log Configuration, click Remote Log Targets, then click the Create button to define the external syslog server.
- Step 2: Click Create, then enter the name of the syslog server and the IP address of the forwarder. You can also specify the port number ‘11553’.
- Click Submit.
Configure global logging categories
Step 1: On the navigation menu, click System Administration > Configuration > Log Configuration > Global.
- Select the logging category for which you want to send logs to the external syslog server. Here we want to send all the passed authentication logs to the external syslog server.
Step 2: Click Edit and go to the Remote Syslog Target tab.
Now move the configured syslog server to the selected target and then click Submit.
The logs will now be ingested into Chronicle in SYSLOG + KV format with the CISCO_ACS ingestion label.
Once the configuration is complete, validate the logs in Chronicle by searching with the regular expression (".*") or with a specific hostname. This shows the log source types that are being ingested into Chronicle. See the screenshot below for reference.