Cisco ACS

An example Syslog record from a Cisco Secure Access Control System (ACS) device looks like the following. For more information, refer to the Syslog Logging Configuration Scenario chapter in the Cisco Configuration Guide.

Log sample

<38>Oct 16 21:01:29 10.0.1.1 CisACS_02_FailedAuth 1k1fg93nk 1 0 Message-Type=Authen failed,User-Name=John,NAS-IP-Address=10.0.1.2,AAA Server=acs01

Example 1. Collecting Cisco Secure ACS logs

The following configuration file instructs NXLog Agent to accept syslog messages on UDP port 1514. The payload is parsed as Syslog and then the ACS-specific fields are extracted. The output is written to a file in JSON format.

nxlog.conf

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_udp
    Host    0.0.0.0
    Port    1514
    <Exec>
      parse_syslog_bsd();
      if ( $Message =~ /^CisACS_(\d\d)_(\S+) (\S+) (\d+) (\d+) (.*)$/ )
      {
        $ACSCategoryNumber = $1;
        $ACSCategoryName = $2;
        $ACSMessageId = $3;
        $ACSTotalSegments = $4;
        $ACSSegmentNumber = $5;
        $ACSMessage = $6;
        if ( $ACSMessage =~ /Message-Type=([^\,]+)/ ) $ACSMessageType = $1;
        if ( $ACSMessage =~ /User-Name=([^\,]+)/ ) $AccountName = $1;
        if ( $ACSMessage =~ /NAS-IP-Address=([^\,]+)/ ) $ACSNASIPAddress = $1;
        if ( $ACSMessage =~ /AAA Server=([^\,]+)/ ) $ACSAAAServer = $1;
      }
      else log_warning("Does not match: " + $raw_event);
    </Exec>
</Input>

<Output out>
    Module  om_file
    File    "tmp/output.txt"
    Exec    to_json();
</Output>

Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

Last revision: 17 September 2018