
Cisco ACS Collector

Created: 10 Sep 2012 • Updated: 05 Dec 2012 | 25 comments
This issue has been solved.

I just wanted to check and confirm that the Cisco ACS collector is an off box collector.

Therefore, I must add the Linux SSIM agent to the Linux server where ACS runs and then also install the ACS collector agent on the Linux server, then just tell the SSIM to collect from that server.

As opposed to the SSIM being able to directly connect into and read a log/db on the ACS box, such as with the Symantec SEP collectors.


Laurent_c:

You can install the CISCO ACS collector on the SSIM itself.

Like any collector to install on SSIM you need to use the WEBUI and point to the jar file in the appliance folder of the collector.

It will work exactly as any other DB collector where you can use remote JDBC connection to get data.

smakovits:

Laurent, 

Thank you for the response.  I did install the collector on the SSIM itself and it appears under Product Configurations.  Now I just need to piece together the rest.  

I create a new configuration as usual, but now who is the computer?  Is it the SSIM itself, or do I set this to the ACS system where I will install the symagent and ACS collector?

Once that is sorted out, I need to set the log file directories, I assume I just then set those to the exact path  to the logs /usr/xxx/xxx/  or whatever it is as specified by my ACS admins?

Thanks

Laurent_c:

Just a slight change.

I mistook the CISCO ACS Collector (Log File Sensor) for the MS ACS Collector (DB Sensor).

Because the CISCO ACS is a log file sensor, if you want to run it onboard the SSIM Agent you have to make the file to be read available to this agent.

1- Have a script SCP the file into a folder on the Agent on a regular basis.

2- Or have a remote mount, like an NFS share, and point the Agent to read the file from the remote share.

This is Unix, so be careful with permissions.

This is why in general we recommend the Log File Sensor to be run locally, as it is easier to get access to the log. But it is not impossible to have an SSIM Agent reading them.
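The first option above (a script that copies the log onto the Agent host on a schedule) is the one that most often goes wrong on permissions and on the sensor reading a half-transferred file. The following is an added example, not Symantec's or Cisco's code: it fetches the file into a staging name inside the agent pickup directory, fixes the mode before the file becomes visible, and then renames it into place so the Log File Sensor only ever sees a complete copy. The pickup directory, the SSH key path, the remote log path and the mode 0640 are assumptions; the transport is a plain `scp` call and can be swapped for anything that writes the file to the given destination.

```python
"""Pull a Cisco ACS log file onto the SSIM Agent host for the Log File Sensor.

Added example, not Symantec's or Cisco's code. Assumptions (hypothetical):
a read-only SSH account on the ACS host, an agent pickup directory AGENT_DIR,
and a dedicated key at /etc/ssim/acs_pull_key.
"""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

AGENT_DIR = Path("/opt/symantec/sesa/logs/acs")   # hypothetical agent pickup dir
LOG_MODE = 0o640                                   # owner rw, group r, nothing for "other"


def scp_fetch(remote: str, dest: Path) -> None:
    """Default transport: scp with a dedicated read-only key (hypothetical path)."""
    subprocess.run(
        ["scp", "-q", "-i", "/etc/ssim/acs_pull_key", remote, str(dest)],
        check=True,
    )


def pull_log(remote: str, name: str, agent_dir: Path = AGENT_DIR, fetch=scp_fetch) -> Path:
    """Fetch `remote` into agent_dir/name atomically with restrictive permissions.

    The transfer lands in a temp file in the same directory (mkstemp creates it
    0600), the mode is set while the file is still invisible under its final
    name, then os.replace() renames it over the old copy. rename is atomic on
    POSIX, so the sensor sees either the previous complete file or the new
    complete file, never a partial transfer. A failed fetch leaves nothing behind.
    """
    agent_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=".pull-", dir=agent_dir)
    os.close(fd)
    tmp_path = Path(tmp)
    try:
        fetch(remote, tmp_path)
        os.chmod(tmp_path, LOG_MODE)
        final = agent_dir / name
        os.replace(tmp_path, final)
        return final
    except Exception:
        tmp_path.unlink(missing_ok=True)
        raise


def check_perms(path: Path, mode: int = LOG_MODE) -> bool:
    """True when `path` is a regular file with exactly `mode` and no world bits."""
    st = path.stat()
    return (
        stat.S_ISREG(st.st_mode)
        and stat.S_IMODE(st.st_mode) == mode
        and not (st.st_mode & stat.S_IRWXO)
    )


if __name__ == "__main__":
    # Hypothetical remote path; run from cron on the Agent host.
    out = pull_log("acsread@acs01:/opt/CSCOacs/logs/acs.log", "acs.log")
    print(out, "permissions ok:", check_perms(out))
```

Run it as the account the SSIM Agent uses (or make that account a member of the file's group), otherwise the 0640 mode locks the sensor out of its own copy.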

smakovits:

Yes, so I plan to install the SSIM agent onto the ACS box as well as the ACS collector.

Files:

symevtagent_linux_r4.7.1.21.tar.gz

Cisco_Secure_ACS_Event_Collector_4.3.7_AllWin_AllLinux_EN.zip

I will install them both on the ACS server.

Laurent_c:

It is easier to have this sort of collector on the machine itself, as the file transfer or remote access sometimes causes network/permission issues.

smakovits:

OK, so I was on the right path as described? When configuring the sensor on the SSIM itself, point the computer to the ACS box where the symagent and ACS collector are installed?

Laurent_c:

When you create a "configuration" in the UI, it needs to be assigned to the machine/Agent where the collector is installed.

Then the URL part in the Sensor properties will point to where the DB is.

Hope it is clear.

smakovits:

What if my telecom guy wants to send the logs directly as a syslog dump?  He is sending it on the same port as the ASA collector and it is getting into the SSIM, but I am not sure if this is a good way to do things or not.

I am assuming bad because there is no way to separate and store the data separately in the SSIM and it will end up in the ASA data store and be unrelated to any product collector, but I am not sure. With this method you can query the data, but beyond that, I am not sure about it.

I am hoping for some further direction to take back to them to say whether or not we can or should use the syslog dump vs using the actual collector on the SSIM the way it was intended.

Laurent_c:

There is no problem in running both the CISCO ACS (syslog file) collector and CISCO ASA (syslog).

You cannot change the type of the sensor the collector is using.

Concerning the Syslog Director, you can run multiple products all forwarded to 514 by using the Syslog Director and redirecting the events to the right collector.

GarethR:

I too have noted that the ACS can forward the data via syslog, which is what we want to do, and it can arrive at the SSIM on a separate port from Cisco ASA and other syslog data as this is configurable on ACS, but I can't point it at the SSIM Cisco ACS collector for normalisation because this collector is a file collector!!

How can we use the normalisation of the Cisco ACS Collector, yet receive via syslog?

Gareth Rhys

Managed Services, SSIM, SCSP, SEP

Laurent_c:

Well, to use the CISCO ACS logs in syslog format you need a new collector. The existing one is a log file sensor.

Avkash K:

Agreed with Laurent,

Cisco ACS is a log file based collector; it can read only from log files.

If you send ACS syslogs to SSIM directly, then the Generic Syslog collector will parse those logs according to base criteria.

But this is not the best way when you need to correlate the ACS logs.

Regards,

Avkash K

Pavel D.:

Hello,

All the Cisco ACS versions 5.0, 5.1, 5.2 send the events on syslog only. Then the collector for that will be created.

Regards,

olaf:

There should be a Cisco ACS Collector v5.0.10 available, which should work with those versions of Cisco ACS.

GarethR:

Will the Cisco ACS Collector v5.0.10, when available (from around Nov 5th, I presume), be a syslog collector, and be compatible with SSIM v4.7.4, or will it depend on the SSIM 4.8 64-bit implementation?

Gareth Rhys

Managed Services, SSIM, SCSP, SEP

olaf:

It is also for 4.7 and it is a syslog sensor.

It should already be released. I am trying to get a temporary serial for fileconnect at the moment for SSIM 4.7, so I can check that it is posted there.

olaf:

I just checked and Cisco_Secure_ACS_Event_Collector_5.0.10_AllWin_AllLinux_EN.zip is available on fileconnect for SSIM 4.7.

smakovits:

I just got this installed finally, as the team I am working with to get this up and running is sending syslog vs installing a local agent.

The question I have is that it defaults to port 514, and I want to use 10534. If I do a netstat on 10534, how can I know for certain that the connection works, since I am not seeing any new data coming in?

I also want to ensure the Syslog Director is configured correctly. Does anyone know the correct collector signature? It was not added by default, so I had to add it manually and I am not sure if what I added was correct. I tried the following:

SSCOacs_, %ACS

Just curious what others have configured with the 5.0 syslog collector. Thanks

GarethR:

I also needed to collect from the ACS using syslog, as the ACS implementation is an appliance.

I just downloaded the Cisco ACS Collector 5.0 from Fileconnect and installed it on the Linux SSIM Agent we are using to collect for the security zone, and it failed to install due to the event agent not being up to date, and there is no release of this Linux Event Agent 5.0 (contains 2.50?) on the Fileconnect portal!!

The latest is "symevtagent_linux_r4.7.1.21.tar.gz". The following error text is from the collector installation.

The Collector Provider is already installed!
The required version of Collector Provider is 2.50.00
The installed version of Collector Provider is 2.47.00
Updating Collector Provider up to version 2.50.00
Required version of Collector Provider (2.50) is missing

Is it available somewhere else?

Thanks...

Gareth Rhys

Managed Services, SSIM, SCSP, SEP

smakovits:

Gareth, What version of SSIM software are you running?

Subhani:

Since you are already familiar with the Syslog Redirector, I will not talk about it. You can provide your screenshot and I can confirm if it is configured correctly. Both boxes should be check marked, and the order of the collectors is very important as well.

Other than that, in order to see any hits from that server, you can use the tcpdump option. Here is how to use it.

Once logged in to SSIM via PuTTY, do this:

su -

password:

tcpdump host <ip_address_of_Acs_Server>

If it works, kindly mark it as the solution.
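tcpdump on the SSIM shows that packets from the ACS host arrive; it does not tell you whether the collector's sensor is bound to the non-default port, nor whether the ACS side is sending at all. The following is an added example, not Symantec's or Cisco's code, that covers both ends: a bind probe that reports whether something already owns the UDP port (the same fact `netstat -anu` shows), a sender that emits one RFC 3164-framed test message to the collector port from the ACS side, and a loopback round trip that proves the framing before you point it at the appliance. The SSIM address, the port 10534, the facility local6 and the sample ACS message are assumptions; the real collector port cannot be bound by this script while the sensor holds it, which is exactly what the probe reports.

```python
"""Verify the UDP path from the ACS host to the SSIM collector port.

Added example, not Symantec's or Cisco's code. SSIM_HOST, SSIM_PORT, the
facility and SAMPLE_MESSAGE are assumptions; the local listener exists only
to prove the code on a loopback round trip, because on the real SSIM the
collector's syslog sensor already owns the port.
"""
import socket
import threading
from typing import Optional

FACILITY_LOCAL6 = 22        # assumption: ACS configured to log to local6
SEV_NOTICE = 5
SSIM_HOST = "192.0.2.10"    # hypothetical SSIM address (TEST-NET-1)
SSIM_PORT = 10534           # the non-default port discussed in the thread

# Constructed ACS 5.x-style line; every field value is made up for the example.
SAMPLE_MESSAGE = (
    "Mar 12 10:00:02 acs01 CSCOacs_Passed_Authentications 0000000123 1 0 "
    "2012-03-12 10:00:02.100 +00:00 0000004567 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, Device IP Address=10.0.0.1, Protocol=Tacacs"
)


def frame(message: str, facility: int = FACILITY_LOCAL6, severity: int = SEV_NOTICE) -> bytes:
    """Prefix the message with an RFC 3164 PRI field: <facility*8 + severity>."""
    return f"<{facility * 8 + severity}>{message}".encode("utf-8")


def send_syslog(host: str, port: int, message: str) -> int:
    """Send one UDP datagram and return the byte count handed to the kernel.

    UDP gives no delivery feedback, so the return value only proves the packet
    left this host; confirm arrival with tcpdump on the SSIM as the post says.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(frame(message), (host, port))


def udp_port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """True when something (e.g. the collector's syslog sensor) already owns host:port.

    A bind attempt is a portable stand-in for 'netstat -anu | grep :<port>'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def loopback_roundtrip(message: str, timeout: float = 2.0) -> Optional[bytes]:
    """Bind an ephemeral local listener, send the framed message to it and
    return the datagram that arrived (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        listener.settimeout(timeout)
        got = {}

        def receiver():
            try:
                got["data"] = listener.recvfrom(65535)[0]
            except socket.timeout:
                got["data"] = None

        t = threading.Thread(target=receiver)
        t.start()
        send_syslog("127.0.0.1", port, message)   # socket is already bound, so no race
        t.join()
        return got["data"]


if __name__ == "__main__":
    print("collector port already bound on this host:", udp_port_in_use(SSIM_PORT))
    print("loopback received:", loopback_roundtrip(SAMPLE_MESSAGE))
    # From the ACS host, against the real appliance:
    # send_syslog(SSIM_HOST, SSIM_PORT, SAMPLE_MESSAGE)
```

Run the probe on the SSIM: `True` for port 10534 means the sensor (or something else) holds the port; `False` means nothing is listening and the collector configuration was not distributed. Run the sender on the ACS host while `tcpdump -nn -A udp port 10534` runs on the SSIM; `-A` prints the payload, so you see the CSCOacs_ tag rather than only the connection.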

smakovits:

OK, did the tcpdump and I can see the connection being made, but I am not seeing the actual data. At least I am not finding it.

smakovits:

I should note that the SSCOacs_ came from the actual sensor value that was defined by default. I had to add the collector to the Syslog Director and specify the signature, so I just duplicated this.

Although looking back in the manual I see they say CSCOacs_ for signatures, so which is it and where should I have what, I guess. Is the default value in the sensor itself wrong? Or leave the ACS syslog sensor defaults and just put CSCOacs_ into the Syslog Director signature settings?

smakovits:

OK, I can confirm that this now works.

The default sensor signature is/was wrong and needs to be changed to CSCOacs_ (from SSCOacs_), then in the Syslog Director this also needs to be defined as CSCOacs_, and once distributed the collector works as expected.

SOLUTION
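The failure mode in the solution above is a signature that matches nothing: the director does a case-sensitive substring match on each arriving message, first matching rule wins, and anything unmatched falls through to the generic syslog collector (which is why the data was "getting into the SSIM" but never reaching the ACS collector). The following is an added example, not Symantec's Syslog Director code, that reproduces that routing over constructed sample lines and shows three rule lists: the shipped `SSCOacs_` signature, the corrected `CSCOacs_` one, and a deliberately loose signature placed first, which also illustrates why the order of collectors in the director matters. Collector names, rule lists and every sample line are constructed; only the `CSCOacs_` prefix (the ACS 5.x message tag) and the `%ASA` tag of Cisco ASA messages come from the thread and from Cisco's own formats.

```python
"""Syslog Director-style signature routing, reproducing the SSCOacs_/CSCOacs_ mistake.

Added example, not Symantec's Syslog Director. Collector names, rule lists
and sample lines are constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]        # (signature substring, collector name)
DEFAULT = "Generic Syslog"    # where unmatched lines fall through to

# Constructed sample traffic arriving on the shared syslog port.
SAMPLE_LINES = [
    "<166>Mar 12 10:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "<181>Mar 12 10:00:02 acs01 CSCOacs_Passed_Authentications 0000000123 1 0 "
    "2012-03-12 10:00:02.100 +00:00 0000004567 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, Device IP Address=10.0.0.1, Protocol=Tacacs",
    "<180>Mar 12 10:00:03 acs01 CSCOacs_Failed_Attempts 0000000124 1 0 "
    "2012-03-12 10:00:03.400 +00:00 0000004568 5400 WARN Failed-Attempt: "
    "Authentication failed, UserName=root, Device IP Address=10.0.0.7, Protocol=Tacacs",
    "<38>Mar 12 10:00:04 acs01 sshd[2211]: Accepted publickey for admin "
    "from 10.0.0.9 port 50022 ssh2",
]

# What the shipped sensor default produced: the ACS rule can never fire.
WRONG_RULES: List[Rule] = [("%ASA-", "Cisco ASA"), ("SSCOacs_", "Cisco ACS")]
# The corrected signature from the solution post.
RIGHT_RULES: List[Rule] = [("%ASA-", "Cisco ASA"), ("CSCOacs_", "Cisco ACS")]
# A loose signature placed first also swallows the sshd line from host "acs01".
LOOSE_RULES: List[Rule] = [("acs", "Cisco ACS"), ("%ASA-", "Cisco ASA")]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def strip_pri(line: str) -> Tuple[Optional[int], str]:
    """Split off the RFC 3164 <PRI> so signatures are matched against the message only."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    return int(m.group(1)), line[m.end():]


def route(line: str, rules: List[Rule], default: str = DEFAULT) -> str:
    """First rule whose signature is a case-sensitive substring of the message wins;
    a line that matches no rule goes to the generic collector."""
    _, body = strip_pri(line)
    for signature, collector in rules:
        if signature in body:
            return collector
    return default


def tally(lines: List[str], rules: List[Rule], default: str = DEFAULT) -> Dict[str, int]:
    """Count how many lines each collector would receive under `rules`."""
    return dict(Counter(route(line, rules, default) for line in lines))


if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_RULES), ("right", RIGHT_RULES), ("loose", LOOSE_RULES)):
        print(name, tally(SAMPLE_LINES, rules))
```

With `WRONG_RULES` every ACS line lands in the generic collector, which matches the symptom in the thread (queryable, but not normalised and not correlatable as ACS events); with `LOOSE_RULES` the sshd line from the ACS host is misrouted into the ACS collector, so keep signatures as specific as the product's tag and keep the specific rules ahead of any broad ones.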
olaf:

Thanks for bringing this to our attention. The problem is within the sip package that ships with the collector.

I will forward this to the collector development team to get this reviewed.