Configure the Remote Log Target
To configure Cisco ACS Log Collection, a Remote Log Target must be created. Before starting these instructions, acquire the IP address of the System Monitor that will be collecting Cisco ACS logs.
- From the Cisco ACS user interface, click System Administration, click Configuration, and then click Remote Log Targets.
- Click Create.
- Click Remote Log Targets, and then click Create.
- Complete the following required fields:
- Name. LogRhythm
- Description. LogRhythm Logging
- Type. Syslog
- IP Address. Enter the IP of the LogRhythm System Monitor.
Do not change any Advanced settings. Changing these settings will cause unpredictable behavior in the log collecting process.
- Click Submit to save the configuration.
- Note the name of the log target just created because it is needed later in these instructions.
Configure Global Logging Severity
The severity level at which logs are collected must be configured. Follow these instructions to configure the severity level of the logs being collected.
- From the Cisco ACS user interface, click System Administration, click Configuration, click Log Configuration, click Logging Categories, and then click Global.
- Select the radio button of the logging category to be configured, and then click Edit.
- Click Log Severity, and then choose from the following:
For diagnostic logging categories, use the list to select the severity level. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:
- FATAL. Emergency. ACS is not usable and you must take action immediately.
- ERROR. Critical or error condition.
- WARN. Normal, but significant condition. (Default)
- INFO. Informational message.
- DEBUG. Diagnostic bug message.
- Click Submit to save the changes.
Configure Global Logging Categories
Logging categories determine the kind of logs to be collected. These categories must be assigned to the Remote Target previously created in the Configure the Remote Log Target instructions.
- From the Cisco ACS user interface, click System Administration, click Log Configuration, click Logging Categories, and then click Global.
- Select a logging category for which you want to receive logs.
- Click the Remote Syslog Target tab.
- In the Available Targets field, click the target created in the Configure the Remote Log Target instructions.
- Click the greater than (>) button.
- Click Submit.
- Repeat for each logging category for which you want to receive logs.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is Syslog - Cisco ACS. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
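To check that every logging category assigned to the remote log target is actually delivering syslog, the following added example (not part of the LogRhythm or Cisco documentation) tallies captured syslog lines by category and reports the ones that never arrived. It assumes RFC 3164-style lines in which the token after the host name is the ACS category name with a CSCOacs_ prefix; the host name acs01, the expected category list and the sample lines are constructed.

```python
import re
from collections import Counter

# <PRI>Mmm dd hh:mm:ss host tag ...   (RFC 3164 layout)
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+)")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse(line):
    """Return facility, severity, host and category tag, or None if malformed."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:   # PRI = facility * 8 + severity, max 23*8+7
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "host": m.group(3), "category": m.group(4)}

def coverage(lines, acs_host, expected_categories):
    """Compare categories seen from acs_host with those assigned to the target."""
    seen, unparsed = Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
        elif rec["host"] == acs_host:    # ignore other senders on the same port
            seen[rec["category"]] += 1
    expected = set(expected_categories)
    return {"seen": dict(seen),
            "missing": sorted(expected - set(seen)),      # assigned, nothing received
            "unexpected": sorted(set(seen) - expected),   # received, not assigned
            "unparsed": unparsed}

# Constructed sample capture (not real ACS output).
SAMPLE = [
    "<181>Oct 10 12:00:01 acs01 CSCOacs_Passed_Authentications 0000000001 1 0 sample",
    "<181>Oct 10 12:00:02 acs01 CSCOacs_Failed_Attempts 0000000002 1 0 sample",
    "<181>Oct 10 12:00:03 acs01 CSCOacs_Passed_Authentications 0000000003 1 0 sample",
    "<13>Oct 10 12:00:04 otherhost sshd[1]: unrelated sender",
    "truncated or non-syslog data",
]
# Hypothetical list of categories assigned to the remote log target.
EXPECTED = ["CSCOacs_Passed_Authentications", "CSCOacs_Failed_Attempts",
            "CSCOacs_TACACS_Accounting"]

if __name__ == "__main__":
    report = coverage(SAMPLE, "acs01", EXPECTED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A category listed under missing either has not generated events yet or was not moved to the selected targets for that category.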