Cisco Systems 4.2 Server User Manual


 
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 8 Syslog Logging Configuration Scenario
Format of Syslog Messages in ACS Reports
All ACS syslog messages use a severity value of 6 (informational).
For example, if the facility value is 13 and the severity value is 6, the Priority value is 110 ((8 x 13) + 6). The Priority value appears according to the syslog server setup, and might appear as one of:
– System3.Info
– <110>
Note: You cannot configure the format of the syslog facility and severity on ACS.
The following sample syslog message shows how the facility code and other information might look in
an ACS-generated syslog message:
<110> Oct 16 08:58:07 64.103.114.149 CisACS_13_AdminAudit 18729fp11 1 0 AAA Server=tfurman-w2k,admin-username=local_login,browser-ip=127.0.0.1,text-message=Administration session finished,
In this example, <110> represents the calculated value when the facility code is 13 (the log audit facility code).
Message Length Restrictions
When an ACS message exceeds the syslog standard length limitation or target length limitation, the message content is split into several segments:
– If all attribute-value elements fit into one segment, no segmentation is performed.
– If the message does not fit into one segment, the message is split between attribute-value pairs, keeping each attribute-value pair complete within its segment. That is, the first segment ends with a semicolon (;), while the next segment's content starts with the next attribute-value pair.
– In rare cases, when one attribute-value pair is too long to fit in one segment all by itself, the value is segmented between sequenced segments of the message. Such segmentation might happen if an attribute value contains several hundred characters. In general, ACS attribute values are designed to avoid such lengths.
All segments of one message have exactly the same header. The <msg_id> and <total_seg> values are shared between all segments. The <seg#> is set according to the number of segments, and the relative part of the content follows.
Use the following message length restrictions:
– For sending messages to a standard syslog server, the maximum message length should be 1024 bytes.
– For sending messages to Cisco Security Monitoring, Analysis and Response System (MARS), the maximum message length should be 500 bytes.
– Message segmentation should be used when the original message, including header and data, exceeds length limitations.
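A collector-side reassembly of the segmented messages described above, as an added example that is not part of the Cisco guide. It assumes the three header fields after the log name are <msg_id>, <total_seg> and <seg#> in that order, with zero-based segment numbers (as the sample line suggests); every input line other than the guide's own sample is constructed.

```python
import re
from collections import defaultdict

# Assumption read off the page's sample line: after the source address come
# log name, <msg_id>, <total_seg>, <seg#> (zero-based), then the content.
LINE = re.compile(
    r"<(?P<pri>\d+)>\s*(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<log>\S+)\s"
    r"(?P<msg_id>\S+)\s(?P<total>\d+)\s(?P<seg>\d+)\s(?P<body>.*)")

def parse(line):
    """Split one ACS syslog line into header fields and segment content."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not an ACS syslog line: %r" % line[:40])
    f = m.groupdict()
    # Priority = (8 x facility) + severity, so divmod recovers both.
    f["facility"], f["severity"] = divmod(int(f["pri"]), 8)
    f["total"], f["seg"] = int(f["total"]), int(f["seg"])
    return f

def reassemble(lines):
    """Group segments by (host, msg_id); return (complete, incomplete)."""
    groups = defaultdict(dict)
    for line in lines:
        f = parse(line)
        groups[(f["host"], f["msg_id"])][f["seg"]] = f
    complete, incomplete = {}, {}
    for key, segs in groups.items():
        total = next(iter(segs.values()))["total"]
        missing = sorted(set(range(total)) - set(segs))
        if missing:
            incomplete[key] = missing  # segment numbers never received
        else:  # join in seg# order, so a value split mid-pair is rejoined
            complete[key] = "".join(segs[i]["body"] for i in range(total))
    return complete, incomplete

HDR = "<110> Oct 16 08:58:07 64.103.114.149 CisACS_13_AdminAudit "
SAMPLE = [  # first line is the page's sample; the rest are constructed
    HDR + "18729fp11 1 0 AAA Server=tfurman-w2k,admin-username=local_login,"
          "browser-ip=127.0.0.1,text-message=Administration session finished,",
    HDR + "18729fp12 2 1 text-message=Administration session finished,",  # arrives first
    HDR + "18729fp12 2 0 AAA Server=tfurman-w2k,admin-username=local_login,",
    HDR + "18729fp13 3 0 AAA Server=tfurman-w2k,",  # segments 1 and 2 lost
]

if __name__ == "__main__":
    done, partial = reassemble(SAMPLE)
    for key, text in done.items():
        print(key, len(text), text)
    print("incomplete:", partial)
```

Messages left in the incomplete set are worth alerting on at the collector, since an audit record with a missing segment can hide the attribute an analyst needs.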