Configuring syslog forwarding for Cisco ACS v4.x

Configuration of an ACS device to forward syslog events to IBM® QRadar®.

About this task

Take the following steps to configure the ACS device to forward syslog events to QRadar


  1. Log in to your Cisco ACS device.
  2. On the navigation menu, click System Configuration.

    The System Configuration page opens.

  3. Click Logging.

    The logging configuration is displayed.

  4. In the Syslog column for Failed Attempts, click Configure.

    The Enable Logging window is displayed.

  5. Select the Log to Syslog Failed Attempts report check box.
  6. Add the following Logged Attributes:
    • Message-Type
    • User-Name
    • Nas-IP-Address
    • Authen-Failure-Code
    • Caller-ID
    • NAS-Port
    • Author-Data
    • Group-Name
    • Filter Information
    • Logged Remotely
  7. Configure the following syslog parameters:
    Table 1. Syslog parameters




    Type the IP address of QRadar.


    Type the syslog port number of IBM QRadar. The default is port 514.

    Max message length (Bytes) - Type

    Type 1024 as the maximum syslog message length.

    Note: Cisco ACS provides syslog report information for a maximum of two syslog servers.
  8. Click Submit.

    You are now ready to configure the log source in QRadar.