Configuration of an ACS device to forward syslog events to IBM QRadar.
About this task
Take the following steps to configure the ACS device to forward syslog events to QRadar.
Procedure
- Log in to your Cisco ACS device.
- On the navigation menu, click System Configuration.
  The System Configuration page opens.
- Click Logging.
  The logging configuration is displayed.
- In the Syslog column for Failed Attempts, click Configure.
  The Enable Logging window is displayed.
- Select the Log to Syslog Failed Attempts report check box.
- Add the following Logged Attributes:
  - Message-Type
  - User-Name
  - Nas-IP-Address
  - Authen-Failure-Code
  - Caller-ID
  - NAS-Port
  - Author-Data
  - Group-Name
  - Filter Information
  - Logged Remotely
- Configure the following syslog parameters:
  Table 1. Syslog parameters

  | Parameter | Description |
  |---|---|
  | IP | Type the IP address of QRadar. |
  | Port | Type the syslog port number of IBM QRadar. The default is port 514. |
  | Max message length (Bytes) | Type 1024 as the maximum syslog message length. |

  Note: Cisco ACS provides syslog report information for a maximum of two syslog servers.
- Click Submit.
You are now ready to configure the log source in QRadar.
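The following check is an added example, not part of the original procedure or of any Cisco or IBM tooling: it inspects captured Failed Attempts payloads for the ten Logged Attributes listed above and flags messages that reach the 1024-byte limit. It assumes attributes arrive as comma-separated name=value pairs; the syslog header, host name and values in the samples are constructed.

```python
import re

# Names copied from the Logged Attributes list in the procedure.
REQUIRED = ["Message-Type", "User-Name", "Nas-IP-Address", "Authen-Failure-Code",
            "Caller-ID", "NAS-Port", "Author-Data", "Group-Name",
            "Filter Information", "Logged Remotely"]
MAX_LEN = 1024  # "Max message length (Bytes)" value from the syslog parameters

def check_message(raw: bytes) -> dict:
    """Report which required attributes a received payload lacks and
    whether it reached the configured length limit."""
    text = raw.decode("utf-8", errors="replace")
    found = {}
    for name in REQUIRED:
        # ASSUMPTION: attributes are comma-separated name=value pairs.
        m = re.search(r"(?:^|[,\s])" + re.escape(name) + r"=([^,]*)", text, re.I)
        if m:
            found[name] = m.group(1).strip()
    return {
        "missing": [n for n in REQUIRED if n not in found],
        "at_limit": len(raw) >= MAX_LEN,
        "user": found.get("User-Name"),
    }

def build_sample(overrides=None, drop=()):
    """Build a CONSTRUCTED payload; header and values are invented."""
    values = {n: "x" for n in REQUIRED}
    values.update({"Message-Type": "Authen failed", "User-Name": "jdoe",
                   "Nas-IP-Address": "192.0.2.10"})
    values.update(overrides or {})
    body = ",".join(f"{n}={v}" for n, v in values.items() if n not in drop)
    return f"<131>Jan  1 00:00:00 acs-host FailedAttempts {body}".encode()

SAMPLES = {
    "complete": build_sample(),
    "attribute_not_logged": build_sample(drop=("Group-Name", "Caller-ID")),
    # ASSUMPTION: an over-long message is cut at the configured limit.
    "truncated": build_sample({"Author-Data": "A" * 2000})[:MAX_LEN],
}

def audit(samples=SAMPLES):
    """Run check_message over every labelled sample payload."""
    return {label: check_message(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, result in audit().items():
        print(label, result)
```

A message that is at the limit and also missing trailing attributes points to the length cap rather than to an attribute left out of the Logged Attributes list.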