Configuring syslog forwarding for Cisco ACS v4.x

Configuration of an ACS device to forward syslog events to the QRadar® product.

About this task

Take the following steps to configure the ACS device to forward syslog events to the QRadar product.

Procedure

  1. Log in to your Cisco ACS device.
  2. On the navigation menu, click System Configuration.

    The System Configuration page opens.

  3. Click Logging.

    The logging configuration is displayed.

  4. In the Syslog column for Failed Attempts, click Configure.

    The Enable Logging window is displayed.

  5. Select the Log to Syslog Failed Attempts report check box.
  6. Add the following Logged Attributes:
    • Message-Type
    • User-Name
    • Nas-IP-Address
    • Authen-Failure-Code
    • Caller-ID
    • NAS-Port
    • Author-Data
    • Group-Name
    • Filter Information
    • Logged Remotely
  7. Configure the following syslog parameters:
    Table 1. Syslog parameters

    Parameter

    Description
    IP

    Type the IP address of the QRadar product.
    Port

    Type the syslog port number of the QRadar product. The default is port 514.
    Max message length (Bytes) - Type

    Type 1024 as the maximum syslog message length.
    Note: Cisco ACS provides syslog report information for a maximum of two syslog servers.
  8. Click Submit.

    You are now ready to configure the data source in the QRadar product.