Recording - Cisco Servers User Manual

Appendix H Cisco Secure ACS Internal Architecture

Recording

78-13751-01, Version 3.0
immediate warning of "brute force" attacks by alerting the administrator to a large
number of accounts becoming disabled. In addition, it facilitates a support help
desk to anticipate problems with individual users gaining access.
CSMon records all exception events in logs that you can use to diagnose
problems. CSMon puts the logs in two places, sends notification(s), and responds:
CSMon Log—Like the other Cisco Secure ACS components, CSMon
•
maintains a CSV log of its own for diagnostic and error logging. Because this
logging consumes relatively small amounts of resources, CSMon logging
cannot be disabled.
Windows NT/2000 Event Log—In addition to the native CiscoSecure service
•
logging, CSMon logs all messages to the Windows NT/2000 Event Log.
Logging to the Windows NT/2000 Event Log is enabled by default but can be
disabled.
Notification—CSMon can be configured to notify system administrators in
•
the following cases:
Exception events (including the current state of Cisco Secure ACS)
•
• Response
Outcome of the response (including the current state of Cisco Secure ACS)
•
The default notification method is simple mail-transfer protocol (SMTP)
e-mail, but you can create scripts to enable other methods.
• Response—CSMon detects exception events that affect the integrity of the
service. Monitored events are listed above. These events are
application-specific and hard-coded into Cisco Secure ACS. There are two
types of responses:
– Warning events—Service is maintained but some monitored threshold is
breached
– Failure events—One or more Cisco Secure ACS components stop
providing service
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
CSMon
H-9