Cisco ACS

Cisco Access Control System (ACS) is an end-of-life Cisco product that provided visibility into, and control over, user access across your domain. Read more about the product here: https://www.cisco.com/c/en/us/products/security/secure-access-control-system/index.html

You can configure the Cisco appliance to send VPN data to InsightIDR.

InsightIDR only supports Cisco ACS versions 5.x and higher.

Configure Cisco ACS

You must configure the appliance to send syslog to InsightIDR.

To configure syslog forwarding:

  1. Sign in to your Cisco Secure ACS console.
  2. Expand System Administrator > Log Configuration and select the Remote Log Targets page.
  3. Click the Create button to create a new syslog target. The log type should automatically be “Syslog.”
  4. Provide a name for the syslog target, for example, “InsightIDR Collector.”
  5. Enter the IP address of your InsightIDR Collector in the “IP Address” field.
  6. Enter the unique port on the Collector that will receive the VPN events.
  7. Enter the maximum length of the remote log target messages.
  8. Click the Submit button to save the configuration.
  9. From the left menu, select Logging Categories > Global.
  10. Select the ACS Logs radio button at the top.
  11. Click the Edit button at the bottom.
  12. Select the Remote Syslog Target tab.
  13. In the “Available Targets” list, select the InsightIDR Collector you identified previously and click the > button to move it into the “Selected Targets” list.
  14. Click the Submit button to save the configuration.

For more detailed instructions and example log lines, see this Cisco community document: https://community.cisco.com/t5/security-documents/acs-5-x-configuring-the-external-syslog-server/ta-p/3143143
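The maximum message length set in step 7 matters on the receiving side: an ACS 5.x remote syslog target splits a record that exceeds that length into several syslog messages, each carrying its own header, and a consumer has to stitch the pieces back together before the key=value attributes can be read. The following Python is an added example, not Rapid7 or Cisco code, showing how such a consumer can parse and reassemble those messages. It assumes the general ACS 5.x header layout (message category, message ID, total segments, zero-based segment number, then the payload) and treats everything else as a plain "key=value, key=value" tail; the log lines are constructed for the example and the attribute names and values in them are illustrative.

```python
import re
from collections import defaultdict

# Assumed ACS 5.x remote-syslog header layout (an assumption for this example):
#   <PRI>Mon DD HH:MM:SS host CSCOacs_<Category> <message-id> <total-segments> <segment-number> <payload>
# A record longer than the remote target's maximum length is sent as several
# such lines sharing one message-id; segment numbers are assumed to start at 0.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                   # optional syslog PRI
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "          # syslog timestamp
    r"(?P<host>\S+) "                                             # sending host
    r"(?P<category>CSCOacs_\w+) "                                 # ACS log category
    r"(?P<msg_id>\d+) (?P<total>\d+) (?P<seg>\d+) "               # id, total segments, segment no.
    r"(?P<payload>.*)$"
)

# Assumed layout of the first part of the payload, before the attribute list:
#   <date> <time> <tz> <sequence> <message-code> <severity> <description>
DESC_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) (?P<seq>\d+) (?P<code>\d+) (?P<severity>[A-Z]+) (?P<text>.*)$"
)


def parse_payload(payload):
    """Split a complete payload into the descriptive head and a dict of attributes.

    Attributes are separated by ', '; a value that itself contains ', ' would be
    truncated by this simple split, which is a known limitation of the example.
    """
    head, *pairs = payload.split(", ")
    attrs = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    desc = DESC_RE.match(head)
    fields = desc.groupdict() if desc else {"text": head}
    return fields, attrs


class AcsSyslogReassembler:
    """Collects segments per (host, message-id) and emits a record once all have arrived."""

    def __init__(self):
        self._pending = defaultdict(dict)

    def feed(self, line):
        # Only strip the line ending: a segment may legitimately end in ', '
        # and that trailing space is needed when the pieces are joined.
        m = HEADER_RE.match(line.rstrip("\r\n"))
        if not m:
            return None  # not an ACS line; leave it to other parsers
        key = (m["host"], m["msg_id"])
        total, seg = int(m["total"]), int(m["seg"])
        parts = self._pending[key]
        parts[seg] = m["payload"]
        if any(i not in parts for i in range(total)):
            return None  # still waiting for at least one segment
        del self._pending[key]
        payload = "".join(parts[i] for i in range(total))
        fields, attrs = parse_payload(payload)
        return {
            "host": m["host"],
            "category": m["category"],
            "message_id": m["msg_id"],
            "segments": total,
            "code": fields.get("code"),
            "severity": fields.get("severity"),
            "text": fields.get("text"),
            "attributes": attrs,
        }


def reassemble(lines):
    """Feed syslog lines in arrival order and return the completed records."""
    r = AcsSyslogReassembler()
    return [rec for rec in map(r.feed, lines) if rec is not None]


# Constructed sample input (not real ACS output): one single-segment record,
# then a two-segment record whose segments arrive out of order.
SAMPLE_LINES = [
    "<174>Jan  5 10:15:01 acs01 CSCOacs_Passed_Authentications 0000000101 1 0 "
    "2024-01-05 10:15:01.123 +00:00 0000000101 5200 NOTICE Passed-Authentication: Authentication succeeded, "
    "ACSVersion=acs-5.8.0.32-B.442, Device IP Address=192.0.2.10, UserName=alice, NAS-IP-Address=192.0.2.10",
    "<172>Jan  5 10:15:02 acs01 CSCOacs_Failed_Attempts 0000000102 2 1 "
    "UserName=bob, NAS-IP-Address=192.0.2.10, FailureReason=Wrong password",
    "<172>Jan  5 10:15:02 acs01 CSCOacs_Failed_Attempts 0000000102 2 0 "
    "2024-01-05 10:15:02.456 +00:00 0000000102 5400 NOTICE Failed-Attempt: Authentication failed, "
    "ACSVersion=acs-5.8.0.32-B.442, Device IP Address=192.0.2.10, ",
]

if __name__ == "__main__":
    for rec in reassemble(SAMPLE_LINES):
        print(rec["category"], rec["code"], rec["attributes"].get("UserName"), f"({rec['segments']} segment(s))")
```

Running the block prints one line per completed record; the second record only appears after its segment 0 arrives, which is the behaviour a collector needs when the configured maximum length is smaller than a typical authentication record.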

Configure Cisco ACS in InsightIDR

Now you must configure an event source in InsightIDR to capture the Cisco ACS syslog. To do so:

  1. From your dashboard, select Data Collection from the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the VPN icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select an attribution source.
  8. Optionally configure an inactivity timeout threshold in minutes.
  9. Configure your default domain and any advanced settings.
  10. Select syslog as your collection method and specify the port and protocol you identified during Cisco ACS configuration.
    • If you chose TCP, you can optionally encrypt the event source by downloading the Rapid7 certificate.
  11. Click the Save button.

Attribution source options

Cisco ACS product logs can contain information about hosts and accounts. When setting up Cisco ACS as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  2. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  3. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  4. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.
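The four options differ only in which source is consulted first and whether the other is used as a fallback. The Python below is an added example, not Rapid7 code, that models that decision for a single log record so the fallback order can be checked against concrete inputs. The InsightIDR attribution engine itself is not public, so it is stood in for by an assumed `resolve` callback that maps a source address to an account and asset; the records and the lookup table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Option names as they appear on the event source form.
IDR_THEN_LOG = "Use IDR engine if possible; if not, use event log"
LOG_THEN_IDR = "Use event log if possible; if not, use IDR engine"
IDR_ONLY = "Use IDR engine only"
LOG_ONLY = "Use event log only"


@dataclass
class LogRecord:
    source_address: str           # address present in the log line
    account: Optional[str] = None  # account named in the log line, if any
    asset: Optional[str] = None    # asset named in the log line, if any


@dataclass
class Attribution:
    account: Optional[str]
    asset: Optional[str]
    source: str  # "idr_engine" or "event_log"


# Assumed stand-in for the attribution engine: address -> (account, asset) or None.
Resolver = Callable[[str], Optional[Tuple[Optional[str], Optional[str]]]]


def _from_event_log(rec: LogRecord) -> Optional[Attribution]:
    """Use the assets/accounts in the log line; nothing there means no result."""
    if rec.account is None and rec.asset is None:
        return None
    return Attribution(rec.account, rec.asset, "event_log")


def _from_idr_engine(rec: LogRecord, resolve: Resolver) -> Optional[Attribution]:
    """Use the engine's view of the source address; an unknown address means no result."""
    hit = resolve(rec.source_address)
    if hit is None:
        return None
    return Attribution(hit[0], hit[1], "idr_engine")


def attribute(option: str, rec: LogRecord, resolve: Resolver) -> Optional[Attribution]:
    """Apply the selected attribution option; None means the record stays unattributed."""
    engine = lambda: _from_idr_engine(rec, resolve)
    log = lambda: _from_event_log(rec)
    order = {
        IDR_THEN_LOG: (engine, log),
        LOG_THEN_IDR: (log, engine),
        IDR_ONLY: (engine,),
        LOG_ONLY: (log,),
    }[option]
    for strategy in order:
        result = strategy()
        if result is not None:
            return result
    return None


# Constructed lookup table standing in for what the engine knows about addresses.
KNOWN_ADDRESSES = {"10.0.0.5": ("alice", "ws-alice")}
sample_resolver: Resolver = KNOWN_ADDRESSES.get

if __name__ == "__main__":
    rec = LogRecord("10.0.0.5", account="bob")  # engine and log line disagree
    for option in (IDR_THEN_LOG, LOG_THEN_IDR, IDR_ONLY, LOG_ONLY):
        print(f"{option!r}: {attribute(option, rec, sample_resolver)}")
```

The record in the `__main__` block is the interesting case: the engine resolves the source address to one account while the log line names another, so the first two options disagree on the answer and the last two ignore one of the sources entirely. Which is correct depends on which source you trust more for this appliance, which is exactly the choice the option is asking you to make.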