Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Appendix H  Cisco Secure ACS Internal Architecture
CSMon
immediate warning of "brute force" attacks by alerting the administrator to a large
number of accounts becoming disabled. In addition, it helps a support help
desk anticipate problems with individual users gaining access.
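The brute-force signal described above (many accounts becoming disabled in a short time) can also be checked offline against exported logs. The following is an added example, not part of the Cisco guide or of Cisco Secure ACS; the CSV column names, the event text, the 10-minute window and the threshold of 4 accounts are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import deque
from datetime import datetime, timedelta

# Constructed sample rows. The column names and event text are assumptions
# for illustration, not the actual Cisco Secure ACS log layout.
SAMPLE_LOG = """Date,Time,User-Name,Event
03/14/2002,09:00:05,alice,Account disabled
03/14/2002,09:01:10,bob,Authentication failed
03/14/2002,09:02:00,bob,Account disabled
03/14/2002,09:02:30,alice,Account disabled
03/14/2002,09:03:15,carol,Account disabled
03/14/2002,09:04:40,dave,Account disabled
03/14/2002,09:05:00,erin,Account disabled
03/14/2002,14:30:00,frank,Account disabled
03/14/2002,14:45:00,grace,Account disabled
"""

def parse_disabled(text):
    """Return time-ordered (timestamp, user) pairs for account-disabled rows."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Event"].strip().lower() != "account disabled":
            continue
        ts = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        events.append((ts, row["User-Name"].strip().lower()))
    return sorted(events)

def detect_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Alert once each time `threshold` distinct accounts are disabled within `window`."""
    recent, alerts, alerting = deque(), [], False
    for ts, user in events:
        recent.append((ts, user))
        while ts - recent[0][0] > window:   # drop events older than the window
            recent.popleft()
        users = {u for _, u in recent}      # repeats of one account count once
        if len(users) < threshold:
            alerting = False                # burst over; re-arm
        elif not alerting:
            alerting = True
            alerts.append({"start": recent[0][0], "end": ts, "accounts": sorted(users)})
    return alerts

if __name__ == "__main__":
    for a in detect_bursts(parse_disabled(SAMPLE_LOG)):
        print(f"{a['start']} to {a['end']}: {len(a['accounts'])} accounts disabled: {a['accounts']}")
```

Counting distinct accounts rather than raw events keeps one user who is repeatedly locked out from triggering the alert, and the two isolated afternoon lockouts in the sample stay below the threshold.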
Recording
CSMon records all exception events in logs that you can use to diagnose
problems. CSMon puts the logs in two places, sends notification(s), and responds:
• CSMon Log—Like the other Cisco Secure ACS components, CSMon
  maintains a CSV log of its own for diagnostic and error logging. Because this
  logging consumes relatively small amounts of resources, CSMon logging
  cannot be disabled.
• Windows NT/2000 Event Log—In addition to the native Cisco Secure service
  logging, CSMon logs all messages to the Windows NT/2000 Event Log.
  Logging to the Windows NT/2000 Event Log is enabled by default but can be
  disabled.
• Notification—CSMon can be configured to notify system administrators in
  the following cases:
    • Exception events (including the current state of Cisco Secure ACS)
    • Response
    • Outcome of the response (including the current state of Cisco Secure ACS)
  The default notification method is Simple Mail Transfer Protocol (SMTP)
  e-mail, but you can create scripts to enable other methods.
• Response—CSMon detects exception events that affect the integrity of the
  service. Monitored events are listed above. These events are
  application-specific and hard-coded into Cisco Secure ACS. There are two
  types of responses:
    – Warning events—Service is maintained but some monitored threshold is
      breached
    – Failure events—One or more Cisco Secure ACS components stop
      providing service