<p><strong>extraxi news, hints 'n' tips</strong><br />By Extraxi. Feed updated 2008-07-17T15:42:49.959+01:00</p>

<p><strong>CSVSync V3.0</strong><br />Published 2008-07-17T15:38:00.003+01:00; updated 2008-07-17T15:42:49.985+01:00</p>
Released a week or two ago, this new version of csvsync can automate the process of exporting the ACS database via the Support function.<br /><br />We posted about this a while back <a href="http://extraxinews.blogspot.com/2008/05/new-features-for-csvsync.html">here</a> and now it's officially released.<br /><br />If you have an active support & maintenance contract you get an automatic 40% discount on list price, and if you purchase aaa-reports! enterprise you'll get it bundled.

<p><strong>Cisco Secure ACS View 4.0</strong><br />Published 2008-05-19T14:54:00.011+01:00; updated 2008-05-21T13:09:07.970+01:00</p>
Well they've been talking about it for long enough... and finally Cisco Secure ACS View 4.0 arrived. Although we have not actually been able to see it in the flesh, on first look it seems OK. However Cisco have made some questionable architecture choices... #1 being that they based log collection on syslog and #2 that it's appliance only.<br /><br />OK, so syslog is one of the most widely used logging protocols (historically) but it's hardly the robust transport one would wish for when logging security events. The implementation by ACS is also hampered by their choice of format... basically each syslog packet comprises a single line of log data of the form "attr=value, attr=value, ... " so there is a lot of bloat in carrying the attribute names. It's unlikely that complex ACS deployments will be able to log all the required attributes in a single syslog packet (1024 characters max in ACS 4.1). 
The View user guide does include the odd explanation that it is OK to receive partial data because the rest will get picked up at a later date (presumably by importing the ACS cab file). Yikes - creating a cab requires you to stop (or at least pause) the ACS services AND importing the same data twice could lead to duplicate rows.<br /><br />So it uses syslog (unreliable, unacknowledged, unencrypted) to send partial (1024 characters we guess) log entries using a bloated ASCII format that buries attribute names in the data. That could add up to a whole load more WAN traffic if your ACSs are distributed.<br /><br />extraxi aaa-reports! on the other hand uses the tried and tested bulk download over HTTP(S) using our csvsync client to download logs. The benefit here is that ACS just does what it does best - log locally, then csvsync/aaa-reports! downloads the logs in bulk (and with encryption) at a time of your choosing.<br /><br />Being appliance only there is no trial version so you can't test it before buying. It really only works with 4.1(4) but needs 4.2(1) to work well - so if you currently still have some 3.x servers in production you're out of luck. extraxi aaa-reports! works with all versions from 2.x through to 4.x and can be installed on anything from Windows XP to Server 2003 Terminal Server running inside VMware.<br /><br />On the topic of database size, View is based on Sybase SQL Anywhere which has a fixed 4GB of storage. aaa-reports! enterprise (due for release end of May 2008) uses multiple SQL Server Express databases offering a total of 48GB.<br /><br />More as it arrives...

<p><strong>Installing aaa-reports! with Terminal Services</strong><br />Published 2008-05-15T11:53:00.000+01:00; updated 2008-05-20T09:26:30.174+01:00</p>
As with any other application, to install on Windows Terminal Server you should do one of two things:<br /><ol><li>Use "Add/Remove Programs" in Control Panel to launch the application installer rather than just double-clicking setup.exe, or</li><li>From the command line type "change user /install" before running the setup.</li></ol><p>Either one of these will put the server into install mode and will ensure that installed components and registry changes are made for all users.</p><p>Failure to do one of the above will result in the application not functioning correctly for other users because DLLs will not be installed into the global Windows\System32 folder but instead into your own personal folder under Documents and Settings.</p><p>We recommend using the Add/Remove Programs method as it is by far the simplest and is future proofed.</p>

<p><strong>New Features For CSVSync</strong><br />Published 2008-05-01T14:17:00.003+01:00; updated 2008-05-01T14:24:17.908+01:00</p>
Quite a few customers have expressed the desire to generate and collect the ACS Support Cab (package.cab) using csvsync. This gives the advantage of being able to schedule the operation via a script on a remote PC - essential if your ACS is the Appliance kind.<br /><br />In testing now is the next version of csvsync with exactly this feature. You can connect to the following versions of ACS to collect the cab file:<br /><br />Appliance v4.0(1) onwards<br />Software v4.1(4) onwards<br /><br />Prior to v4.1(4) the Support page was not available via ACS Admin on the Software version.<br /><br />Beta expected in the next couple of weeks.

<p><strong>ACS v4.1(4) Compatibility Issue Resolved</strong><br />Published 2008-04-22T16:01:00.001+01:00; updated 2008-04-22T16:03:01.425+01:00</p>
A new build of aaa-reports! 
v2.2.1 has been posted today that resolves all known issues with importing ACS v4.1(4) cab and dump files.<br /><br />Hoorah!

<p><strong>aaa-reports! enterprise edition - beta now available</strong><br />Published 2008-03-20T11:06:00.003Z; updated 2008-03-20T11:23:33.054Z</p>
<a href="http://bp1.blogger.com/_7HzmJCtA2vE/R-JF481em_I/AAAAAAAAAKk/dLXW45Udk-k/s1600-h/AAARE+LOGO+GIF.gif"><img id="BLOGGER_PHOTO_ID_5179779366134914034" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://bp1.blogger.com/_7HzmJCtA2vE/R-JF481em_I/AAAAAAAAAKk/dLXW45Udk-k/s320/AAARE+LOGO+GIF.gif" border="0" /></a> aaa-reports! enterprise edition beta 2 is now available for download. Please use our <a href="http://www.extraxi.com/contact.htm">contact page</a> to request a copy.<br /><br />New feature highlights:<br /><ul><li>Scalable SQL Server Express databases for up to 48GB capacity.</li><li>Advanced parameter filter on canned reports (equal, like, null, ...) incl wildcards.</li><li>Enhanced Query Builder. Re-order & re-name columns + complex expressions.</li><li>All ACS log types now supported (incl. appliance, replication etc).</li><li>New look UI and usability enhancements.</li></ul><br />Note the system requirements for this version are higher than for aaa-reports! v2.x and this is because it uses SQL Server as the main repository. Ideally you would be installing on a dual/quad core 2 system with at least 2GB RAM.<br /><br />There are two installers which must be used in the correct order:<br /><ol><li>Environment setup. Installs .NET framework and SQL Server Express</li><li>Application setup</li></ol>

<p><strong>ACS v4.1(4) Compatibility Issue</strong><br />Published 2008-01-23T15:53:00.000Z; updated 2008-01-23T15:59:11.895Z</p>
If you have recently upgraded to ACS v4.1(4) there is a compatibility issue when importing the ACS database into aaa-reports! 
due to file format changes inside the cab and dump files.<br /><br />We've posted a fixed build (15th Jan) onto the download site for the .cab file issue and are working on the dump file import now.<br /><br />If you experience the error "database contains no groups or users" when importing the database you need this patch. The patched aaa-reports! version is "FE 2.2342" (click help/about to check).

<p><strong>Merry Christmas!</strong><br />Published 2007-12-25T16:41:00.000Z; updated 2007-12-20T09:47:51.316Z</p>
To any and all who celebrate this time of year....<br /><br />... and especially our customers<br /><br /><br /><span style="font-size:180%;"><strong>Have a great one!!</strong></span>

<p><strong>aaa-reports! enterprise... sneak preview</strong><br />Published 2007-12-20T09:32:00.000Z; updated 2007-12-20T09:47:32.447Z</p>
Well we're almost there for the first beta of aaa-reports! enterprise. The screenshots below show off our refreshed UI (ok.. about time!)<br /><br /><a href="http://bp3.blogger.com/_7HzmJCtA2vE/R2o3JlFps9I/AAAAAAAAAJk/4FCqduF_NqM/s1600-h/AAAR+Enterprise+Screenshot+-+Reports.jpg"><img id="BLOGGER_PHOTO_ID_5145986161938379730" style="CURSOR: hand" alt="" src="http://bp3.blogger.com/_7HzmJCtA2vE/R2o3JlFps9I/AAAAAAAAAJk/4FCqduF_NqM/s320/AAAR+Enterprise+Screenshot+-+Reports.jpg" border="0" /></a><br /><br />This is a major step forward for aaa-reports! with an all new back end based on SQL Server Express giving us a total of 32GB of storage. 
Of course we're keeping the multi-DB feature so you actually get n*32GB !!<br /><br />For our biggest customers there is also the option to swap out Express with full blown SQL Server.<br /><br /><a href="http://bp0.blogger.com/_7HzmJCtA2vE/R2o3J1Fps-I/AAAAAAAAAJs/fkV0YR89hDI/s1600-h/AAAR+Enterprise+Screenshot+-+Automation.jpg"><img id="BLOGGER_PHOTO_ID_5145986166233347042" style="CURSOR: hand" alt="" src="http://bp0.blogger.com/_7HzmJCtA2vE/R2o3J1Fps-I/AAAAAAAAAJs/fkV0YR89hDI/s320/AAAR+Enterprise+Screenshot+-+Automation.jpg" border="0" /></a><br /><br />Switching to SQL Server enables a whole wealth of server-side filtering that wasn't possible before. As a result all of the canned reports can now be filtered on one or more attributes, eg Network Device Group, Group etc, allowing you to make them as general or specific as you wish. The reports also appear much faster as the datasets are created in SQL Server.<br /><br />Oh and the query builder has undergone a major overhaul to allow column ordering to be saved, column renaming and even free form SQL statement entry for very advanced users.

<p><strong>Negative values in canned reports</strong><br />Published 2007-11-29T11:53:00.000Z; updated 2007-11-29T11:57:01.375Z</p>
This week we had some reports of very large negative values in our canned reports - in particular the device utilisation reports.<br /><br />After some delving it turned out to be the customer's PIX sending garbage values in the TACACS+ "elapsed time" attribute.<br /><br />The customer is now following this up with Cisco.

<p><strong>aaa-reports! "Software as a service"</strong><br />Published 2007-11-24T20:36:00.000Z; updated 2007-11-24T20:49:00.810Z</p>
For those of you out there that don't want the hassle or expense of managing yet another Windows server but still want to benefit from extraxi's reporting expertise...<div>We are developing a virtually hosted subscription based offering with our partner 1&1 Internet Ltd. For a fraction of the TCO of a real Windows server we will offer a choice of shared virtual server or dedicated server - both running industry standard Windows Server 2003. 1&1 are one of Europe's largest ISPs and offer state of the art hosting facilities with unparalleled uptime.</div><div>The solution comprises extraxi csvsync for collecting logs from all your ACS servers and a secure FTP client for pushing logs onto the hosted server. You then have FULL terminal service access to the server with a pre-installed copy of aaa-reports! with automation.</div><div>Report PDFs are published to an IIS web folder where your authenticated users can download directly over secure https.</div><div>For more information please <a href="http://www.extraxi.com/contact.htm">contact us</a>.</div>

<p><strong>Online Quote & Ordering Page</strong><br />Published 2007-11-05T14:16:00.001Z; updated 2007-11-05T14:17:24.135Z</p>
You can get quotes and submit orders online at<br /><br /><a href="http://www.extraxi.com/order1.asp">http://www.extraxi.com/order1.asp</a>

<p><strong>Extraxi Licensing FAQ</strong><br />Published 2007-11-05T14:07:00.000Z; updated 2007-11-05T14:16:05.261Z</p>
When you want to order copies of any extraxi product there are several factors that decide the cost:<br /><ul><li>Number of AAA servers you wish to report against</li><li>Number of installed copies you wish to purchase</li><li>Maintenance & support requirements</li></ul><p>It's a common mistake to assume if you have 2 AAA servers you need 2 copies of say aaa-reports! 
as well - you don't. A single copy of aaa-reports! can import logs from tens of servers.</p><p>You only need multiple copies if you want to install on multiple PCs - for example if you wanted a copy in two locations.</p>

<p><strong>aaa-reports! v2.2.1 released</strong><br />Published 2007-11-03T15:04:00.000Z; updated 2007-11-03T15:05:50.454Z</p>
aaa-reports! v2.2.1 is now available in our downloads area via the trial request page.<div><br /></div><div>For details about features see the previous post.</div>

<p><strong>Scripting Automation and MS Office</strong><br />Published 2007-10-18T11:59:00.000+01:00; updated 2007-10-18T12:08:28.044+01:00</p>
Here's one that can trip you up.<br /><br />If you create a specific Windows user account for running aaa-reports! automation (most people do) <strong>and</strong> you have retail MS Office installed on the same PC.... you'll need to log in as this user and start an Office app (eg Word) at least <strong>ONCE</strong>. When you do this Office will spot it's a new user and prompt you to confirm your name and initials.<br /><br />Now, when aaa-reports! automation kicks in Office will not throw a spanner in the works by asking for user details.<br /><br />Otherwise an unattended session is left waiting for user input and you'll think aaa-reports! is broken. Thank you Microsoft!

<p><strong>aaa-reports! v2.2.1</strong><br />Published 2007-10-17T17:13:00.000+01:00; updated 2007-10-17T17:19:08.896+01:00</p>
v2.2.1 will be posted onto the download page in the next week or so. This release has some significant new features and as usual is available free for customers with support contracts.<br /><br />Enhancements include<br /><ol><li>Multi-Database feature enhanced to allow database “cloning”. 
Cloning allows the creation of a new database by copying any existing database and provides a simple mechanism to quickly create pre-configured blank databases or copy existing populated databases for diagnostic work or as point-in-time snapshots.</li><li>User List import (for inactive user reports). It is now possible to populate the User List from an ACS Dump/CAB File. Where users have access to the Dump/CAB file this can be imported instead of creating and importing a separate CSV file with User List data.</li><li>New Data Purge facility with much improved filtering and selection options to make it easier to identify and purge specific log data.</li><li>Improved processing of ACS logs to find and handle known problematic issues with log content.</li><li>Support for very long filenames (previously 64 characters) to offer more flexibility when processing logs with CSVsync and/or CSVsplit and adding descriptive suffixes and AAA Server names to create meaningful filenames.</li><li>Recognition of logs with underscores in place of spaces in their filenames. Some systems appear to automatically insert underscores into filenames when downloading logs from ACS, e.g. “Administration Audit 2007-10-10.csv” becomes “Administration_Audit_2007-10-10.csv”. Previously filenames with underscores were not recognised as valid log files.</li><li>Improved detection and warning when importing logs that have a different date format to the MDY or DMY setting in Options. Specifying the wrong date format will result in log dates being misinterpreted and have adverse effects on the integrity of reports.<br />Extended handling of common issues with log content that can otherwise prevent logs being parsed correctly.</li><li>Improved regional support for the Log Import process running in Locales where the comma character “,” is not used as the Field Separator character. Users in most affected regions no longer have to change to a compatible locale prior to importing log files. 
</li></ol>

<p><strong>Support for ACS Express v5</strong><br />Published 2007-10-16T11:31:00.000+01:00; updated 2007-10-16T12:04:44.796+01:00</p>
We are currently working with Cisco to add support for ACS v5.0 to aaa-reports!<br /><br />A version of aaa-reports! with ACS v5.0 support is planned to coincide with the full feature version of ACS shipping in late 2008.

<p><strong>What Can Extraxi Get From The ACS Database?</strong><br />Published 2007-10-12T15:48:00.000+01:00; updated 2007-10-15T12:54:55.640+01:00</p>
aaa-reports! support for importing (and reporting against) data from the Cisco ACS database has grown over time. In v1.x we could import users and group assignments from a CSV file.<br /><br />In v2.0 we added the csutil "dump.txt" and also included account expiry, password aging, user defined fields (eg Real Name, Description etc) and a whole lot more.<br /><br />In v2.1 we started to look at TACACS+ Device Admin (TDA) policy to pull in Shared Device Command Sets (DCS) for Shell and PIX, IP based Network Access Restrictions (Group & Shared) and Network Device Group (NDG) memberships. Finally aaa-reports! is able to look into each ACS group to pull in the Shell & PIX service authorizations:<br /><ul><li>Service enabled (y/n)</li><li>Service attributes (returned after authentication)</li><li>Group level access restrictions</li><li>Shared access restrictions</li><li>Group level shell/pix command authorisations</li><li>Shared shell/pix command authorisations (via NDG->DCS mappings)</li></ul><p>With all this data imported we can offer reports to both document the config (eg our group/user detail report that has a layout similar to the ACS UI) and explore the config (eg who has access to what devices AND what commands can they execute). 
Also, the Query Builder can see the same data too - so you can create custom reports about the users in the ACS db too!</p><p>Cool huh?</p><p>Of course, the next question is how to get the data OUT of ACS and then IN to aaa-reports!</p><p>If you have ACS v4.x on either software or appliances it's easy. You just create a support "package.cab" using either the command line cssupport.exe (s/w version) or the Support admin page (appliance version). Make sure you tick the check boxes to include the user & group db + config.</p><p>If you have ACS v3.x then unfortunately the appliance is not supported. On the s/w version we have a script you can download to suck the data out - available on our download page.</p><p>Once you have a .cab file (from either of the methods above) you just click on <em>Import ACS Database</em> on the aaa-reports! <em>Import</em> page.</p>

<p><strong>Minimum Server Spec for aaa-reports!</strong><br />Published 2007-10-11T14:20:00.000+01:00; updated 2007-10-11T14:30:56.440+01:00</p>
Virtually any new server PC/blade will be powerful enough to run aaa-reports! After all, because of Moore's Law, server specs have gone up considerably since our v1.0 release.<br /><br />Here is Microsoft's guide to the <a href="http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx">hardware requirements for Server 2003</a>. The R2 datacenter reqs probably make the most sense.<br /><br />BTW the same goes for csvsync and csvsplit too.

<p><strong>aaa-reports! on the ACS server?</strong><br />Published 2007-10-11T14:13:00.000+01:00; updated 2007-10-11T14:19:13.798+01:00</p>
A lot of people will ask if it's OK to install aaa-reports! on the same server as ACS is installed on.<br /><br />The answer is you can... but we don't recommend it. The reasons being:<br /><ul><li>aaa-reports! 
will greedily try to use all available CPU while importing and running reports, so depending on the amount of data this could represent quite heavy usage for minutes at a time. This could in turn affect the performance of your ACS server.</li><li>The ACS services keep the active CSVs (ie the files they are currently writing to) locked, so the aaa-reports! move-on-import feature will not work and you might get incomplete rows imported.</li></ul><p>Best practice is to roll out a dedicated server (or VM) with plenty of hard drive space and make it the "reporting server" and the log repository.</p>

<p><strong>Date Format Woes (updated)</strong><br />Published 2007-10-11T11:54:00.000+01:00; updated 2007-12-18T16:52:42.397Z</p>
One thing to check BEFORE importing any CSV files into aaa-reports! is that you configure the date format options to match your ACS server.<br /><br />That is either DMY or MDY.<br /><br />If these do not match, aaa-reports! will still import your logs, but it will get the day and month mixed up. For example, data from July 10th will appear to be from November 7th. Worse still, any rows dated after the 12th day of the month will look invalid (ie the month will look greater than 12) and be dropped.<br /><br />Also, if you change the date format in ACS, it will not roll the active logs. Great - you end up with both formats in a single log. 
This is enough to confuse any database batch import (or even ODBC insert) process.<br /><br />We'll look at actually rejecting logs completely if it looks like the date format is wrong - probably in v2.2.1 - in fact several additional checks are being added:<br /><ul><li>The date of the first row MUST be later than the date stamp in the csv filename</li><li>The day/month should not appear to reverse from one row to another</li></ul>

<p><strong>extraxi Software On Linux</strong><br />Published 2007-10-02T14:31:00.000+01:00; updated 2007-10-11T14:41:56.980+01:00</p>
We know some organisations try to run Windows apps on Linux using emulators such as <a href="http://www.winehq.org/">Wine</a>.<br /><br />To our knowledge aaa-reports! has not been tried.<br />csvsplit should work no problem as it's a command line program.<br />csvsync v1.0 was known to work, but v2.0 changed winsock libraries which revealed a bug in (the then current version of) Wine.<br /><br />At present we have no plans to officially test or support this. However, if you have tried it please let us know!

<p><strong>System Locale Issues</strong><br />Published 2007-10-01T15:52:00.000+01:00; updated 2007-10-11T14:13:21.448+01:00</p>
If you're in the USA... you can skip this item ;)<br /><br />For everyone else, particularly those in Europe, it's important to note that some locales do not use the comma as the separator inside a CSV file. OK, this is a bit wacky as the C in CSV stands for Comma, but there you go!<br /><br />CSVs produced by Cisco Secure ACS are hard coded to use commas. aaa-reports! uses ODBC to import logs and this uses the system locale to know how they are delimited... hence the problem.<br /><br />If your locale setting says the delimiter is a semi-colon ODBC will complain when it sees commas. 
The workaround is to set your locale to USA or another country that uses the comma.<br /><br />We are actively looking for a better solution and hope to fix this issue in aaa-reports! v2.2.1.

<p><strong>Getting More Data Into aaa-reports!</strong><br />Published 2007-09-14T11:21:00.000+01:00; updated 2007-10-11T14:12:37.966+01:00</p>
Sooner or later the aaa-reports! database will fill up. If you have automation, old data will automagically be purged to make space for new logs resulting in a "reporting window" whose size depends on the amount of data imported every day. The more you import the smaller the window.<br /><br />To make the window as large as possible there are some tricks you can try:<br /><br /><ul><li><strong>Filter out junk data</strong>. In many TACACS+ Admin logs up to 90% of rows can be full of scripted commands from (amongst others) CiscoWorks. By setting up a pre-filter (<em>Options/Import Options/Pre-Filter</em>) you can filter out rows containing strings such as "Scripts", "ping" or "show". This can drastically increase the reporting window as matching rows are simply discarded during import.</li><li><strong>Use Multi-DB</strong> (new in v2.2). Depending on your deployment it may be possible to split your data and import each dataset into its own aaa-reports! backend database (or multi-db). For example, you have 2 ACS servers - one handling VPN and the other Device Admin. This is a prime candidate for 2 multi-dbs. Multi-DB can be enabled via the <em>Options</em> page.</li></ul><p>The next major release, aaa-reports! enterprise edition, will feature an entirely new backend database engine with approximately 32GB of storage. Combined with Multi-DB that's a HUGE potential.</p>

<p><strong>aaa-reports! and VMware</strong><br />Published 2007-09-05T09:34:00.000+01:00; updated 2007-10-11T14:12:08.660+01:00</p>
We get asked this all the time... "Does aaa-reports! 
work inside a VM?"<br /><br />Yes it does!