Welcome to the extraxi blog...
The servers are predominantly used to secure network services such as dial, wireless lan, vpn, firewall and network device management.
Typically these servers just chuck out MBs of raw CSV log data about network activity. What we do is help collect this data, then import it and turn it into usable information.
Monday, 19 May 2008
Ok, so syslog is one of the most widely used logging protocols (historically) but it's hardly the robust transport one would wish for when logging security events. The implementation by ACS is also hampered by their choice of format... basically each syslog packet comprises a single line of log data of the form "attr=value, attr=value, ..." so there is a lot of bloat in carrying the attribute names. It's unlikely that complex ACS deployments will be able to log all the required attributes in a single syslog packet (1024 characters max in ACS 4.1). The View user guide does include the odd explanation that it is ok to receive partial data because the rest will get picked up at a later date (presumably by importing the ACS cab file). Yikes - creating a cab requires you to stop (or at least pause) the ACS services AND importing the same data twice could lead to duplicate rows.
So it uses syslog (unreliable, non-ack'd, unencrypted) to send partial (1024 characters we guess) log entries using a bloated ASCII format that buries attribute names in the data. That could add up to a whole load more WAN traffic if your ACSs are distributed.
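To make the two problems concrete, here is a small parser added for this post (not extraxi or Cisco code) that reads the "attr=value, attr=value, ..." payload, flags records that hit the 1024-character cap or end in a cut-off attribute name, and folds partial syslog records together with the fuller rows that arrive later so that the same event imported twice yields one row. The sample payloads are constructed, and the fields used as the event key are an assumption.

```python
"""Parse ACS-style 'attr=value, attr=value, ...' syslog payloads, flag partial
records, and merge them with later full rows keyed on an assumed event identity.
Sample payloads below are constructed, not real ACS output."""
from typing import Dict, List, Tuple

ACS_SYSLOG_MAX = 1024  # per-packet limit quoted for ACS 4.1

# Assumed identity of an event; real ACS data may need a different key.
KEY_FIELDS = ("Date", "Time", "User-Name", "NAS-IP-Address")


def parse_acs_syslog(payload: str) -> Tuple[Dict[str, str], bool]:
    """Return (attributes, truncated). The record is treated as partial when
    the payload has reached the size cap or a fragment has no '=', i.e. an
    attribute name was cut off mid-way. Values are assumed to be comma-free."""
    attrs: Dict[str, str] = {}
    truncated = len(payload) >= ACS_SYSLOG_MAX
    for piece in payload.split(","):
        piece = piece.strip()
        if not piece:
            continue
        if "=" not in piece:
            truncated = True  # dangling name with no value separator
            continue
        name, _, value = piece.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs, truncated


def merge_records(*sources: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Fold records from several imports (syslog first, cab file later) into
    one row per KEY_FIELDS tuple; later, fuller sources overwrite earlier ones."""
    merged: Dict[tuple, Dict[str, str]] = {}
    for source in sources:
        for rec in source:
            key = tuple(rec.get(f, "") for f in KEY_FIELDS)
            merged.setdefault(key, {}).update(rec)
    return list(merged.values())


# Constructed samples: one complete record and one padded past the cap and cut.
COMPLETE = ("Date=05/19/2008, Time=10:15:01, User-Name=alice, "
            "NAS-IP-Address=10.0.0.5, Message-Type=Authen OK")
_LONG = ("Date=05/19/2008, Time=10:15:02, User-Name=bob, NAS-IP-Address=10.0.0.5, "
         + ", ".join(f"Attr{i}=value{i}" for i in range(80)))
TRUNCATED = _LONG[:ACS_SYSLOG_MAX]
# The same event as TRUNCATED, as it would arrive later from the cab file.
CAB_ROW = {"Date": "05/19/2008", "Time": "10:15:02", "User-Name": "bob",
           "NAS-IP-Address": "10.0.0.5", "Group-Name": "staff"}
```

Running `merge_records([parse_acs_syslog(COMPLETE)[0], parse_acs_syslog(TRUNCATED)[0]], [CAB_ROW])` returns two rows, with bob's truncated syslog attributes and his cab-file Group-Name combined into one.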
extraxi aaa-reports! on the other hand uses tried and tested bulk download over http(s), using our csvsync client to download the logs. The benefit here is that ACS just does what it does best - log locally - then csvsync/aaa-reports! download the logs in bulk (and with encryption) at a time of your choosing.
Being appliance only, there is no trial version so you can't test it before buying. It really only works with 4.1(4) but needs 4.2(1) to work well - so if you currently still have some 3.x servers in production you're out of luck. extraxi aaa-reports! works with all versions from 2.x through to 4.x and can be installed on anything from Windows XP to Server 2003 Terminal Server running inside VMware.
On the topic of database size, View is based on Sybase SQL Anywhere, which has a fixed 4GB of storage. aaa-reports! enterprise (due for release end of May 2008) uses multiple SQL Server Express databases offering a total of 48GB.
More as it arrives...
Thursday, 15 May 2008
- Use "Add/Remove Programs" in Control Panel to launch the application installer rather than just double-click the setup.exe, or
- From the command line type "change user /install" before running the setup.
Either one of these will put the server into install mode and will ensure that installed components and registry changes are made for all users.
Failure to do one of the above will result in the application not functioning correctly for other users, because DLLs will not be installed into the global Windows\System32 folder but instead into your own personal folder under Documents and Settings.
We recommend using the Add/Remove Programs method as it is by far the simplest and most future-proof.
Thursday, 1 May 2008
In testing now is the next version of csvsync with exactly this feature. You can connect to the following versions of ACS to collect the cab file:
Appliance v4.0(1) onwards
Software v4.1(4) onwards
Prior to v4.1(4) the Support page was not available in the software version of ACS Admin.
Beta expected in the next couple of weeks.