Welcome to the extraxi blog...

If you found this page accidentally and don't know what extraxi is about... we specialise in reporting solutions for the Cisco Secure ACS and Funk SBR access control servers (aka AAA servers).

The servers are predominantly used to secure network services such as dial, wireless lan, vpn, firewall and network device management.

Typically these servers just chuck out MBs of raw CSV log data about network activity. What we do is to help collect this data then import and turn it into useable information.

Tuesday, 25 December 2007

Merry Christmas!

To any and all who celebrate this time of year....

... and especially our customers

Have a great one!!

Thursday, 20 December 2007

aaa-reports! enterprise... sneak preview

Well we're almost there for the first beta of aaa-reports! enterprise. The screenshots below show off our refreshed UI (ok.. about time!)

This is a major step forward for aaa-reports! with an all new back end based on SQL Server Express giving us a total of 32GB of storage. Of course we're keeping the multi-DB feature so you actually get n*32GB !!

For our biggest customers there is also the option to swap out Express with full blown SQL Server.

Switching to SQL Server enables a whole wealth of server-sided filtering that wasnt possible before. As a result all of the canned reports can now be filtered on one or more attributes, eg Network Device Group, Group etc allowing you to make them as general or specific as you wish. The reports also appear much faster as the datasets are created in SQL Server.

Oh and the query builder has undergone a major overhaul to allow column ordering to be saved, column renaming and even free form SQL statement entry for very advanced users.

Thursday, 29 November 2007

Negative values in canned reports

This week we had some reports of very large negative values in our canned reports - in particular the device utilisation reports.

After some delving it turned out to be the customers PIX sending garbage values in the TACACS+ "elapsed time" attribute.

The customer is now following this up with Cisco.

Saturday, 24 November 2007

aaa-reports! "Software as a service"

For those of you out there that don't want the hassle or expense of managing yet another Windows server but still want to benefit from extraxi's reporting expertise...
We are developing a virtually hosted subscription based offering with our partner 1&1 Internet Ltd. For a fraction of the TCO of a real Windows server we will offer a choice of shared virtual server or dedicated server - both running industry standard Windows Server 2003. 1&1 are one of Europe's largest ISPs and offer state of the art hosting facilities with unparalleled uptime.
The solution comprises extraxi csvsync for collecting logs from all your ACS servers, a secure FTP client for pushing logs onto the hosted server. You  then have FULL terminal service access to the server with a pre-installed copy of aaa-reports! with automation.
Report PDFs are published to an IIS web folder where your authenticated users can download directly over secure https.
For more information please contact us 

Monday, 5 November 2007

Online Quote & Ordering Page

You can get quotes and submit orders online at


Extraxi Licensing FAQ

When you want to order copies of any extraxi product there are several factors that decide the cost:
  • Number of AAA servers you wish to report against
  • Number of installed copies you wish to purchase
  • Maintenance & support requirements

Its a common mistake to assume if you have 2 AAA servers you need 2 copies of say aaa-reports! as well - you don't. A single copy of aaa-reports! can import logs from 10's of servers.

You only need multiple copies if you want to install on multiple PCs - for example if you wanted a copy in two locations.

Saturday, 3 November 2007

aaa-reports! v2.2.1 released

aaa-reports! v2.2.1 is now available in our downloads area via  the trial request page.

For details about features see the previous post.

Thursday, 18 October 2007

Scripting Automation and MS Office

Here's one that can trip you up.

If you create a specific Windows user account for running aaa-reports! automation (most people do) and you have retail MS Office installed on the same PC.... you'll need to login as this user and start an Office app (eg Word) at least ONCE. When you do this Office will spot its a new user and prompt you to confirm your name an initials.

Now, when aaa-reports! automation kicks in Office will not throw a spanner in the works by asking for user details.

Otherwise an unattended session is left waiting for user input and you'll think aaa-reports! is broken. Thank you Microsoft!

Wednesday, 17 October 2007

aaa-reports! v2.2.1

v2.2.1 will be posted onto the download page in the next week or so. This release has some significant new features and as usual is available free for customers with support contracts.

Enhancements include
  1. Multi-Database feature enhanced to allow database “cloning”. Cloning allows the creation of a new database by copying any existing database and provides a simple mechanism to quickly create pre-configured blank databases or copy existing populated databases for diagnostic work or as point-in-time snapshots.
  2. User List import (for inactive user reports). It is now possible to populate the User List from an ACS Dump/CAB File. Where users have access to the Dump/CAB file this can be imported instead of creating and importing a separate CSV file with User List data.
  3. New Data Purge facility with much improved filtering and selection options to make it easier to identify and purge specific log data.
  4. Improved processing of ACS logs to find and handle known problematic issues with log content.
  5. Support for very long filenames (previously 64 characters) to offer more flexibility when processing logs with CSVsync and/or CSVsplit and adding descriptive suffixes and AAA Server names to create meaningful filenames.
  6. Recognition of logs with underscores in place of spaces in their filenames. Some systems appear to automatically insert underscores into filenames when downloading logs from ACS, e.g. “Administration Audit 2007-10-10.csv” becomes “Administration_Audit_2007-10-10.csv”. Previously filenames with underscores were not recognised as valid log files.
  7. Improved detection and warning when importing logs that have a different date format to the MDY or DMY setting in Options. Specifying the wrong date format will result in log dates being misinterpreted and have adverse affects on the integrity of reports.
    Extended handling of common issues with log content that can otherwise prevent logs being parsed correctly.
  8. Improved regional support for the Log Import process running in Locales where the comma character “ , ‘” is not used as the Field Separator character. Users in most affected regions no longer have to change to a compatible locale prior to importing log files.

Tuesday, 16 October 2007

Support for ACS Express v5

We are curently working with Cisco to add support for ACS v5.0 to aaa-reports!

A version of aaa-reports! with ACS v5.0 support is planned to coincide with the full feature version of ACS shipping in late 2008.

Friday, 12 October 2007

What Can Extraxi Get From The ACS Database?

aaa-reports! support for importing (and reporting against) data from the Cisco ACS database has grown over time. In v1.x we could import users and group assignments from a CSV file.

In v2.0 we added the csutil "dump.txt" and also included account expiry, password aging, user defined fields (eg Real Name, Description etc) and a whole lot more.

In v2.1 we started to look at TACACS+ Device Admin (TDA) policy to pull in Shared Device Command Sets (DCS) for Shell and PIX, IP based Network Access Restrictions (Group & Shared), Network Device Group (NDG) memberships. Finally aaa-reports! is able to look into each ACS group to pull in the Shell & PIX service authorizations:
  • Service enabled (y/n)
  • Service attributes (returned after authentication)
  • Group level access restrictions
  • Shared access restrictions
  • Group level shell/pix command authorisations
  • Shared shell/pix command authorisations (via NDG->DCS mappings)

With all this data imported we can offer reports to both document the config (eg our group/user detail report that has layout similar to the ACS UI) and explore the config (eg who has access to what devices AND what commands can they execute. Also, the Query Builder can see the same data too - so you can create custom reports about the users in the ACS db too!

Cool huh?

Of course, the next question is how to get the data OUT of ACS and then IN to aaa-reports!

If you have ACS v4.x on either software or appliances its easy. You just create a support "package.cab" using either the command line cssupport.exe (s/w version) or the Support admin page (appliance version). Make sure you tick the check boxes to include the user & group db + config.

If you have ACS v3.x then unfortunately the appliance is not supported. On the s/w version we have a script you can download to suck the data out - available on our download page.

Once you have a .cab file (from either of the methods above) you just click on Import ACS Database on the aaa-reports Import page.

Thursday, 11 October 2007

Minimum Server Spec for aaa-reports!

Virtually any new server PC/blade will be powerful enough to run aaa-reports! Afterall because of Moore's Law server specs have gone up considerably since our v1.0 release.

Here is Microsoft's guide to the hardware requirements for Server 2003. The R2 datacenter reqs probably make the most sense.

BTW the same goes for csvsync and csvsplit too.

aaa-reports! on the ACS server?

A lot of poeple will ask if its ok to install aaa-reports! on the same server as ACS is installed on.

The answer is you can... but we dont recommend it. The reasons being:
  • aaa-reports! will greedily try to use all available CPU while importing and running reports, so depending on the amount of data this could represent quite heavy usage for minutes at a time. This could in turn affect the performance of your ACS server.
  • The ACS services have active csv's (ie the files it is currently writing to) locked. So the aaa-reports! move-on-import feature will not work and you might get incomplete rows imported.

Best practice is to roll out a dedicated server (or VM) with plenty of hard drive space and make it the "reporting server" and the log repository.

Date Format Woes (updated)

One thing to check BEFORE importing any CSV files into aaa-reports! is that you configure the date format options to match your ACS server.

That is either DMY or MDY

If these do not match aaa-reports! will still import your logs, but it will get the day and month mixed up. For example, data from July 10th will appear to be from November 7th. Worse still, is that any rows dated after the 12th day of the month will look invalid (ie the month will look greater than 12) and be dropped.

Also, if you change the date format in ACS, it will not roll the active logs. Great - you end up with both formats in a single log. This is enough to confuse any database batch import (or even ODBC insert) process.

We'll look at actually rejecting logs completely if it looks like the date format is wrong - probably in v2.2.1 - in fact several additional checks are being added:
  • The date of the first row MUST be later than the date stamp in the csv filename
  • The day/month should not appear to reverse from one row to another

Tuesday, 2 October 2007

extraxi Software On Linux

We know some organisations try to run Windows apps on Linux using emulators such as Wine.

To our knowledge aaa-reports! has not been tried.
csvsplit should work no problem as its a command line program.
csvsync v1.0 was known to work, but v2.0 changed winsock libraries which revealed a bug in (the then current version of) Wine.

At present we have no plans to officially test or support this. However, if you tried it please let us know!

Monday, 1 October 2007

System Locale Issues

If you're in the USA... you can skip this item ;)

For everyone else, particularly those in Europe its important to note that some locales do not use the comma as the seperator inside a CSV file. OK, this is a bit wacky as the C in CSV stands for Comma, but there you go!

CSVs produced by Cisco Secure ACS are hard coded to use comma's. aaa-reports! uses ODBC to import logs and this uses the system locale to know how they are delimetered.. hence the problem.

If your locale setting says the delimeter is a semi-colon ODBC will complain when it sees comma's. The workaround is to set your locale to USA or other county that uses the comma.

We are actively looking for a better solution and hope to fix this issue in aaa-reports! v2.2.1

Friday, 14 September 2007

Getting More Data Into aaa-reports!

Sooner or later the aaa-reports! database will fill up. If you have automation, old data will automagically be purged to make space for new logs resulting in a "reporting window" whose size depends on the amount of data imported every day. The more you import the smaller the window.

To make the window as large as possible there are some tricks you can try:

  • Filter out junk data. In many TACACS+ Admin logs up to 90% of rows can be full of scripted commands from (amongst others) CiscoWorks. By setting up a pre-filter (Options/Import Options/Pre-Filter) you can filter out rows containing strings such as "Scripts", "ping" or "show". This can drastically increase the reporting window as matching rows are simply discarded during import.
  • Use Multi-DB (new in v2.2). Depending on your deployment it may be possible to split your data and import each dataset into its own aaa-reports! backend database (or multi-db). For example, you have 2 ACS servers - one handling VPN and the other Device Admin. This is a prime candiate for 2 multi-dbs. Multi-Db can be enabled via the Options page.

The next major release, aaa-reports! enterprise edition, will feature an entirely new backend database engine with approximately 32GB of storage. Combined with Multi-DB and that's a HUGE potential.

Wednesday, 5 September 2007

aaa-reports! and VMWare

We get asked this all the time... "Does aaa-reports! work inside a VM?"

Yes it does!

Saturday, 1 September 2007

A Collection of Useful Docs

All of these should have links on extraxi.com but just in case, here's a list of links to various docs:

aaa-reports! automation tutorial - all about the automation module and how to use it.
aaa-reports! deployment guide - the do's and dont's about installing aaa-reports!
aaa-reports! tacacs+ device admin white paper - reporting for device admin
aaa-reports! sales justification - what extraxi s/w can do and why you should buy it!
aaa-reports! datasheet - spec sheet