Recording – Cisco 3.3 User Manual

Appendix G Internal Architecture

CSMon

G-6

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

build up a “picture” of expected response time on the system in question.
CSMon can therefore detect whether excess re-tries are required for each
authentication or if response times for a single authentication exceed a
percentage threshold over the average.

•

System resource consumption by Cisco Secure ACS—CSMon periodically
monitors and records the usage by Cisco Secure ACS of a small set of key
system resources and compares it against predetermined thresholds for
indications of atypical behavior. The parameters monitored include the
following:

–

Handle counts

–

Memory utilization

–

Processor utilization

–

Thread used

–

Failed log-on attempts

CSMon cooperates with CSAuth to keep track of user accounts being disabled by
exceeding their failed attempts count maximum. This feature is more oriented to
security and user support than to system viability. If configured, it provides
immediate warning of “brute force” attacks by alerting the administrator to a large
number of accounts becoming disabled. In addition, it helps support technicians
anticipate problems with individual users gaining access.

Recording

CSMon records exception events in logs that you can use to diagnose problems.

•

CSMon Log—Like the other Cisco Secure ACS services, CSMon maintains
a CSV log of its own for diagnostic recording and error logging. Because this
logging consumes relatively small amounts of resources, CSMon logging
cannot be disabled.

•

Windows Event Log—CSMon can log messages to the Windows Event Log.
Logging to the Windows Event Log is enabled by default but can be disabled.