ACS 4.1 for Windows, command accounting.

Unanswered Question
darpotter Mon, 01/19/2009 - 07:14
User Badges:
  • Silver, 250 points or more

If you look in the ACS Admin under Logging do you have T+ Admin csv logging enabled? Should be on by default but you never know.


So long as the accounting packet has a "cmd" attribute ACS will direct the log entry to the T+ Admin csv rather than the T+ Accounting.


Maybe worth checking the packet.


Is the CSLog service running ok - are other CSVs getting written to?

TACACS+ Administration logginig is enabled.

This is the service log with the cmd attribute.


TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1

TCS 19/01/2009 09:20:16 I 0043 1196 SESSIONID -424833774 (0xe6ad8d12), DATALEN 130 (0x82)

TCS 19/01/2009 09:20:16 I 0043 1196 ACCT, flags=0x4 method=6 priv_lvl=15

TCS 19/01/2009 09:20:16 I 0043 1196 type=1 svc=1

TCS 19/01/2009 09:20:16 I 0043 1196 user_len=7 port_len=4 rem_addr_len=10

TCS 19/01/2009 09:20:16 I 0043 1196 arg_cnt=6

TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi

TCS 19/01/2009 09:20:16 I 0043 1196 PORT=tty1

TCS 19/01/2009 09:20:16 I 0043 1196 REM_ADDR=10.4.42.63

TCS 19/01/2009 09:20:16 I 0043 1196 arg[0](size=12)=task_id=2598

TCS 19/01/2009 09:20:16 I 0043 1196 arg[1](size=21)=start_time=1232353216

TCS 19/01/2009 09:20:16 I 0043 1196 arg[2](size=12)=timezone=MET

TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell

TCS 19/01/2009 09:20:16 I 0043 1196 arg[4](size=11)=priv-lvl=15

TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor

TCS 19/01/2009 09:20:16 I 0043 1196 END >>>

TCS 19/01/2009 09:20:16 I 0688 701436 Single Connect thread 1 allocated work

TCS 19/01/2009 09:20:16 I 0043 701436 <<< PACKET TO CLIENT:sw-core11 TYPE:ACCT, SEQ 2, FLAGS 1

TCS 19/01/2009 09:20:16 I 0043 701436 SESSIONID -424833774 (0xe6ad8d12), DATALEN 5 (0x5)

TCS 19/01/2009 09:20:16 I 0043 701436 ACCT/REPLY status=1

TCS 19/01/2009 09:20:16 I 0043 701436 msg_len=0 data_len=0

TCS 19/01/2009 09:20:16 I 0043 701436 End >>>


All logs seems to be ok!


Thanks for your help.

Andrea

darpotter Mon, 01/19/2009 - 12:44
User Badges:
  • Silver, 250 points or more

OK, whats in the CSLog service log for the same period?


If there is no error there Im at a loss to explain it since ACS CSV logging is rock solid.

darpotter Tue, 01/20/2009 - 03:04
User Badges:
  • Silver, 250 points or more

The cslog trace actually looks kind of normal. The cmd accounting packet was offered to the T+ accounting log target which filtered it.


If it had been the T+ Admin logger issuing the message that *would* have been a problem!


Lets hope your patch does indeed work :)

Actions

This Discussion