
ACS 4.1 for Windows, command accounting.

andrea.meconi
Level 2

ACS doesn't log the command into the csv file.

I have verified that the device sends the acct message, and the tacacs service (in full log mode) reports the message, but there isn't an entry in the csv TACACS+ Admin.

Thanks.

Andrea

5 Replies

darpotter
Level 5

If you look in the ACS Admin under Logging do you have T+ Admin csv logging enabled? Should be on by default but you never know.

So long as the accounting packet has a "cmd" attribute ACS will direct the log entry to the T+ Admin csv rather than the T+ Accounting.

Maybe worth checking the packet.

Is the CSLog service running ok - are other CSVs getting written to?

TACACS+ Administration logging is enabled.

This is the service log with the cmd attribute.

TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1

TCS 19/01/2009 09:20:16 I 0043 1196 SESSIONID -424833774 (0xe6ad8d12), DATALEN 130 (0x82)

TCS 19/01/2009 09:20:16 I 0043 1196 ACCT, flags=0x4 method=6 priv_lvl=15

TCS 19/01/2009 09:20:16 I 0043 1196 type=1 svc=1

TCS 19/01/2009 09:20:16 I 0043 1196 user_len=7 port_len=4 rem_addr_len=10

TCS 19/01/2009 09:20:16 I 0043 1196 arg_cnt=6

TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi

TCS 19/01/2009 09:20:16 I 0043 1196 PORT=tty1

TCS 19/01/2009 09:20:16 I 0043 1196 REM_ADDR=10.4.42.63

TCS 19/01/2009 09:20:16 I 0043 1196 arg[0](size=12)=task_id=2598

TCS 19/01/2009 09:20:16 I 0043 1196 arg[1](size=21)=start_time=1232353216

TCS 19/01/2009 09:20:16 I 0043 1196 arg[2](size=12)=timezone=MET

TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell

TCS 19/01/2009 09:20:16 I 0043 1196 arg[4](size=11)=priv-lvl=15

TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor

TCS 19/01/2009 09:20:16 I 0043 1196 END >>>

TCS 19/01/2009 09:20:16 I 0688 701436 Single Connect thread 1 allocated work

TCS 19/01/2009 09:20:16 I 0043 701436 <<< PACKET TO CLIENT:sw-core11 TYPE:ACCT, SEQ 2, FLAGS 1

TCS 19/01/2009 09:20:16 I 0043 701436 SESSIONID -424833774 (0xe6ad8d12), DATALEN 5 (0x5)

TCS 19/01/2009 09:20:16 I 0043 701436 ACCT/REPLY status=1

TCS 19/01/2009 09:20:16 I 0043 701436 msg_len=0 data_len=0

TCS 19/01/2009 09:20:16 I 0043 701436 End >>>

All logs seem to be ok!

Thanks for your help.

Andrea

OK, what's in the CSLog service log for the same period?

If there is no error there I'm at a loss to explain it since ACS CSV logging is rock solid.

From CSLog, only two entries.

CSLog 19/01/2009 09:20:16 U 5111 701584 Handling message at 0x038D2FF8 (454 bytes)

CSLog 19/01/2009 09:20:16 A 0000 702464 Logger CSV TACACS+ Accounting: filter denies logging

I'm going to apply a patch for bug CSCsg97429.

Regards.

The cslog trace actually looks kind of normal. The cmd accounting packet was offered to the T+ accounting log target which filtered it.

If it had been the T+ Admin logger issuing the message that *would* have been a problem!

Let's hope your patch does indeed work :)
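
Added example, not part of the original thread and not Cisco code: the triage discussed above, reassembling each received ACCT packet from the TCS service log, applying the rule that a "cmd" attribute routes the record to the T+ Admin csv, and reporting only "filter denies logging" entries issued by the logger that should have written the record. Function names are hypothetical; matching CSLog entries to packets by same-second timestamp and matching the Admin logger by the name prefix "TACACS+ Admin" are assumptions.

```python
import re

# Sample lines in the thread's log formats; the packet on thread 1200 (no cmd) is constructed.
TCS_LOG = """\
TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1
TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi
TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell
TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor
TCS 19/01/2009 09:20:16 I 0043 1196 END >>>
TCS 19/01/2009 09:21:02 I 0043 1200 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1
TCS 19/01/2009 09:21:02 I 0043 1200 USER=ameconi
TCS 19/01/2009 09:21:02 I 0043 1200 arg[0](size=13)=service=shell
TCS 19/01/2009 09:21:02 I 0043 1200 END >>>
"""
CSLOG = "CSLog 19/01/2009 09:20:16 A 0000 702464 Logger CSV TACACS+ Accounting: filter denies logging\n"

LINE = re.compile(r"^(?:TCS|CSLog) (\S+ \S+) \S \d+ (\d+) (.*)$")   # timestamp, thread id, message
ARG = re.compile(r"^arg\[\d+\]\(size=\d+\)=([^=]+)=(.*)$")          # attribute name, value
DENY = re.compile(r"^Logger CSV (.+): filter denies logging$")

def parse_acct(tcs_text):
    """Reassemble received ACCT packets, keyed by the worker thread id on each line."""
    open_pkts, done = {}, []
    for raw in tcs_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, tid, msg = m.groups()
        if msg.startswith("<<< RECEIVED FROM CLIENT:") and "TYPE=ACCT" in msg:
            open_pkts[tid] = {"time": ts, "args": {}}
        elif tid in open_pkts:
            pkt = open_pkts[tid]
            a = ARG.match(msg)
            if a:
                pkt["args"][a.group(1)] = a.group(2)
            elif msg.startswith("USER="):
                pkt["user"] = msg[5:]
            elif msg == "END >>>":
                # Rule stated in the thread: a cmd attribute sends the record to T+ Admin.
                pkt["target"] = "TACACS+ Admin" if "cmd" in pkt["args"] else "TACACS+ Accounting"
                done.append(open_pkts.pop(tid))
    return done

def denied_by_expected_logger(packets, cslog_text):
    """Packets whose expected CSV logger reported a filter denial in the same second."""
    hits = [(m.group(1), d.group(1)) for m in map(LINE.match, cslog_text.splitlines())
            if m and (d := DENY.match(m.group(3)))]
    return [p for p in packets
            if any(ts == p["time"] and name.startswith(p["target"]) for ts, name in hits)]
```

On the sample above, the Accounting logger's denial at 09:20:16 is not reported, because the packet received in that second carries cmd and is expected in T+ Admin.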
