01-19-2009 06:32 AM - edited 03-10-2019 04:17 PM
ACS doesn't log the command into the csv file.
I have verified that device sends the acct message, the tacacs service (in full log mode) reports the message but there isn't an entry into the csv TACACS+ Admin.
Thanks.
Andrea
01-19-2009 07:14 AM
If you look in the ACS Admin under Logging do you have T+ Admin csv logging enabled? Should be on by default but you never know.
So long as the accounting packet has a "cmd" attribute ACS will direct the log entry to the T+ Admin csv rather than the T+ Accounting.
Maybe worth checking the packet.
Is the CSLog service running ok - are other CSVs getting written to?
01-19-2009 07:32 AM
TACACS+ Administration logginig is enabled.
This is the service log with the cmd attribute.
TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1
TCS 19/01/2009 09:20:16 I 0043 1196 SESSIONID -424833774 (0xe6ad8d12), DATALEN 130 (0x82)
TCS 19/01/2009 09:20:16 I 0043 1196 ACCT, flags=0x4 method=6 priv_lvl=15
TCS 19/01/2009 09:20:16 I 0043 1196 type=1 svc=1
TCS 19/01/2009 09:20:16 I 0043 1196 user_len=7 port_len=4 rem_addr_len=10
TCS 19/01/2009 09:20:16 I 0043 1196 arg_cnt=6
TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi
TCS 19/01/2009 09:20:16 I 0043 1196 PORT=tty1
TCS 19/01/2009 09:20:16 I 0043 1196 REM_ADDR=10.4.42.63
TCS 19/01/2009 09:20:16 I 0043 1196 arg[0](size=12)=task_id=2598
TCS 19/01/2009 09:20:16 I 0043 1196 arg[1](size=21)=start_time=1232353216
TCS 19/01/2009 09:20:16 I 0043 1196 arg[2](size=12)=timezone=MET
TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell
TCS 19/01/2009 09:20:16 I 0043 1196 arg[4](size=11)=priv-lvl=15
TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor
TCS 19/01/2009 09:20:16 I 0043 1196 END >>>
TCS 19/01/2009 09:20:16 I 0688 701436 Single Connect thread 1 allocated work
TCS 19/01/2009 09:20:16 I 0043 701436 <<< PACKET TO CLIENT:sw-core11 TYPE:ACCT, SEQ 2, FLAGS 1
TCS 19/01/2009 09:20:16 I 0043 701436 SESSIONID -424833774 (0xe6ad8d12), DATALEN 5 (0x5)
TCS 19/01/2009 09:20:16 I 0043 701436 ACCT/REPLY status=1
TCS 19/01/2009 09:20:16 I 0043 701436 msg_len=0 data_len=0
TCS 19/01/2009 09:20:16 I 0043 701436 End >>>
All logs seems to be ok!
Thanks for your help.
Andrea
01-19-2009 12:44 PM
OK, whats in the CSLog service log for the same period?
If there is no error there Im at a loss to explain it since ACS CSV logging is rock solid.
01-19-2009 11:08 PM
From CSLog, only two entries.
CSLog 19/01/2009 09:20:16 U 5111 701584 Handling message at 0x038D2FF8 (454 bytes)
CSLog 19/01/2009 09:20:16 A 0000 702464 Logger CSV TACACS+ Accounting: filter denies logging
I'm going to apply a patch for bug CSCsg97429.
Regards.
01-20-2009 03:04 AM
The cslog trace actually looks kind of normal. The cmd accounting packet was offered to the T+ accounting log target which filtered it.
If it had been the T+ Admin logger issuing the message that *would* have been a problem!
Lets hope your patch does indeed work :)
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: