New Member

ACS 4.1 for Windows, command accounting.

ACS doesn't log the command into the csv file.

I have verified that the device sends the acct message; the TACACS service (in full log mode) reports the message, but there isn't an entry in the TACACS+ Admin csv.

Thanks.

Andrea

5 REPLIES
Silver

Re: ACS 4.1 for Windows, command accounting.

If you look in the ACS Admin under Logging do you have T+ Admin csv logging enabled? Should be on by default but you never know.

So long as the accounting packet has a "cmd" attribute ACS will direct the log entry to the T+ Admin csv rather than the T+ Accounting.

Maybe worth checking the packet.

Is the CSLog service running ok - are other CSVs getting written to?

New Member

Re: ACS 4.1 for Windows, command accounting.

TACACS+ Administration logging is enabled.

This is the service log with the cmd attribute.

TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1

TCS 19/01/2009 09:20:16 I 0043 1196 SESSIONID -424833774 (0xe6ad8d12), DATALEN 130 (0x82)

TCS 19/01/2009 09:20:16 I 0043 1196 ACCT, flags=0x4 method=6 priv_lvl=15

TCS 19/01/2009 09:20:16 I 0043 1196 type=1 svc=1

TCS 19/01/2009 09:20:16 I 0043 1196 user_len=7 port_len=4 rem_addr_len=10

TCS 19/01/2009 09:20:16 I 0043 1196 arg_cnt=6

TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi

TCS 19/01/2009 09:20:16 I 0043 1196 PORT=tty1

TCS 19/01/2009 09:20:16 I 0043 1196 REM_ADDR=10.4.42.63

TCS 19/01/2009 09:20:16 I 0043 1196 arg[0](size=12)=task_id=2598

TCS 19/01/2009 09:20:16 I 0043 1196 arg[1](size=21)=start_time=1232353216

TCS 19/01/2009 09:20:16 I 0043 1196 arg[2](size=12)=timezone=MET

TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell

TCS 19/01/2009 09:20:16 I 0043 1196 arg[4](size=11)=priv-lvl=15

TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor

TCS 19/01/2009 09:20:16 I 0043 1196 END >>>

TCS 19/01/2009 09:20:16 I 0688 701436 Single Connect thread 1 allocated work

TCS 19/01/2009 09:20:16 I 0043 701436 <<< PACKET TO CLIENT:sw-core11 TYPE:ACCT, SEQ 2, FLAGS 1

TCS 19/01/2009 09:20:16 I 0043 701436 SESSIONID -424833774 (0xe6ad8d12), DATALEN 5 (0x5)

TCS 19/01/2009 09:20:16 I 0043 701436 ACCT/REPLY status=1

TCS 19/01/2009 09:20:16 I 0043 701436 msg_len=0 data_len=0

TCS 19/01/2009 09:20:16 I 0043 701436 End >>>

All logs seem to be ok!

Thanks for your help.

Andrea

Silver

Re: ACS 4.1 for Windows, command accounting.

OK, what's in the CSLog service log for the same period?

If there is no error there I'm at a loss to explain it since ACS CSV logging is rock solid.

New Member

Re: ACS 4.1 for Windows, command accounting.

From CSLog, only two entries.

CSLog 19/01/2009 09:20:16 U 5111 701584 Handling message at 0x038D2FF8 (454 bytes)

CSLog 19/01/2009 09:20:16 A 0000 702464 Logger CSV TACACS+ Accounting: filter denies logging

I'm going to apply a patch for bug CSCsg97429.

Regards.

Silver

Re: ACS 4.1 for Windows, command accounting.

The cslog trace actually looks kind of normal. The cmd accounting packet was offered to the T+ accounting log target which filtered it.

If it had been the T+ Admin logger issuing the message that *would* have been a problem!

Let's hope your patch does indeed work :)
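
The routing rule given in the replies (an accounting packet carrying a "cmd" attribute belongs in the TACACS+ Administration CSV, anything else in TACACS+ Accounting), applied to the service log format posted in this thread. This is an added example, not part of the original thread and not Cisco tooling; the function names are hypothetical and the second sample packet is constructed.

```python
import re

LINE = re.compile(r"^TCS (\S+ \S+) \w \d+ (\d+) (.*)$")   # time, thread id, body
START = re.compile(r"^<<< RECEIVED FROM CLIENT:(\S+) TYPE=(\w+),")
ARG = re.compile(r"^arg\[\d+\]\(size=\d+\)=([^=]+)=(.*)$")

# First packet: lines from the service log in the thread. Second: constructed.
SAMPLE = """\
TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1
TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi
TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell
TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor
TCS 19/01/2009 09:20:16 I 0043 1196 END >>>
TCS 19/01/2009 09:25:40 I 0043 1200 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1
TCS 19/01/2009 09:25:40 I 0043 1200 USER=ameconi
TCS 19/01/2009 09:25:40 I 0043 1200 arg[0](size=13)=service=shell
TCS 19/01/2009 09:25:40 I 0043 1200 END >>>
"""

def parse_received(log_text):
    """Rebuild packets received from clients; lines are grouped by thread id."""
    open_pkts, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, thread, body = m.groups()
        start = START.match(body)
        if start:
            open_pkts[thread] = {"time": when, "client": start.group(1),
                                 "type": start.group(2), "user": None, "args": {}}
            continue
        pkt = open_pkts.get(thread)
        if pkt is None:
            continue                      # reply packets and other service chatter
        arg = ARG.match(body)
        if arg:
            pkt["args"][arg.group(1)] = arg.group(2)
        elif body.startswith("USER="):
            pkt["user"] = body[5:]
        elif body.startswith("END >>>"):
            done.append(open_pkts.pop(thread))
    return done

def expected_csv(pkt):
    """CSV the thread says should receive the record; None for non-accounting packets."""
    if pkt["type"] != "ACCT":
        return None
    return "TACACS+ Administration" if "cmd" in pkt["args"] else "TACACS+ Accounting"

if __name__ == "__main__":
    for p in parse_received(SAMPLE):
        print(p["time"], p["client"], p["user"], p["args"].get("cmd"), "->", expected_csv(p))
```

Comparing the packets this flags for TACACS+ Administration against the rows actually present in that CSV for the same period shows which command records went missing.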
