Having an issue getting commands from say a cisco router to be exported to an IBM Qradar server. We get a syslog entry with the username remote address timestamps and a bunch of other stuff, but were missing.
The command typed
Device they actually logged into not their PC address.
I have tacacs.command set in the export filter, but not sure if that's really getting me what we want.
Router has the standard accounting profiles start stop, for 0, 1, and 15 priv levels.
We know the messages are getting there as they're timestamped when I do something like show run. Just dont see the actual command or device it was from.