Occasional Contributor II
Posts: 11
Registered: ‎06-14-2016

Tacacs command logging from devices to ClearPass to QRadar via export filter

Having an issue getting commands from, say, a Cisco router to be exported to an IBM QRadar server. We get a syslog entry with the username, remote address, timestamps and a bunch of other stuff, but we're missing:

The command typed

Device they actually logged into, not their PC address.

I have tacacs.command set in the export filter, but not sure if that's really getting me what we want.

Router has the standard accounting profiles, start stop, for 0, 1, and 15 priv levels.

We know the messages are getting there as they're timestamped when I do something like show run. Just don't see the actual command or device it was from.

MVP
Posts: 744
Registered: ‎04-13-2009

Re: Tacacs command logging from devices to syslog destination

Hi,

Are there any Aruba/HPE devices involved here?

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Occasional Contributor II
Posts: 11
Registered: ‎06-14-2016

Re: Tacacs command logging from devices to syslog destination

Yeah, sorry, ClearPass is what's receiving the logs; the export filters refuse to export the commands and device. Get everything else.

MVP
Posts: 744
Registered: ‎04-13-2009

Re: Tacacs command logging from devices to syslog destination

Hi,

Gotcha. I blogged about this as I had a very similar situation. Check it out here. </shameless plug> It should help in setting up an export filter so you can see the commands and details you need.

Cheers
James
