  • 1.  Output TACACS Accounting logs

    Posted Feb 22, 2019 04:17 PM

    I am able to export login details about TACACS, but I don't see a way to ship accounting details.

    I noticed there is a tacacs.command option in syslog export filters, but this only sends "shell exec" for devices, and not the actual accounting details. I don't see a specific section for accounting details in filters. Do I need to make a custom SQL query to get this data shipped? 




  • 2.  RE: Output TACACS Accounting logs
    Best Answer

    Posted Feb 26, 2019 12:10 PM

    I took the silence to mean it's not possible with predefined sets. It seems odd to me that Aruba wouldn't expect you to want to export your Accounting data.

    I managed to gather this data by using the following SQL query:

    SELECT Records.nas_ip AS host_ip,
        Records.user_name,
        Records.remote_address AS user_ip,
        Details.attr_value,
        Details.timestamp
    FROM tips_tacacs_accounting_details AS Details
    JOIN tips_tacacs_accounting_records AS Records 
    ON Details.session_id = Records.id 
    WHERE Details.attr_name = 'cmd'
        AND Records.timestamp >= --START-TIME--
        AND Records.timestamp <= --END-TIME--

    I would be interested in hearing if there are any other, better, ways to do this.
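
An added example, not part of the original post and not Aruba's code: the query from the answer above run against constructed SQLite tables, showing that it returns one row per accounted command and that the time window is applied to the record's timestamp. Table and column names come from the post; the column types, the sample rows, the bound `:start`/`:end` parameters standing in for the placeholders, the `ORDER BY`, and the key=value output line are assumptions.

```python
import sqlite3

# Query from the post. Assumptions for this offline run: the time placeholders
# become bound parameters and ORDER BY is added for stable output.
QUERY = """
SELECT Records.nas_ip AS host_ip,
       Records.user_name,
       Records.remote_address AS user_ip,
       Details.attr_value,
       Details.timestamp
FROM tips_tacacs_accounting_details AS Details
JOIN tips_tacacs_accounting_records AS Records
  ON Details.session_id = Records.id
WHERE Details.attr_name = 'cmd'
  AND Records.timestamp >= :start
  AND Records.timestamp <= :end
ORDER BY Details.timestamp
"""

def build_sample_db():
    """Constructed tables with only the columns the query references."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE tips_tacacs_accounting_records (
        id INTEGER PRIMARY KEY, nas_ip TEXT, user_name TEXT,
        remote_address TEXT, timestamp TEXT);
    CREATE TABLE tips_tacacs_accounting_details (
        session_id INTEGER, attr_name TEXT, attr_value TEXT, timestamp TEXT);
    """)
    db.executemany("INSERT INTO tips_tacacs_accounting_records VALUES (?,?,?,?,?)", [
        (1, "192.0.2.10", "alice", "198.51.100.5", "2019-02-26 10:00:00"),
        (2, "192.0.2.11", "bob", "198.51.100.6", "2019-02-26 13:00:00"),
    ])
    db.executemany("INSERT INTO tips_tacacs_accounting_details VALUES (?,?,?,?)", [
        (1, "service", "shell", "2019-02-26 10:00:01"),  # non-cmd attribute, filtered out
        (1, "cmd", "show running-config <cr>", "2019-02-26 10:00:01"),
        (1, "cmd", "configure terminal <cr>", "2019-02-26 10:00:09"),
        (2, "cmd", "reload <cr>", "2019-02-26 13:00:02"),
    ])
    return db

def commands_between(db, start, end):
    """Return one key=value line (constructed format) per accounted command."""
    rows = db.execute(QUERY, {"start": start, "end": end}).fetchall()
    return [f"{ts} host={host} user={user} src={src} cmd={cmd!r}"
            for host, user, src, cmd, ts in rows]

if __name__ == "__main__":
    for line in commands_between(build_sample_db(), "2019-02-26 09:00:00", "2019-02-26 12:00:00"):
        print(line)
```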