[Updated] Custom Query to send TACACS Authorization commands executed on NAD’s to Syslog server

Requirement:

In some network environments it is critical to document every command executed on the network devices, together with the login details of the user who ran it (time, username, and so on).

Solution:

With the devices performing TACACS+ authentication and accounting against ClearPass, we can collect those commands from the ClearPass TACACS accounting records and send them to an external syslog server.



Configuration:


Log in to ClearPass Policy Manager, navigate to Administration » External Servers » Syslog Targets and create a new syslog server.

Then navigate to Administration » External Servers » Syslog Export Filters.

Enter the details for the new export filter and click Next.

Scroll down and paste the query into the box next to Custom SQL.

The query to use:

select a.session_id, a.nas_ip, b.attr_value as command_ran, b.timestamp, c.user_name, c.request_status
from tips_tacacs_accounting_records as a
join tips_tacacs_accounting_details as b on a.id = b.session_id
join tips_tacacs_session_log as c on a.session_id = c.user_session_id
where (b.attr_name = 'cmd' or b.attr_name = 'cmd-arg')
  AND (b.timestamp >= --START-TIME--)
  AND (b.timestamp <= --END-TIME--);
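To see what rows the export filter produces for one run, the query above can be exercised against a small SQLite stand-in for the three tables it joins. This is an added example, not ClearPass code: the table layouts are constructed from the column names the query references (the real ClearPass schema is not shown on this page), the rows are constructed, and the --START-TIME-- / --END-TIME-- tokens, which are assumed to be replaced by ClearPass with the time window of each export run, are bound here as query parameters instead.

```python
"""Run the page's custom export query against a SQLite stand-in for the ClearPass tables.

Added example; not ClearPass code. Table layouts and rows are constructed to match the
column names the query uses. Timestamps are stored as ISO text so they compare in order.
"""
import sqlite3

# The query exactly as the page gives it, joined onto one string.
PAGE_QUERY = (
    "select a.session_id, a.nas_ip, b.attr_value as command_ran, b.timestamp, "
    "c.user_name, c.request_status "
    "from tips_tacacs_accounting_records as a "
    "join tips_tacacs_accounting_details as b on a.id = b.session_id "
    "join tips_tacacs_session_log as c on a.session_id = c.user_session_id "
    "where (b.attr_name='cmd' or b.attr_name='cmd-arg') "
    "AND (b.timestamp >= --START-TIME--) AND (b.timestamp <= --END-TIME--);"
)

# Bind the export-window tokens as parameters (assumed: ClearPass substitutes them itself).
QUERY = PAGE_QUERY.replace("--START-TIME--", "?").replace("--END-TIME--", "?")


def build_sample_db():
    """Create the three tables with constructed rows for two TACACS+ sessions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table tips_tacacs_accounting_records (id integer, session_id text, nas_ip text);
        create table tips_tacacs_accounting_details (
            session_id integer, attr_name text, attr_value text, timestamp text);
        create table tips_tacacs_session_log (
            user_session_id text, user_name text, request_status text);
        """
    )
    conn.executemany(
        "insert into tips_tacacs_accounting_records values (?, ?, ?)",
        [(1, "T22f93752-30-5ec4694c", "10.23.194.21"),
         (2, "T22f93752-31-5ec46a1e", "10.23.194.22")],
    )
    conn.executemany(
        "insert into tips_tacacs_accounting_details values (?, ?, ?, ?)",
        [
            (1, "priv-lvl", "15", "2020-06-05 16:13:30"),       # not a command: filtered out
            (1, "cmd", "show running-config", "2020-06-05 16:13:30"),
            (2, "cmd", "configure", "2020-06-05 16:20:05"),
            (2, "cmd-arg", "terminal", "2020-06-05 16:20:05"),
            (2, "cmd", "write memory", "2020-06-05 17:05:00"),  # outside the first window below
        ],
    )
    conn.executemany(
        "insert into tips_tacacs_session_log values (?, ?, ?)",
        [("T22f93752-30-5ec4694c", "vikrams", "AUTHEN_STATUS_PASS"),
         ("T22f93752-31-5ec46a1e", "netops", "AUTHEN_STATUS_PASS")],
    )
    return conn


def export_window(conn, start, end):
    """Rows the export filter would emit for one run covering [start, end]."""
    return conn.execute(QUERY, (start, end)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in export_window(db, "2020-06-05 16:00:00", "2020-06-05 16:30:00"):
        print(row)
```

Each row that the query returns becomes one syslog message, so a command that ClearPass stores as separate cmd and cmd-arg attributes arrives as separate records, and a command accounted outside the run's window is picked up by a later run rather than dropped.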

Click Next and save.



Verification

Testing:

The syslog data received on the syslog server:

Record 1
  Date: 6/5/2020 04:13 PM IST
  Source Device: pub_cppm_krish
  Device: -
  Client: -
  Severity: Debug
  Facility: local1 (17)
  Category: -
  Message: Jun 05 2020 04:13:30.199 IST 10.23.194.51 LEEF:1.0|Aruba Networks|ClearPass|6.9.1.130252|3065|messageId=80-1-0 session_id=T22f93752-30-5ec4694c nas_ip=10.23.194.21 command_ran= show running-config user_name=vikrams request_status=AUTHEN_STATUS_PASS src=10.23.194.51 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Session Logs
  Type: Syslog

Record 2
  Date: 6/5/2020 04:13 PM IST
  Source Device: pub_cppm_krish
  Device: -
  Client: -
  Severity: Debug
  Facility: local1 (17)
  Category: -
  Message: Jun 05 2020 04:13:30.199 IST 10.23.194.51 LEEF:1.0|Aruba Networks|ClearPass|6.9.1.130252 | 3065|messageId=81-1-0 session_id=T22f93752-30-5ec4e94c nas_ip=10.23.194.21 command_ran= show running-configuser_name=vikrams request_status=AUTHEN_STATUS_PASS src=10.23.194.51 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Session Logs
  Type: Syslog
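Once the records land on the syslog server they still need to be parsed before anyone can search or alert on them. The following is an added example, not ClearPass or Airheads code, of a parser for the LEEF records shown above plus a simple review pass that flags configuration-changing commands and records that cannot be attributed to a user. The extension keys are the columns the page's query selects; the sample lines are constructed to match the page's output format; the list of state-changing command prefixes is an assumption. The third constructed line has no separator before user_name, the same run-together form visible in the page's second sample record, so its user cannot be recovered from the message.

```python
"""Parse ClearPass LEEF syslog records from the TACACS export filter and review them.

Added example, not ClearPass code. Sample lines are constructed to match the page's
output format; the CHANGE_PREFIXES list is an assumed classification for the example.
"""
import re
from collections import Counter

# Constructed sample lines: syslog timestamp, sending ClearPass IP, then the LEEF record.
SAMPLE_LINES = [
    "Jun 05 2020 04:13:30.199 IST 10.23.194.51 LEEF:1.0|Aruba Networks|ClearPass|6.9.1.130252|3065|"
    "messageId=80-1-0 session_id=T22f93752-30-5ec4694c nas_ip=10.23.194.21 "
    "command_ran= show running-config user_name=vikrams request_status=AUTHEN_STATUS_PASS "
    "src=10.23.194.51 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Session Logs",
    "Jun 05 2020 04:15:02.410 IST 10.23.194.51 LEEF:1.0|Aruba Networks|ClearPass|6.9.1.130252|3065|"
    "messageId=82-1-0 session_id=T22f93752-31-5ec46a1e nas_ip=10.23.194.21 "
    "command_ran= configure terminal user_name=vikrams request_status=AUTHEN_STATUS_PASS "
    "src=10.23.194.51 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Session Logs",
    # Edge case: no separator before user_name, so the user cannot be attributed.
    "Jun 05 2020 04:15:09.001 IST 10.23.194.51 LEEF:1.0|Aruba Networks|ClearPass|6.9.1.130252|3065|"
    "messageId=83-1-0 session_id=T22f93752-31-5ec46a1e nas_ip=10.23.194.21 "
    "command_ran= write memoryuser_name=vikrams request_status=AUTHEN_STATUS_PASS "
    "src=10.23.194.51 cat=Session Logs",
]

# Key=value pairs are space separated but values may contain spaces, so split only on
# whitespace that is immediately followed by another key and '='.
_PAIR_SPLIT = re.compile(r"\s+(?=[A-Za-z_][\w.-]*=)")

# Command prefixes treated as changing device state (assumed list for this example).
CHANGE_PREFIXES = ("configure", "write", "copy", "reload", "erase", "delete", "username", "crypto")


def parse_leef(line):
    """Return the syslog prefix, LEEF header and extension fields as a dict, or None."""
    idx = line.find("LEEF:")
    if idx < 0:
        return None
    received, _, sender = line[:idx].strip().rpartition(" ")
    parts = line[idx:].split("|", 5)  # LEEF:ver|vendor|product|version|eventID|extension
    if len(parts) < 6:
        return None
    leef, vendor, product, version, event_id, ext = (p.strip() for p in parts)
    fields = {}
    for token in _PAIR_SPLIT.split(ext):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return {"received": received, "sender": sender, "leef_version": leef.split(":", 1)[1],
            "vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "fields": fields}


def classify(command):
    """'change' for state-changing commands, 'read' for everything else."""
    return "change" if command.strip().lower().startswith(CHANGE_PREFIXES) else "read"


def review(lines):
    """Split records into attributable command events and problems needing follow-up."""
    events, problems = [], []
    for line in lines:
        rec = parse_leef(line)
        if rec is None:
            problems.append(("unparseable", line[:60]))
            continue
        f = rec["fields"]
        if not f.get("user_name") or not f.get("command_ran"):
            problems.append(("unattributed", f.get("session_id", "?")))
            continue
        events.append({"time": rec["received"], "user": f["user_name"], "nas_ip": f.get("nas_ip"),
                       "session": f.get("session_id"), "command": f["command_ran"],
                       "class": classify(f["command_ran"])})
    return events, problems


def change_counts(events):
    """Number of state-changing commands per user, for a quick periodic summary."""
    return Counter(e["user"] for e in events if e["class"] == "change")


if __name__ == "__main__":
    evs, probs = review(SAMPLE_LINES)
    for e in evs:
        print(f"{e['time']} {e['user']}@{e['nas_ip']} [{e['class']}] {e['command']}")
    for p in probs:
        print("PROBLEM:", p)
    print(change_counts(evs))
```

Records that fail attribution are reported rather than silently dropped, because the whole point of the export is to tie each command to a user; a gap in that chain is itself something to investigate.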

Version history: revision 2 of 2, last updated 06-30-2020 07:10 AM.