https://community.cisco.com/t5/network-access-control/tacacs-and-syslog-server/m-p/583070#M427244 <HTML><HEAD></HEAD><BODY><P>Hi Nathan</P><P></P><P>As usual its "horses for courses". If you are using a AAA server (such as ACS) to secure access to your routers - then the best practice is to log both session and command accounting to AAA also.</P><P></P><P>In that way the ACS server will be logging both succesful and failed login/command authorisation attempts AND the session/command accounting.</P><P></P><P>All this gets logged to standard CSV files for off-line processing in Excel or rather better... something like extraxi aaa-reports!</P><P></P><P>syslog, on the other hand, is a fire and forget, non standard and somewhat arcane method of logging. Being UDP its "fire and forget" and therefore not as reliable as TACACS+</P><P></P><P>SOX now effects most large co's and access to network infrastructure (&amp; hence audit of) is becoming vital.</P><P></P><P>Darran</P></BODY></HTML> Thu, 11 May 2006 20:23:40 GMT darpotter 2006-05-11T20:23:40Z https://community.cisco.com/t5/network-access-control/tacacs-and-syslog-server/m-p/583069#M427242 <P>Hi,</P><P>I was wondering about logging and aaa accounting.</P><P></P><P>I notice some networks will have a syslog server and a tacacs+ server with aaa accounting. Is it best practices on a security perspective to configure a router to use a syslog server and a tacacs+ server using aaa accounting?</P><P></P><P></P> Sun, 10 Mar 2019 21:34:58 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-syslog-server/m-p/583069#M427242 nathan 2019-03-10T21:34:58Z https://community.cisco.com/t5/network-access-control/tacacs-and-syslog-server/m-p/583070#M427244 <HTML><HEAD></HEAD><BODY><P>Hi Nathan</P><P></P><P>As usual its "horses for courses". If you are using a AAA server (such as ACS) to secure access to your routers - then the best practice is to log both session and command accounting to AAA also.</P><P></P><P>In that way the ACS server will be logging both succesful and failed login/command authorisation attempts AND the session/command accounting.</P><P></P><P>All this gets logged to standard CSV files for off-line processing in Excel or rather better... something like extraxi aaa-reports!</P><P></P><P>syslog, on the other hand, is a fire and forget, non standard and somewhat arcane method of logging. Being UDP its "fire and forget" and therefore not as reliable as TACACS+</P><P></P><P>SOX now effects most large co's and access to network infrastructure (&amp; hence audit of) is becoming vital.</P><P></P><P>Darran</P></BODY></HTML> Thu, 11 May 2006 20:23:40 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-syslog-server/m-p/583070#M427244 darpotter 2006-05-11T20:23:40Z