ACS 5.x not collecting ACE accounting log

lorddroon
Level 1

Anyone having this issue? ACE is configured to point accounting to ACS servers, but ACS servers are not seeing all the accounting logs. I can only see accounting logs from ACE for watchdog, start and stop.

Nicolas Darchis
Cisco Employee

The question is: is ACE sending accounting for what you want? And is ACS receiving/displaying it?

I would suggest first analyzing whether the ACE is sending accounting packets for the situations you want (which is not clear to me). A sniffer trace is a good way to do that.

A little background. I'm currently planning a TACACS endpoint migration from ACS 3.x to ACS 5.x. Currently, ACE is sending out accounting messages (with all commands entered by the user during a session) back to the ACS 3.x system (I see them in the ACS 3.x logs). When I test the same ACE device on ACS 5.x, no accounting messages (all commands entered by the user during a session) are showing up in the ACS 3.x logs. I'm certain that ACE is configured to send all accounting logs to ACS, as I only repointed it to the new ACS IP addresses (both ACS have the same TACACS keys).

Just looked into the syslog message structure that is being sent from the ACE I'm currently testing and noticed the following differences in the accounting messages sent by different ACE software versions.

ACE software A1(6.1), accounting messages show the following (currently not seeing user command messages in ACS):

Thu Aug 25 08:08:17 2011:start:/dev/pts/1_1314259697:testuser1:

Thu Aug 25 08:08:18 2011:update:/dev/pts/1_1314259697:testuser1:0:changeto vlbdcmc10

Thu Aug 25 08:08:35 2011:stop:/dev/pts/1_1314259697:testuser1:shell terminated

Thu Aug 25 08:09:40 2011:start:/dev/pts/1_1314259780:testuser1:

Thu Aug 25 08:09:42 2011:update:/dev/pts/1_1314259780:testuser1:0:show version

Thu Aug 25 08:09:43 2011:update:/dev/pts/1_1314259780:testuser1:0:show hardware

Thu Aug 25 08:09:45 2011:start:/dev/pts/3_1314259785:testuser1:

ACE software A2(1.6a) or A2(1.5a), accounting messages show the following (seeing user command messages in ACS 3.x):

Tue Aug 23 04:01:51 2011:start:/dev/pts/3_1314072111:testuser:

Tue Aug 23 04:01:53 2011:stop:/dev/pts/3_1314072111:testuser:0:changeto vlbdcmc18

Tue Aug 23 04:02:10 2011:stop:/dev/pts/3_1314072111:testuser:shell terminated

Tue Aug 23 04:32:29 2011:start:/dev/pts/3_1314073949:testuser:

Tue Aug 23 04:32:30 2011:stop:/dev/pts/3_1314073949:testuser:0:show version

Tue Aug 23 04:32:31 2011:stop:/dev/pts/3_1314073949:testuser:0:show arp

Tue Aug 23 04:32:33 2011:stop:/dev/pts/3_1314073949:testuser:0:show interface

Tue Aug 23 04:32:35 2011:stop:/dev/pts/3_1314073949:testuser:shell terminated
Tue Aug 23 04:01:51 2011:start:/dev/pts/3_1314072111:testuser:

The older ACE version sends user commands via the update accounting log message category, while the new versions send them via the stop accounting log message category.

Also, under ACS 5.x - log message catalog, I only see the following TACACS+ accounting message categories listed (notice there are no update category messages):

Code  Severity  Message Text                 Description
3300  NOTICE    Accounting with Command      Received TACACS+ request containing command
3301  NOTICE    Accounting START             Received a TACACS+ START request
3302  NOTICE    Accounting STOP              Received a TACACS+ STOP request
3303  NOTICE    Accounting WATCHDOG          Received a TACACS+ WATCHDOG request
3304  NOTICE    Accounting request rejected  Received a TACACS+ request but been rejected

My questions are:

1) Which is the correct accounting category ACE should be sending user commands?

2) If update is the correct way, is ACS 5.x able to recognize and record accounting update messages from ACE?
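
Added example, not part of the original thread and not Cisco code: a small Python parser for the ACE accounting lines quoted in the post above, reporting which record type carries the user commands and rebuilding the per-session command trail. The field layout is inferred from those samples only (an assumption), and all function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Layout inferred from the samples in the thread (an assumption, not a Cisco spec):
# <timestamp>:<type>:<tty>_<session id>:<user>:[<status>:<command> | <reason>]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}):"
    r"(?P<type>start|update|stop):"
    r"(?P<tty>[^:]+)_(?P<session>\d+):"
    r"(?P<user>[^:]*):(?P<rest>.*)$"
)
CMD_RE = re.compile(r"^(?P<status>\d+):(?P<command>.+)$")

def parse_line(line):
    """Return a dict for one accounting line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    cmd = CMD_RE.match(rec.pop("rest"))  # "0:show version" vs "shell terminated"
    rec["command"] = cmd.group("command") if cmd else None
    return rec

def command_carriers(lines):
    """Count which record type (start/update/stop) carries user commands."""
    recs = filter(None, map(parse_line, lines))
    return Counter(r["type"] for r in recs if r["command"])

def commands_per_session(lines):
    """Rebuild the command trail for each session id."""
    trail = defaultdict(list)
    for r in filter(None, map(parse_line, lines)):
        if r["command"]:
            trail[r["session"]].append(r["command"])
    return dict(trail)

# Excerpts copied from the two samples quoted in the thread.
A1_SAMPLE = """Thu Aug 25 08:09:40 2011:start:/dev/pts/1_1314259780:testuser1:
Thu Aug 25 08:09:42 2011:update:/dev/pts/1_1314259780:testuser1:0:show version
Thu Aug 25 08:09:43 2011:update:/dev/pts/1_1314259780:testuser1:0:show hardware
Thu Aug 25 08:08:35 2011:stop:/dev/pts/1_1314259697:testuser1:shell terminated""".splitlines()
A2_SAMPLE = """Tue Aug 23 04:32:29 2011:start:/dev/pts/3_1314073949:testuser:
Tue Aug 23 04:32:30 2011:stop:/dev/pts/3_1314073949:testuser:0:show version
Tue Aug 23 04:32:31 2011:stop:/dev/pts/3_1314073949:testuser:0:show arp
Tue Aug 23 04:32:35 2011:stop:/dev/pts/3_1314073949:testuser:shell terminated""".splitlines()

if __name__ == "__main__":
    for name, sample in (("A1(6.1)", A1_SAMPLE), ("A2(1.x)", A2_SAMPLE)):
        print(name, dict(command_carriers(sample)), commands_per_session(sample))
```

Comparing the per-session trail from the device with what the accounting server recorded shows which commands never reached the audit log.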

Do I understand correctly that you are saying that ACS doesn't display the SYSLOG messages sent by the ACE?

Because you mentioned accounting, I thought you meant RADIUS accounting ...

The ACS only supports a very precise subset of syslog messages, so if the ACE changed the syslog, that's probably the problem.

No, not syslog messages. TACACS+ accounting messages, which should be recorded by ACS. They are sent via the TACACS+ protocol, not syslog.