Showing results for 
Search instead for 
Did you mean: 

ISE TACACS Syslog attributes explanation

Cisco Employee
Cisco Employee

Greetings experts,

I am working with a customer where they are using ISE for TACACS (ISE 2.4) and sending TACACS Syslog to an external Syslog server. The customer would like to get some official doc or something from Cisco about these TACACS Syslog messages


DestinationIPAddress----------(This IP address is TACACS server, however, external Syslog server vendor interprets this field  differently)

Remote-Address------------(The IP of endpoint and tried to log in to a switch/routers for TACACS authentication)

Device IP Address----------(This IP is of NAD i.e TACACS client)


Raw log data sent by ISE TACACS

Description of what the data is

Confusion in Naming

Device IP Address = 192.168.x.x

The device being impacted, the device that sent the log in the first place, the destination of the logon/attack

DESTINATION HOST – need this clearly stated somewhere by Cisco

DestinationIPAddress = 10.1.x.x

The log forwarder, the “management station”, this is the ISE Server

Why is the word “Destination” used when this is the management station/ISE

Remote-Address = 192.168.x.x

The host from which the logon was attempted, the actual attacker

SOURCE HOST – the host where the logon came from, not a “remote address”


The difference how ISE looks remote-address is different what the customer Syslog server wanted to expect, hence we need some explanation on these parameters.

I found this link but this does not have an explanation




Any help on this would be much appreciated.

1 Reply 1

If you look at the RFCs related to TACACS you will actually find that the remote address is not a reliable field. For example, an F5 I worked with didn't send it.
"The rem_addr is a "best effort" description of the remote location from which the user has connected to the client. In many cases, the remote address will not be available or will be unreliable at best, but it may be useful when included."
"A printable US-ASCII string indicating the remote location from which the user has connected to the client. It is intended to hold a network address if the user is connected via a network, a caller ID is the user is connected via ISDN or a POTS, or any other remote location information that is available. This field is optional (since the information may not be available). The rem_addr_len indicates the length of the user field, in bytes."
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: