cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5206
Views
15
Helpful
6
Replies

TACACS accounting log

Patrick McHenry
Level 4
Level 4

Hi,

           

I configured our switches and routers to send the accounting records to the ACS. We like this as you can see who made what changes to the device but, the ACS server is only keeping the records for one day. Where can I change the setting to increase this? I would like it to go back a year if possible.

Also, is the ACS server the right device to be holding this info?

Thank you.

1 Accepted Solution

Accepted Solutions

Patrick,

just to be sure, we are talking about ACS 5.x?

If yes, you need to go to ACS View, and to go there you need to click on [Monitoring and Reports > Launch Monitoring & Report Viewer], after that you will be redirected to the ACS View (which is the same server or one from the distributed deployment). Next you should go to [Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup].

I hope that helps.

Thanks,

Pawel

View solution in original post

6 Replies 6

Pawel Cecot
Cisco Employee
Cisco Employee

Hi Patrick,

In the ACS View Reports (Monitoring & Reports >     Reports >     Catalog >     AAA Protocol) you can select the

radio button and by selecting 'Run' on the bottom run a specific query. Without that by default you will see only a report from one day.

For the 2nd question, yes the ACS View is designed to store that information, however if needed you can send the logs to an external syslog server or perfrom regular backups of the ACS View database.

Kind regards,

Pawel

I did what you mentioned and changed the report to custom and put a year. It came back with a couple of days, that is when I configured accounting on the gear - so, that makes sense.

Is there a limit to how many records this will hold?

I would like to hold atleast a years worth. I don't think this log will be very bug as it is just config changes.

Thank you, Pat.

I think that maximum is 365 (exactly what you need) and it is related to database purging which can be set to maximum value of 12 months (Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup).

If you would like to keep from a longer period, you should consider logging to an external syslog.

Thanks,

Pawel

Pawel,

I can't find this?

(Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup).

Is there something before "Monitoring Configuration"?

Thank you.

Patrick,

just to be sure, we are talking about ACS 5.x?

If yes, you need to go to ACS View, and to go there you need to click on [Monitoring and Reports > Launch Monitoring & Report Viewer], after that you will be redirected to the ACS View (which is the same server or one from the distributed deployment). Next you should go to [Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup].

I hope that helps.

Thanks,

Pawel

Hi,

 

 I am also facing the same issue. below are the challenges,

 

 there are around 30 devices are added in tacacs but we are not getting any tacacs accounting and authorization logs in report categorize. but we are getting tacacs authentications logs their.

Kindly suggest how to resolve it.

 

ACS is running on 5.8.0.32 VM