Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1672
Views
2
Helpful
1
Replies

TACACS log ID field mappings

Go to solution
yabbasi
Level 1
Level 1

‎02-03-2017 10:55 AM

Dearest ACS community

We are trying to understand the log file produced by ACS as we try to audit when/if/by whom certain changes were made to our environment.

Our log file (from a raw syslog server)  contains the following headers:

IDACS_TimestampACSView_TimestampACS_ServerMessage_CodeACS_Session_IDAccess_ServiceUser_NameAcct_Session_IdRemote_AddressAcct_Request_FlagsAuthen_MethodService_TypeServiceNetwork_Device_NamePortNetwork_Device_GroupsDevice_IP_AddressPrivilege_LevelCmd_SetServer_MsgService_ArgumentAV_PairExecution_StepsResponse_TimeResponseStartedStoppedDiagnostic_Report_LinkDetails_LinkMore DetailsSessionKeyTOTAL_COLUMN_0TOTAL_COLUMN_1

And we are trying to understand the field ID in the first column. Does that represent the SEQ number placed on the syslog message sent by the router when the command was entered or do it represent something else local to the server. Basically, we are trying to determine the order commands are being entered in a router from the perspective of ACS. The ID field looks like it’s stamped on the log message as it’s entered into the CLI locally on the router. Since syslog is UDP based if you go off when it was received by the server you could have delay and out of order packets misconvey the order the commands were actually entered into the router CLI.

I've added a 'redacted' form of this to protect confidentiality:

  

IDACS_TimestampACSView_TimestampACS_ServerMessage_CodeACS_Session_IDAccess_ServiceUser_NameAcct_Session_IdRemote_AddressAcct_Request_FlagsAuthen_MethodService_TypeServiceNetwork_Device_NamePortNetwork_Device_GroupsDevice_IP_AddressPrivilege_LevelCmd_SetServer_MsgService_ArgumentAV_PairExecution_StepsResponse_TimeResponseStartedStoppedDiagnostic_Report_LinkDetails_LinkMore DetailsSessionKeyTOTAL_COLUMN_0TOTAL_COLUMN_1
2,7901/27/2017 0:311/27/2017 0:313301//8241StartTacacsPlusAccountingLogintty388Device Type:All Device Types, Location:All Locations15shelltask_id=8241, timezone=PST, start_time=148549509613006
15008
15004
15012
22067
13035		0{Type=Accounting; AcctReply-Status=Success; }10TACACS DiagnosticsMore DetailsMore DetailsTRUEFALSE
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎02-07-2017 04:40 PM

Hi Yousef,

Here is the anwer from Engineering.

Sequential number is ACS generated  - it has nothing to do with device ( router/switch ) Syslog ID. And it is also true that Syslog messages based on UDP can arrive log collector not in original order. To make sure that order is preserved customer may want to employ Syslog over TCP. “

Thanks

Krishnan

View solution in original post

1 Reply 1

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎02-07-2017 04:40 PM

Hi Yousef,

Here is the anwer from Engineering.

Sequential number is ACS generated  - it has nothing to do with device ( router/switch ) Syslog ID. And it is also true that Syslog messages based on UDP can arrive log collector not in original order. To make sure that order is preserved customer may want to employ Syslog over TCP. “

Thanks

Krishnan

Customers Also Viewed These Support Documents