TACACS log ID field mappings

Dearest ACS community

We are trying to understand the log file produced by ACS as we try to audit when/if/by whom certain changes were made to our environment.

Our log file (from a raw syslog server) contains the following headers:

ID | ACS_Timestamp | ACSView_Timestamp | ACS_Server | Message_Code | ACS_Session_ID | Access_Service | User_Name | Acct_Session_Id | Remote_Address | Acct_Request_Flags | Authen_Method | Service_Type | Service | Network_Device_Name | Port | Network_Device_Groups | Device_IP_Address | Privilege_Level | Cmd_Set | Server_Msg | Service_Argument | AV_Pair | Execution_Steps | Response_Time | Response | Started | Stopped | Diagnostic_Report_Link | Details_Link | More Details | SessionKey | TOTAL_COLUMN_0 | TOTAL_COLUMN_1

And we are trying to understand the field ID in the first column. Does that represent the SEQ number placed on the syslog message sent by the router when the command was entered, or does it represent something else local to the server? Basically, we are trying to determine the order commands are being entered in a router from the perspective of ACS. The ID field looks like it’s stamped on the log message as it’s entered into the CLI locally on the router. Since syslog is UDP based, if you go off when it was received by the server, you could have delay and out-of-order packets misconvey the order the commands were actually entered into the router CLI.

I've added a 'redacted' form of this to protect confidentiality:

ID | ACS_Timestamp | ACSView_Timestamp | ACS_Server | Message_Code | ACS_Session_ID | Access_Service | User_Name | Acct_Session_Id | Remote_Address | Acct_Request_Flags | Authen_Method | Service_Type | Service | Network_Device_Name | Port | Network_Device_Groups | Device_IP_Address | Privilege_Level | Cmd_Set | Server_Msg | Service_Argument | AV_Pair | Execution_Steps | Response_Time | Response | Started | Stopped | Diagnostic_Report_Link | Details_Link | More Details | SessionKey | TOTAL_COLUMN_0 | TOTAL_COLUMN_1
2,7901/27/2017 0:311/27/2017 0:313301//8241StartTacacsPlusAccountingLogintty388Device Type:All Device Types, Location:All Locations15shelltask_id=8241, timezone=PST, start_time=148549509613006
15008
15004
15012
22067
13035
0{Type=Accounting; AcctReply-Status=Success; }10TACACS DiagnosticsMore DetailsMore DetailsTRUEFALSE
Accepted Solutions
Cisco Employee

Hi Yousef,

Here is the answer from Engineering.

“Sequential number is ACS generated - it has nothing to do with device (router/switch) Syslog ID. And it is also true that Syslog messages based on UDP can arrive at the log collector not in original order. To make sure that order is preserved, the customer may want to employ Syslog over TCP.”

Thanks

Krishnan
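
One way to act on this answer during an audit, as an added example that is not part of the original thread: order the records by the ACS-generated ID instead of collector arrival time, then flag late arrivals and gaps. The sample records are constructed, and the code assumes the ID increases by one per logged record and that AV_Pair carries a device-reported start_time as in the row above.

```python
import re

# Constructed sample (not from the post): accounting records in the order a
# UDP syslog collector received them. ID uses the "2,790" style seen above.
RECEIVED = [
    {"ID": "2,790", "AV_Pair": "task_id=101, timezone=PST, start_time=1700000000"},
    {"ID": "2,792", "AV_Pair": "task_id=103, timezone=PST, start_time=1700000009"},
    {"ID": "2,791", "AV_Pair": "task_id=102, timezone=PST, start_time=1700000004"},
    {"ID": "2,795", "AV_Pair": "task_id=105, timezone=PST, start_time=1700000020"},
    {"ID": "2,794", "AV_Pair": "task_id=104, timezone=PST, start_time=1700000015"},
]

def acs_id(record):
    """ACS-generated sequence number as an int ("2,790" -> 2790)."""
    return int(record["ID"].replace(",", ""))

def av_pairs(record):
    """Split 'k=v, k=v' from the AV_Pair column into a dict."""
    return dict(re.findall(r"(\w+)=([^,\s]+)", record["AV_Pair"]))

def order_by_acs_id(records):
    """Order in which ACS numbered the records, independent of arrival order."""
    return sorted(records, key=acs_id)

def late_arrivals(records):
    """IDs that reached the collector after a higher ID (reordered in transit)."""
    highest, late = -1, []
    for rec in records:
        n = acs_id(rec)
        if n < highest:
            late.append(n)
        highest = max(highest, n)
    return late

def missing_ids(records):
    """IDs absent from the capture. Assumption: ACS adds one per record."""
    seen = {acs_id(r) for r in records}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def device_time_conflicts(records):
    """Adjacent ID pairs whose device-reported start_time runs backwards."""
    ordered = order_by_acs_id(records)
    times = [int(av_pairs(r)["start_time"]) for r in ordered]
    return [(acs_id(a), acs_id(b)) for a, b, ta, tb
            in zip(ordered, ordered[1:], times, times[1:]) if tb < ta]

if __name__ == "__main__":
    print([r["ID"] for r in order_by_acs_id(RECEIVED)])
    print("late:", late_arrivals(RECEIVED), "missing:", missing_ids(RECEIVED))
```

A non-empty `missing_ids` result means the capture is incomplete for that range (for example a dropped UDP datagram or a filtered export), so the reconstructed order should not be treated as a full audit trail there.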
