Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2905
Views
5
Helpful
6
Replies

trace the user's Activity's to a log file on Cisco ISE

Go to solution
Ibrahim Jamil
Level 6
Level 6

‎04-02-2020 05:35 AM

Hi Guys

 

Hope all safe

I just enabled Accounting on my Devices , Routers , Switches , Firewall , WLC , APs


how can i trace the user's Activity's to a log file on Cisco ISE

 

 

Thanks

Ibrahim

 

#stayhome,StayConnected,staysafe

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-02-2020 06:31 AM

You can take a peek at the Tacacs+ live logs under: Operations->Tacacs->Live Logs OR you can generate a report by going here: Operations->Reports->Device Administration->TACACS Accounting. IMO the report is really nice because you can export to csv and it will show you several items including user, host, command, timestamp, and many more. HTH!

View solution in original post

6 Replies 6

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-02-2020 06:31 AM

You can take a peek at the Tacacs+ live logs under: Operations->Tacacs->Live Logs OR you can generate a report by going here: Operations->Reports->Device Administration->TACACS Accounting. IMO the report is really nice because you can export to csv and it will show you several items including user, host, command, timestamp, and many more. HTH!

Go to solution
Ibrahim Jamil
Level 6
Level 6
In response to Mike.Cifelli

‎04-02-2020 07:59 AM

thanks mike

0 Helpful

Go to solution
OaklandCounty_Mike
Level 1
Level 1
In response to Mike.Cifelli

‎10-26-2022 10:19 AM

Hey Mike,

Thanks for this response as well.  it got me to the location where i think this data is located, but i still have a question.

under TACACS Accounting, i can see login data, but i dont see a column for the actual commands used. Would that data be actually located under TACACS Command Accounting?  if so, i have 0 data there, would that also mean i dont have configuration in place to capture that data?

i am currenlty still using ISE 2.4 Patches: 2,6,11

Thanks in advance

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to OaklandCounty_Mike

‎10-26-2022 02:44 PM

There is no column in the TACACS Command Accounting report page because the commands will only be seen when you click on the Detail Report for the session. If you are not seeing sessions in that report, you likely do not have command accounting enabled on the network device for the relevant line and/or privilege level that is being assigned to the user session.

 

 

0 Helpful

Go to solution
OaklandCounty_Mike
Level 1
Level 1
In response to Greg Gibbs

‎10-27-2022 07:18 AM

Good morning Greg,

Thank you for your response.  where would i find the settings to enable/disable command accounting?

when i click on the detail reported of a given login session under TACACS Accounting, there are no details provided on what commands the user ran.  i assume as you mentioned, we dont have something enabled for this reporting feature.

Thank you,

Mike

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to OaklandCounty_Mike

‎10-27-2022 02:33 PM

That depends entirely on what type of device for which you're looking to turn on command accounting. There are some examples in the Cisco ISE Device Administration Prescriptive Deployment Guide. If the device is not covered there, you will need to look into the documentation for that device.

 

0 Helpful
Customers Also Viewed These Support Documents