Showing results for 
Search instead for 
Did you mean: 

Cisco FTD - AAA (Accounting only) to extenral radius server


Recently, I am trying to migrate AAA accounting setting of cisco firewall from ASA to FTD. In old ASA, I have some commands like.

aaa accounting command PRIVILEGE 15 RADIUS

aaa accounting ssh console RADIUS

aaa accounting serial console RADIUS

aaa accounting enable console RADIUS

However it seems that the CLI is something different in FTD platform?


I also checked the managment access page to setup.



The radius server setting only allow authenication and authorization, but no accounting? I mean, if I login by cisco local account, how can I see login log from external server?

I see that the device login/logout log stored locally is what I needed, but there is no button to export it to external radius.


Or I should use syslog instead to radius accounting to monitor administrative action?



1 Reply 1

Cisco Employee
Cisco Employee

Streaming to Multiple Syslog Servers

You can stream audit log data to a maximum of five Syslog servers. However, if you have enabled TLS for secured audit log streaming, you can stream only to a single Syslog server.

Classic devices also maintain audit logs. To stream audit logs from Classic devices, see Stream Audit Logs from Classic Devices.

Step 1

Choose System > Configuration.

Step 2

Click Audit Log.

Step 3

Choose Enabled from the Send Audit Log to Syslog drop-down menu.

Step 4

The following fields are applicable only for audit logs sent to syslog:

Step 5

(Optional) To test whether the IP address of the syslog servers is valid, click Test Syslog Server.

The system sends the following packets to verify whether the Syslog server is reachable:

ICMP echo request

TCP SYN on 443 and 80 ports

ICMP time stamp query

TCP SYN on random ports


Step 6

Click Save.

Stream Audit Logs to an HTTP Server

When this feature is enabled, the appliance sends audit log records to an HTTP server in the following format:

Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action

Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending appliance or device name precedes the audit log message.

For example, if you specify a tag of FROMMC, a sample audit log message could appear as follows:

Mar 01 14:45:24 localhost [FROMMC] Dev-MC7000: admin@, Operations > Monitoring, Page View

To stream audit logs from Classic devices, use device platform settings: Stream Audit Logs from Classic Devices.

Before you begin

Make sure the device can communicate with the HTTP server. Optionally, secure the channel; see Audit Log Certificate.


Step 1

Choose System > Configuration.

Step 2

Click Audit Log.

Step 3

Optionally, in the Tag field, enter the tag name that you want to appear with the message. For example, if you want all audit log records to be preceded with FROMMC, enter FROMMC in the field.

Step 4

Choose Enabled from the Send Audit Log to HTTP Server drop-down list.

Step 5

In the URL to Post Audit field, designate the URL where you want to send the audit information. Enter a URL that corresponds to a Listener program that expects the HTTP POST variables as listed:









tag (if defined; see Step 3)


To allow encrypted posts, use an HTTPS URL. Sending audit information to an external URL may affect system performance.

Step 6

Click Save.


Please refer the below link for reference -


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers