cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3204
Views
15
Helpful
6
Replies
Participant

TACACS accounting log

Hi,

           

I configured our switches and routers to send the accounting records to the ACS. We like this as you can see who made what changes to the device but, the ACS server is only keeping the records for one day. Where can I change the setting to increase this? I would like it to go back a year if possible.

Also, is the ACS server the right device to be holding this info?

Thank you.

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

TACACS accounting log

Patrick,

just to be sure, we are talking about ACS 5.x?

If yes, you need to go to ACS View, and to go there you need to click on [Monitoring and Reports > Launch Monitoring & Report Viewer], after that you will be redirected to the ACS View (which is the same server or one from the distributed deployment). Next you should go to [Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup].

I hope that helps.

Thanks,

Pawel

View solution in original post

6 REPLIES 6
Cisco Employee

TACACS accounting log

Hi Patrick,

In the ACS View Reports (Monitoring & Reports >     Reports >     Catalog >     AAA Protocol) you can select the

radio button and by selecting 'Run' on the bottom run a specific query. Without that by default you will see only a report from one day.

For the 2nd question, yes the ACS View is designed to store that information, however if needed you can send the logs to an external syslog server or perfrom regular backups of the ACS View database.

Kind regards,

Pawel

Participant

TACACS accounting log

I did what you mentioned and changed the report to custom and put a year. It came back with a couple of days, that is when I configured accounting on the gear - so, that makes sense.

Is there a limit to how many records this will hold?

I would like to hold atleast a years worth. I don't think this log will be very bug as it is just config changes.

Thank you, Pat.

Highlighted
Cisco Employee

TACACS accounting log

I think that maximum is 365 (exactly what you need) and it is related to database purging which can be set to maximum value of 12 months (Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup).

If you would like to keep from a longer period, you should consider logging to an external syslog.

Thanks,

Pawel

Participant

TACACS accounting log

Pawel,

I can't find this?

(Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup).

Is there something before "Monitoring Configuration"?

Thank you.

Cisco Employee

TACACS accounting log

Patrick,

just to be sure, we are talking about ACS 5.x?

If yes, you need to go to ACS View, and to go there you need to click on [Monitoring and Reports > Launch Monitoring & Report Viewer], after that you will be redirected to the ACS View (which is the same server or one from the distributed deployment). Next you should go to [Monitoring Configuration >     System Operations >     Data Management >     Removal and Backup].

I hope that helps.

Thanks,

Pawel

View solution in original post

Re: TACACS accounting log

Hi,

 

 I am also facing the same issue. below are the challenges,

 

 there are around 30 devices are added in tacacs but we are not getting any tacacs accounting and authorization logs in report categorize. but we are getting tacacs authentications logs their.

Kindly suggest how to resolve it.

 

ACS is running on 5.8.0.32 VM