02-03-2017 10:55 AM
Dearest ACS community
We are trying to understand the log file produced by ACS as we try to audit when/if/by whom certain changes were made to our environment.
Our log file (from a raw syslog server) contains the following headers:
ID | ACS_Timestamp | ACSView_Timestamp | ACS_Server | Message_Code | ACS_Session_ID | Access_Service | User_Name | Acct_Session_Id | Remote_Address | Acct_Request_Flags | Authen_Method | Service_Type | Service | Network_Device_Name | Port | Network_Device_Groups | Device_IP_Address | Privilege_Level | Cmd_Set | Server_Msg | Service_Argument | AV_Pair | Execution_Steps | Response_Time | Response | Started | Stopped | Diagnostic_Report_Link | Details_Link | More Details | SessionKey | TOTAL_COLUMN_0 | TOTAL_COLUMN_1 |
And we are trying to understand the field ID in the first column. Does that represent the SEQ number placed on the syslog message sent by the router when the command was entered, or does it represent something else local to the server? Basically, we are trying to determine the order commands are being entered in a router from the perspective of ACS. The ID field looks like it’s stamped on the log message as it’s entered into the CLI locally on the router. Since syslog is UDP-based, if you go off when it was received by the server, you could have delay and out-of-order packets misconvey the order the commands were actually entered into the router CLI.
I've added a 'redacted' form of this to protect confidentiality:
ID | ACS_Timestamp | ACSView_Timestamp | ACS_Server | Message_Code | ACS_Session_ID | Access_Service | User_Name | Acct_Session_Id | Remote_Address | Acct_Request_Flags | Authen_Method | Service_Type | Service | Network_Device_Name | Port | Network_Device_Groups | Device_IP_Address | Privilege_Level | Cmd_Set | Server_Msg | Service_Argument | AV_Pair | Execution_Steps | Response_Time | Response | Started | Stopped | Diagnostic_Report_Link | Details_Link | More Details | SessionKey | TOTAL_COLUMN_0 | TOTAL_COLUMN_1 |
2,790 | 1/27/2017 0:31 | 1/27/2017 0:31 | 3301 | // | 8241 | Start | TacacsPlus | Accounting | Login | tty388 | Device Type:All Device Types, Location:All Locations | 15 | shell | task_id=8241, timezone=PST, start_time=1485495096 | 13006 15008 15004 15012 22067 13035 | 0 | {Type=Accounting; AcctReply-Status=Success; } | 1 | 0 | TACACS Diagnostics | More Details | More Details | TRUE | FALSE |
02-07-2017 04:40 PM
Hi Yousef,
Here is the answer from Engineering.
“Sequential number is ACS generated - it has nothing to do with device (router/switch) Syslog ID. And it is also true that Syslog messages based on UDP can arrive at the log collector not in original order. To make sure that order is preserved, the customer may want to employ Syslog over TCP.”
Thanks
Krishnan
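An added example, not part of the original thread and not Cisco code: because the ID is assigned by ACS rather than by the router, this re-orders accounting records per device using the start_time value in the AV_Pair column and flags where the ACS ID order disagrees with it. It assumes start_time is the device-reported epoch carried in the TACACS+ accounting request; the device names and every row after the first are constructed.

```python
import re

# Constructed sample: (ID, Network_Device_Name, AV_Pair) columns from the export.
# The first row reuses the ID and AV_Pair values shown in the post; the device
# names and the remaining rows are made up for illustration.
SAMPLE = [
    ("2,790", "rtr-a", "task_id=8241, timezone=PST, start_time=1485495096"),
    ("2,791", "rtr-a", "task_id=8243, timezone=PST, start_time=1485495101"),
    ("2,792", "rtr-a", "task_id=8242, timezone=PST, start_time=1485495098"),
    ("2,793", "rtr-b", "task_id=117, timezone=PST, start_time=1485495090"),
    ("2,794", "rtr-a", "timezone=PST"),  # no start_time: cannot be ordered
]


def parse_av_pair(av):
    """Split 'k=v, k=v' into a dict; values stay strings."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)=([^,]*)", av)}


def device_order(records):
    """Order ACS IDs per device by device-reported start_time.

    Returns (ordered, inversions, unordered):
      ordered    - {device: [ACS IDs in device-clock order]}
      inversions - [(device, earlier_id, later_id)] where a record with a
                   lower ACS ID carries a later device timestamp
      unordered  - ACS IDs with no usable start_time
    """
    by_device, unordered = {}, []
    for acs_id, device, av in records:
        seq = int(acs_id.replace(",", ""))  # export shows IDs as "2,790"
        start = parse_av_pair(av).get("start_time", "")
        if not start.isdigit():
            unordered.append(seq)
            continue
        by_device.setdefault(device, []).append((int(start), seq))

    ordered, inversions = {}, []
    for device, rows in by_device.items():
        rows.sort()  # device clock first; ACS ID only breaks one-second ties
        ordered[device] = [seq for _, seq in rows]
        for prev, cur in zip(ordered[device], ordered[device][1:]):
            if cur < prev:
                inversions.append((device, prev, cur))
    return ordered, inversions, unordered


if __name__ == "__main__":
    print(device_order(SAMPLE))
```

start_time has one-second resolution, so records from the same device within the same second still fall back to ACS arrival order.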