TACACS+ accounting overview

This accounting information is captured and made available for sending to remote accounting servers:

  • Exec Accounting: user login/logout events.

  • Command accounting: commands executed by users.

  • System accounting: remote accounting On/Off events.

  • CLI show commands.

  • Interactions on the non-CLI interfaces: REST and WebUI.

The following is not captured or made available as accounting information:

  • CLI commands that reboot the switch.

  • Interactions in the bash shell.

NOTE:

Local accounting (always enabled) must be functioning properly for remote Accounting to work.

NOTE:

The accounting information is sent to the first reachable remote TACACS+ AAA server (configured for remote accounting). If no remote TACACS+ server is reachable, local accounting remains available.

Sample accounting information on a TACACS+ server

我5月9日17:52:32 10.10.11.1未知tty 0.0.0.0start task_id=1525899775430 timezone=UTC start_time=1525913552.428 service=system event=sys_acct reason="System-accounting-ON" result=success Mon May 9 17:52:48 10.10.11.1 admin tty 192.168.1.20 start task_id=1525899775431 timezone=UTC start_time=1525913567.611 service=shell priv_lvl=15 result=success Mon May 9 17:52:48 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775432 timezone=UTC stop_time=1525913567.614 service=shell priv_lvl=15 cmd="enable" result=success Mon May 9 17:52:51 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775433 timezone=UTC stop_time=1525913570.851 service=shell priv_lvl=15 cmd="configure" result=success Mon May 9 17:52:53 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775434 timezone=UTC stop_time=1525913573.427 service=shell priv_lvl=15 cmd="interface 1/1/3" result=success Mon May 9 17:52:54 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775435 timezone=UTC stop_time=1525913574.447 service=shell priv_lvl=15 cmd="no shutdown" result=success Mon May 9 17:52:58 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775436 timezone=UTC stop_time=1525913578.131 service=shell priv_lvl=15 cmd="ip address 10.10.13.1/24" result=success Mon May 9 17:52:59 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775437 timezone=UTC stop_time=1525913579.468 service=shell priv_lvl=15 cmd="exit" result=success Mon May 9 17:53:10 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775442 timezone=UTC stop_time=1525913590.204 service=shell priv_lvl=15 cmd="exit" result=success Mon May 9 17:53:10 10.10.11.1 admin tty 192.168.1.20 stop task_id=1525899775431 timezone=UTC stop_time=1525913590.205 service=shell priv_lvl=15 result=success Mon May 9 17:53:44 10.10.11.1 UNKNOWN tty 0.0.0.0 stop task_id=1525899775430 timezone=UTC stop_time=1525913624.473 service=system event=sys_acct reason="System-accounting-OFF" result=success
NOTE:

This sample is representative and not from any particular TACACS+ server implementation.

Sample REST accounting information on a TACACS+ server

Oct 30 16:31:56 10.10.10.1 admin tty 127.0.0.1 start task_id=1540942055868 timezone=UTC start_time=1540942316.36 service=https-server priv_lvl=15 cmd="http-method=POST http-uri=/rest/v1/login" result=success
NOTE:

This sample is representative and not from any particular TACACS+ server implementation.