TACACS+ accounting overview

This accounting information is captured and made available for sending to remote accounting servers:

  • Exec Accounting: user login/logout events.

  • Command accounting: commands executed by users.

  • System accounting: remote accounting On/Off events.

  • CLI show commands.

  • Interactions on the non-CLI interfaces: REST and WebUI.

The following is not captured or made available as accounting information:

  • CLI commands that reboot the switch.

  • Interactions in the bash shell.

NOTE:

Local accounting (always enabled) must be functioning properly for remote Accounting to work.

NOTE:

The accounting information is sent to the first reachable remote TACACS+ AAA server (configured for remote accounting). If no remote TACACS+ server is reachable, local accounting remains available.

Sample accounting information on a TACACS+ server

Mon May 9 17:52:32 10.10.11.1 UNKNOWN tty 0.0.0.0 start task_id=1525899775430  timezone=UTC  start_time=1525913552.428  service=system  event=sys_acct  reason="System-accounting-ON"  result=success
Mon May 9 17:52:48 10.10.11.1 admin  tty 192.168.1.20  start task_id=1525899775431  timezone=UTC  start_time=1525913567.611 service=shell priv_lvl=15  result=success
Mon May 9 17:52:48 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775432  timezone=UTC  stop_time=1525913567.614  service=shell priv_lvl=15  cmd="enable"  result=success
Mon May 9 17:52:51 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775433  timezone=UTC  stop_time=1525913570.851  service=shell priv_lvl=15  cmd="configure"  result=success
Mon May 9 17:52:53 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775434  timezone=UTC  stop_time=1525913573.427  service=shell priv_lvl=15  cmd="interface 1/1/3"  result=success
Mon May 9 17:52:54 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775435  timezone=UTC  stop_time=1525913574.447  service=shell priv_lvl=15  cmd="no shutdown"  result=success
Mon May 9 17:52:58 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775436  timezone=UTC  stop_time=1525913578.131  service=shell priv_lvl=15  cmd="ip address 10.10.13.1/24"  result=success
Mon May 9 17:52:59 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775437  timezone=UTC  stop_time=1525913579.468  service=shell priv_lvl=15  cmd="exit"  result=success
Mon May 9 17:53:10 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775442  timezone=UTC  stop_time=1525913590.204  service=shell priv_lvl=15  cmd="exit"  result=success
Mon May 9 17:53:10 10.10.11.1 admin  tty 192.168.1.20  stop  task_id=1525899775431  timezone=UTC  stop_time=1525913590.205  service=shell priv_lvl=15  result=success
Mon May 9 17:53:44 10.10.11.1 UNKNOWN tty 0.0.0.0 stop  task_id=1525899775430  timezone=UTC  stop_time=1525913624.473  service=system  event=sys_acct  reason="System-accounting-OFF"  result=success
NOTE:

This sample is representative and not from any particular TACACS+ server implementation.

Sample REST accounting information on a TACACS+ server

Oct 30 16:31:56 10.10.10.1 admin  tty 127.0.0.1  start  task_id=1540942055868  timezone=UTC  start_time=1540942316.36  service=https-server  priv_lvl=15  cmd="http-method=POST http-uri=/rest/v1/login"  result=success
NOTE:

This sample is representative and not from any particular TACACS+ server implementation.