Tacacs+ Administration log Auditing

Hello,
I am working as an internal auditor in a bank and I have doubts about something in the logs generated by TACACS+. I am looking for someone to assist with this.
My concern is about firewall changes which triggered on the TACACS+ Administration. It shows you the change in terms of adding an IP address as source to a specific group (objects) as destination. What if I need more details about the privileges of the destination objects which I am adding this source to? How can I identify these changes?

Hi Mahmoud,
You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI.
To enable command accounting, enter the following command:
hostname(config)# aaa accounting command [privilege level] server-tag
and you do have this command in your configuration. Now, if command accounting is not working in your case, then you need to tell me what version of Cisco ACS you are running. If it is ACS 4.1.1.23, then there is a defect that has been fixed in patch 5.
The issue that you are facing could be due to,
CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
aaa-server AuthOutbound protocol tacacs+
aaa authentication http console LOCAL
aaa authentication enable console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
aaa authorization command TACACS+
aaa accounting command TACACS+
How to configure command accounting on ASA
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1059882
Hope this helps.
Let me know if you need further help on this.
Regards,
Jatin
Do rate helpful posts~

Similar Messages

  • No TACACS+ Administration Logging on ACS

    I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:
    aaa accounting command <server group> or <privilege>.
    How do I get this ASA and Windows ACS to collect TACACS+ administration?
    Note: My TACACS+ accounting does collect data on users ssh into the ASA.

    It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.
    Get this patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
    You are right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
    Here's an example of the commands:
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Hope it helps.

  • ACS Tacacs administration report Log Analyzer

    The logs in ACS are in .csv format. My system is generating huge logs due to more than 1000 devices configured in ACS. Are there any tools available to analyze the TACACS administration logs?
    Regards
    Hitesh Vinzoda

    Hi Hitesh,
    The only option you have is to download the .CSV files and import it into spreadsheets by using most popular spreadsheet application software. You can also use a third-party reporting tool to manage report data. For example, aaa-reports! by Extraxi supports ACS.
    To download a CSV report:
    =========================
    # Click Reports and Activity.
    # Click the CSV report filename that you want to download.
    # In the right pane of the browser, click Download.
    # You can easily analyse the logs in Microsoft Excel.
    How to filter and analyze logs ( with Regular Expression Syntax Definitions):
    ========================================
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp632961
    For downloading third party application
    http://www.extraxi.com/
    For more info, you can download the user guide:
    http://www.extraxi.com/PDFs/aaa-reports%20sales%20proposal%20-%20customer.pdf
    HTH
    Regards,
    JK

  • Error during netlist generation and log audit trail error

    I am not able to run the simulation application on my Multisim 10. The following two errors were generated every time I try to run the simulation:
    Error: log /Audit Trail, C: \document~1\xxx: Permission denied
    Error during netlist generation, C:\document~1\xxx: Permision denied
    Can anybody help me fix this problem that makes it impossible for me to use the Multisim 10 simulation tool?

    There are two KBs I would like for you to see, since they might have the answer to the problem you are having:
    1. This KB is related to having access to the TEMP directories where Multisim stores temp files for simulation:
    http://digital.ni.com/public.nsf/allkb/15526EB2464F3EDD8625722C00696BB0
    2. This other KB deals with non-Administrator users of Windows, it talks about v9 but the idea is the same for v10, just look for the v10 installation paths:
    http://digital.ni.com/public.nsf/allkb/0DF597C217A235BE862571FB004F24BD
    Nestor
    National Instruments

  • No TACACS+ Administration Reports after upgrade to ACS 4.1

    Hi,
    I was running ACS 4.0 demo version. Everything was running fine.
    After upgrading and keeping the old configuration, I can't see logs in the TACACS+ Administration Reports. I kept the configurations on the router and switch the same, so I believe that the problem resides in the ACS software.
    I tested some debug, and it seems that the router is sending the command that is being typed to ACS.
    Here is the config I'm using:
    aaa new-model
    tacacs-server host 192.168.X.X key XXXXXXXXXXX
    aaa authentication login telnet group tacacs+ enable
    aaa authentication login console enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection telnet start-stop group tacacs+
    line con 0
    authorization exec NO-AUTH
    login authentication console
    line vty 0 4
    authorization exec AUTH
    login authentication telnet
    aaa authorization exec AUTH group tacacs+ none
    aaa authorization config-commands
    aaa authorization exec NO-AUTH none
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none

    Hi,
    This is a known issue, you need to apply patch ACS 4.1.1.23.5 to fix the issue.
    Patch for appliance is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
    Patch name : ACS SE 4.1.1.23.5 accumulative patch
    Patch for ACS Windows is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
    Patch Name : ACS 4.1.1.23.5 accumulative patch
    That should fix the issue,
    Regards,
    Jagdeep
    Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

  • Cisco ACS 4.2 TACACS+ Administration report - Help!

    We had some switches mysteriously reload. Upon investigation, the TACACS+ Administration report shows no user login to the device, no command was issued, and the reason = reload.
    How could this happen?

    Guna,
    Tacacs+ Does not use VSAs.
    Radius uses VSAs.
    This is what I found online:
    http://198.152.212.23/css/P8/documents/100106731
    See if this helps.
    It has an example associated for server configuration.
    In ACS 4, you need to use the shell exec and priv-lvl=<value>.
    (Similar to Cisco IOS)
    Regards
    Ed

  • Unable to view Administrator Logs

    Hello,
    I am trying to view the Netweaver Administrator Logs to Troubleshoot a Runtime Error on Production Portal. But when I goto http:<host>:<port>/nwa -> Monitoring -> Logs And Traces , then I select Default Trace Option or Last 24 Hours Option in the Dropdown, it displays the Message : ' No records to display '. The same when I do for QA Portal it displays the Logs fine. What is missing for Prod. Portal which is not allowing to view the Logs.?
    Any help would be highly Appreciated.
    Thanks.

    Please check with your Basis team whether writing of logs and traces is configured. It will be set by default, but there might be a chance it was set to "OFF". In that case you will not get any traces or logs.
    Thanks,
    Mahe

  • I forgot my administrator log in to my macbook air os 10.7.5

    I forgot my administrator log in to my macbook air os 10.7.5

    Boot to the Recovery HD:
    Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward pointing arrow button.
    When the menubar appears select Terminal from the Utilities menu. Enter resetpassword at the prompt and press RETURN. Follow instructions in the dialog window that will appear.
    Or see Reset a Mac OS X 10.7 Lion Password and OS X Lion- Apple ID can be used to reset your user account password.

  • Administrator Log no letters

    Hi everyone...
    I have been installing new software on my iMac (2011), but in my administrator log I can't see anything...
    What can I do?
    See: https://dl.dropbox.com/u/95497203/2013-02-05%2018.32.48.jpg
    Thx for any reply ^^

    Back up all data.
    Launch the Font Book application and validate all fonts. You must select the fonts in order to validate them. See the built-in help and the support article linked below for instructions. If Font Book finds any issues, resolve them, then boot in safe mode* (by holding down the shift key at the startup chime) to rebuild the font caches. Boot again as usual and test.
    Mac 101: Font Book
    *Note: If FileVault is enabled under OS X 10.7 or later, or if a firmware password is set, or if the boot volume is a software RAID, you can’t boot in safe mode. In that case only, after running Font Book, launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Drag or copy — do not type — the following line into the Terminal window, then press return:
    sudo atsutil databases -remove
    You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. After running the command, reboot as usual.

  • Data Access Service is unable to log audit events to the security event log

    Hi,
    Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
    Today SCOM have generated 4 alerts Data Access Service is unable to log audit events to the security event log.
    The service account for "System Center Data Access Service" service is "Local System".
    The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
    The question is:
    how to resolve this alert? (Where look for to obtain more information to resolve this problem)
    Thanks in advance!

    The Local System account is different from the Local Service account. For a detailed description of these accounts, please refer to:
    LocalService Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
    LocalSystem Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    "Generate security audits", which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of Group Policy, determines which accounts can be used by a process to add entries to the security log. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
    To identify the SDK account:
    1) Open services.msc
    2) From the System Center Data Access Service, you can see the SDK "log on as" account
    Roger

  • Portal Netweaver Administrator Logs

    Hello,
    I want to view the Administrator Logs on the Portal for which I am going to http://<host>:<port>/nwa, but then it says 'Select systems before proceeding' and no logs are displayed.
    Please help.

    Hello,
    Please check whether your sld is started or not, and technical system is created.
    to check sld go to http://host:port/sld, configure sld and create technical system.
    Thanks,
    Sagar Pande

  • Tacacs+ accounting log question

    I have a TACACS server running for accounting purposes only (so I use local authentication). So I can collect all accounting logs only.
    This is a snapshot for accounting part.
    Tacacs accounting logs
    <102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
    <102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
    <102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
    <102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
    As you can see, I can't see any command lines, such as show int ip b. I can see all router and switch logs, but the ASA logs show only the entries above. No matter what commands I use, it only shows the logs above. Am I missing something? I would like to capture all command lines when users use ASDM because we always use ASDM.
    I used Free tacacs+ server, not ACS.
    Thanks for your time.

    Hi Patrick,
    In the ACS View Reports (Monitoring & Reports >     Reports >     Catalog >     AAA Protocol) you can select the
    radio button and by selecting 'Run' on the bottom run a specific query. Without that by default you will see only a report from one day.
    For the 2nd question, yes the ACS View is designed to store that information, however if needed you can send the logs to an external syslog server or perform regular backups of the ACS View database.
    Kind regards,
    Pawel
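The accounting lines quoted in this thread can be split into fields and grouped by user with a short script. This is an added example, not part of any post: the field list is taken from the four quoted lines, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# The four accounting lines quoted in the post above, reused as sample input.
SAMPLE = """\
<102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
<102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
"""

# Field names seen in those lines. Values may contain spaces ("cmd=perfmon
# interval 10") or follow a stray space ("User= brian"), so a value runs until
# the next known key rather than the next whitespace.
KEYS = ("NAS_IP", "Port", "rem_addr", "User", "Flags", "task_id",
        "cmd", "service", "elapsed_time")
KEY_RE = re.compile(r"\s(%s)=" % "|".join(KEYS))
HEAD_RE = re.compile(r"^<\d+>\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\[([^\]]+)\]")


def parse_line(line):
    """Return a dict of fields, or None if the line is not in this format."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    rec = {"received": head.group(1), "sender": head.group(2)}
    hits = list(KEY_RE.finditer(line, head.end()))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        rec[m.group(1)] = line[m.end():end].strip()
    return rec


def summarize(lines):
    """Group (time, source address, command) by user; count unparsable lines."""
    per_user, skipped = defaultdict(list), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or "cmd" not in rec:
            skipped += 1
            continue
        per_user[rec.get("User", "?")].append(
            (rec["received"], rec.get("rem_addr"), rec["cmd"]))
    return dict(per_user), skipped


def command_counts(lines):
    """Distinct commands recorded; a very short list points to a logging gap."""
    return Counter(r["cmd"] for r in map(parse_line, lines) if r and "cmd" in r)


if __name__ == "__main__":
    users, skipped = summarize(SAMPLE.splitlines())
    for user, events in users.items():
        for when, src, cmd in events:
            print(f"{user:8} {when} from {src}: {cmd}")
    print(command_counts(SAMPLE.splitlines()), "skipped:", skipped)
```

Run over a full log, `command_counts` makes the gap described in the question visible: only the same two commands appear for the ASA, whatever was actually changed.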

  • TACACS Administration issue in Cisco ACS V4.1

    Hi,
    I am using Cisco Secure ACS V 4.1 for Windows. When taking the TACACS+ Administration report, the report is not getting generated. I have come to know that this is a bug in this version, so as per the support forums they have suggested to update to ACS-4.1.1.23. The link which shows this is given below.
    https://supportforums.cisco.com/message/2015469;jsessionid=E5E34B6AE1216E24188E4712050285DC.node0
    For the same I have searched on Cisco, but this particular version is not present; instead ACS 4.1.4.13 is present.
    Please let me know if updating to ACS 4.1.4.13 will resolve this TACACS+ administration report issue, or else provide me the remedy to fix this issue.
    Thanks,
    Krishna.

    Krishna,
    That link does not have any full software listed, only patches are listed. This bug is fixed in ACS 4.1.1.23.5 accumulative patch which can be downloaded from that link.
    In case you want to upgrade ACS, you need to open a TAC case to get the full software.
    Regards,
    ~JG
    Do rate helpful posts

  • Aaa-reports! v2.1 supports TACACS+ Device Admin Audit Reporting

    extraxi is proud to announce a new release of aaa-reports! with support for TACACS+ Device Admin (TDA) reports for audit compliance.
    Previous versions had the ability to import the Cisco Secure ACS database dump file and generate reports for group summaries, inactive users, expired and disabled user accounts.
    But in v2.1 we've gone much deeper. In this release we provide new reports to more fully document your TACACS+ Device Administration (TDA) config:
    * Group level Network Access Restrictions (NARs)
    * Shared NARs
    * Group level service & protocol authorization
    * Group level enable authorization
    * Group level shell command authorization
    * Shared Device Command Sets (DCS) for shell & pixshell
    * Network Device Group (NDG) content
    With these additions you will at last be able to document your "policy intent" without having to either take screen dumps of the ACS Admin web pages, or write it down by hand!!
    And the reports don't stop at config documentation... they can also show you
    * Which groups/users have permit access to specific devices (or device group)
    * What commands a group/user is authorised to execute against a specific device (or device group)
    * What groups/users make reference to a given Shared Network Access Restriction (NAR) or Shared Device Command Set (DCS)
    * Which Shared NARs and DCSs are not referenced at all
    aaa-reports! v2.1 now supports several methods for importing the ACS Database:
    * acsdb.cab - via extraxi "getacsdb" utility for v3.x
    * package.cab - via 4.x cssupport/support admin page
    All in all, aaa-reports! v2.1 is what ACS users have been crying out for to make network security auditing less painful!
    Visit http://www.extraxi.com to download a working 60 day trial


  • Job log, audit log

    Hi.
    Are there any log files to delete manually and periodically?
    I know the log files are deleted by standard delete job scheduled in Tr-cd SM36.
    How about the JOB log, and audit log?
    regards,

    Apart from SM36 standard logs,
    you might want to reorganize log/trace files in various directories:
    /local/data/interface - generally the interface directory
    /usr/sap/<SID>/../work - Work process trace files etc.
    Regards,
    Siddhesh
