Specifying TACACS+ Auditing and Accounting Events (SRC CLI)
You can specify the types of events you want to audit when using a TACACS+ accounting server.
To configure the types of events you want to audit:
- From configuration mode, access the configuration statement used to specify TACACS+ events.
  [edit]
  user@host# edit system accounting events events
events is one or more of the following:
- login—Audit logins.
- change-log—Audit configuration changes (copy, delete, edit, exit, help, history, insert, load, quit, rename, rollback, run, save, set, show, top, up).
- interactive-commands—Audit interactive commands (any command-line input).
Events are published to the accounting server with the information described in Table 1.
Table 1: Information Published for Events
Start Event | Stop Event | Update Event |
---|---|---|
username (for instance: root) | username (for instance: root) | username (for instance: root) |
task_id: pid (for instance: 22956) | task_id: pid (for instance: 22956) | task_id: pid (for instance: 22956) |
startTime in seconds. The time the CLI session was created, measured in seconds, between the time it was created and midnight, January 1, 1970 UTC. | startTime in seconds. The time the CLI session was created, measured in seconds, between the time it was created and midnight, January 1, 1970 UTC. | executedTime in seconds. The time the CLI command was executed, measured in seconds, between the time it was executed and midnight, January 1, 1970 UTC. |
 | stopTime in seconds. The time the CLI session was destroyed, measured in seconds, between the time it was destroyed and midnight, January 1, 1970 UTC. | cmd (for instance: “show”) |
 | | cmd_arg (for instance: “sae subscribers brief”) |
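The following added example (not part of the SRC documentation or software) shows how the Table 1 fields can be correlated on the accounting server side: records are grouped by username and task_id to rebuild each CLI session, and sessions with gaps in the audit trail are reported. The record layout (one dict per event with an `event` key) and the sample values are constructed for illustration; it assumes stop records carry stopTime and update records carry cmd and cmd_arg.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records using the Table 1 field names. The "event" key
# and the dict layout are assumptions, not the server's actual log format.
SAMPLE = [
    {"event": "start", "username": "root", "task_id": "22956", "startTime": "1700000000"},
    {"event": "update", "username": "root", "task_id": "22956",
     "executedTime": "1700000042", "cmd": "show", "cmd_arg": "sae subscribers brief"},
    {"event": "stop", "username": "root", "task_id": "22956",
     "startTime": "1700000000", "stopTime": "1700000100"},
    {"event": "update", "username": "admin", "task_id": "23011",
     "executedTime": "1700000200", "cmd": "show", "cmd_arg": "configuration"},
]

def utc(seconds):
    """Convert a seconds-since-1970 field to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).isoformat()

def build_sessions(records):
    """Group records by (username, task_id). task_id is a pid and can be
    reused over time, so long-running logs should be processed in windows."""
    sessions = defaultdict(lambda: {"start": None, "stop": None, "commands": []})
    for r in records:
        s = sessions[(r["username"], r["task_id"])]
        if r["event"] == "start":
            s["start"] = int(r["startTime"])
        elif r["event"] == "stop":
            # A stop record repeats startTime, so a lost start can be recovered.
            s["start"] = s["start"] or int(r["startTime"])
            s["stop"] = int(r["stopTime"])
        elif r["event"] == "update":
            s["commands"].append((int(r["executedTime"]), r["cmd"], r.get("cmd_arg", "")))
    return dict(sessions)

def audit_gaps(sessions):
    """Report sessions whose audit trail is incomplete or inconsistent."""
    findings = []
    for (user, task), s in sorted(sessions.items()):
        if s["start"] is None:
            findings.append((user, task, "commands without a session start"))
        elif s["stop"] is None:
            findings.append((user, task, "session never closed"))
        for t, cmd, _ in s["commands"]:
            if s["start"] is not None and not s["start"] <= t <= (s["stop"] or t):
                findings.append((user, task, f"command outside session window: {cmd}"))
    return findings

if __name__ == "__main__":
    for finding in audit_gaps(build_sessions(SAMPLE)):
        print(finding)
```
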