ClearPass – Sending TACACS+ Audit log to Syslog Server

ClearPass – TACACS+ Audit logs

So you’ve got ClearPass and have wisely decided to utilise it to secure and monitor your switching infrastructure. You’ve setup TACACS+ on the switches & configured a service on ClearPass (possibly following the awesome guide on the Aruba Solution Exchange). If you’re having problems setting it up head over to the Airheads community and you’ll get some great help over there.

Just a second, if you’re not aware of the Aruba Solution Exchange (ASE) you should really check it out. In fact go there now. Come back when you’ve had a good browse of what’s on offer. Ok, back now?

Right, back on track. TACACS authentication and accounting is now setup and working. You should see the authentication requests in the access tracker and when clicking on the Authorizations tab you’ll see the commands as in the image below:


Now, if you select the accounting record that associated with these requests and go to the Details tab you’ll see the commands again but with a few more details including the privilege level. See below:


If you have your own syslog server and you want (or need) to export these audit trail details you need to head down to the “Syslog Export Filters” under Administration / External Servers. You can manually setup some filters using the pre-defined options and dropdown lists or create custom SQL queries to decide what gets sent to your syslog server.

I couldn’t find exactly what I needed from the pre-defined options.

I wanted to export the following:

  • Device changes are being made on
  • User making the changes
  • Commands being run
  • Where the user logged in from
  • Timestamp

I could see the details I wanted to export but they were in a couple of different tables. Turns out it’s fairly trivial to generate a query which searches a couple of tables..

Here’s the resulting SQL query:

SELECT tips_tacacs_accounting_records.nas_ip,tips_tacacs_accounting_records.user_name,tips_tacacs_accounting_records.remote_address,tips_tacacs_accounting_details.attr_value,tips_tacacs_accounting_details.timestamp FROM tips_tacacs_accounting_details 
JOIN tips_tacacs_accounting_records on 
WHERE ((tips_tacacs_accounting_details.timestamp >= --START-TIME--) 
AND (tips_tacacs_accounting_details.timestamp <= --END-TIME--))
AND (tips_tacacs_accounting_details.attr_name = 'cmd');

You can download a copy of the ClearPass Export Filter from here. You could import it into your ClearPass server(s) and modify the syslog target if you wished. The SQL query is also available here.


I’m by no means a DBA and only provide the information in this blog as a reference. I accept no responsibility if you decide to copy anything off this blog an use it any way. Also I wouldn’t be surprised if there were a more elegant way to achieve this so please post in the comments if you know one.

Using RADIUS to secure your switches

Maybe you’re thinking of securing your switches with RADIUS? Whilst you can certainly authenticate admin users using RADIUS you cannot “log the commands used. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way of telling which administrator entered which commands.”. Plus TACACS+ has been designed for this purpose, RADIUS however has not. More TACACS+ reading.


Aruba Airheads Community
Aruba Solution Exchange
ASE Splunk Syslog Export
ASE CPPM / Cisco TACACS+ Setup
The Advantages of TACACS+ for Administrator Authentication


4 thoughts on “ClearPass – Sending TACACS+ Audit log to Syslog Server

  1. “Maybe you’re thinking of securing your switches with RADIUS? Whilst you can certainly authenticate admin users using RADIUS you cannot log the commands used”

    This is not true – we’ve used Radius to log commands for years on our HP switches.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s