Support TACACS+ accounting 7.0.2
Customers can send system log entries to external TACACS+ accounting servers. Up to three external TACACS+ servers can be configured with different filters for log events. These filters include TACACS+ accounting for login events, configuration change events, and CLI command audits.
In the following example, one remote TACACS+ accounting server is configured and administrators log in to the FortiGate with SSH and HTTPS sessions to modify existing configurations. All events are sent to the TACACS+ accounting server.
To configure remote TACACS+ accounting:
- Enable TACACS+ accounting and enter the server access information:
config log tacacs+accounting setting
    set status enable
    set server "10.1.100.34"
    set server-key ************
end
- Configure the log message filters:
config log tacacs+accounting filter
    set login-audit enable
    set config-change-audit enable
    set cli-cmd-audit enable
end
- Log in to the FortiGate with SSH and HTTPS sessions, and rename a local user.
- Log off from the FortiGate and check the logs on the remote TACACS+ server:
System events logs for SSH administrator session:
<102> 2021-09-10 08:35:52 [10.1.100.9:20537] 09/10/2021 08:35:52 NAS_IP=10.1.100.9 Port=ssh rem_addr=172.16.200.254 User=test1 Flags=Start service=fortigate event=sys_acct start_time=1631288152644311549 reason="Administrator test1 logged in successfully from ssh(172.16.200.254)" task_id=1631288152
<102> 2021-09-10 08:36:27 [10.1.100.9:20573] 09/10/2021 08:36:27 NAS_IP=10.1.100.9 Port= User=test1 Flags=Stop service=fortigate event=sys_acct stop_time=1631288186895709341 reason="Rename user.local local-101 to local-102"
<102> 2021-09-10 08:37:09 [10.1.100.9:20625] 09/10/2021 08:37:09 NAS_IP=10.1.100.9 Port=ssh rem_addr=172.16.200.254 User=test1 Flags=Stop service=fortigate event=sys_acct stop_time=1631288229650641602 reason="Administrator test1 logged out from ssh(172.16.200.254)" task_id=1631288152
System events logs for HTTPS administrator session:
<102> 2021-09-10 08:43:54 [10.1.100.9:20871] 09/10/2021 08:43:54 NAS_IP=10.1.100.9 Port=https rem_addr=172.16.200.254 User=admin Flags=Start service=fortigate event=sys_acct start_time=1631288634531042178 reason="Administrator admin logged in successfully from https(172.16.200.254)" task_id=1631288634
<102> 2021-09-10 08:44:21 [10.1.100.9:21020] 09/10/2021 08:44:21 NAS_IP=10.1.100.9 Port= User=admin Flags=Stop service=fortigate event=sys_acct stop_time=1631288661938560301 reason="Rename user.local local-new to local-new-1"
<102> 2021-09-10 08:45:49 [10.1.100.9:21093] 09/10/2021 08:45:49 NAS_IP=10.1.100.9 Port=https rem_addr=172.16.200.254 User=admin Flags=Stop service=fortigate event=sys_acct stop_time=1631288749504281964 reason="Administrator admin logged out from https(172.16.200.254)" task_id=1631288634
By default, the system event logs sent to the TACACS+ server contain configuration modifications. To include execute, show, get, and diagnose commands in the system event logs, enable cli-audit-log.
To enable the CLI audit log option:
config system global
    set cli-audit-log enable
end
Sample TACACS+ server logs for diagnose and execute commands:
<102> 2021-09-27 14:19:11 [10.1.100.5:5568] 09/27/2021 14:19:11 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777550865151332 reason="dia sniffer packet any icmp" cmd=Diagnose
<102> 2021-09-27 14:19:33 [10.1.100.5:5583] 09/27/2021 14:19:33 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777572609260119 reason="dia test authserver ldap FORTINET-FSSO test2 test2" cmd=Diagnose
<102> 2021-09-27 14:19:38 [10.1.100.5:5587] 09/27/2021 14:19:38 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777577591769970 reason="exec log display" cmd=Execute
<102> 2021-09-27 14:20:22 [10.1.100.5:5615] 09/27/2021 14:20:22 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777621524026363 reason="exec log delete-all" cmd=Execute
<102> 2021-09-27 14:20:38 [10.1.100.5:5627] 09/27/2021 14:20:38 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777637777273617 reason="exec log filter category event" cmd=Execute
<102> 2021-09-27 14:20:42 [10.1.100.5:5633] 09/27/2021 14:20:42 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777641616751047 reason="exec log display" cmd=Execute
<102> 2021-09-27 14:20:53 [10.1.100.5:5639] 09/27/2021 14:20:53 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777652516689886 reason="dia test authserver ldap FORTINET-FSSO test2 test2" cmd=Diagnose
<102> 2021-09-27 14:20:56 [10.1.100.5:5642] 09/27/2021 14:20:56 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777656330649349 reason="exec log display" cmd=Execute
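The session records and the command records above share one layout: a syslog-style header followed by space-separated key=value pairs, with the value quoted when it contains spaces. Login and logout records carry a task_id, while configuration-change and command records carry only the User. The following Python script is an added example, not FortiOS or Fortinet code, of what a collector can do with records in that layout: it parses them, classifies each as a login, logout, configuration change or CLI command, groups them into administrator sessions by task_id, and raises alerts for a watchlisted command (the "exec log delete-all" shown in the sample above, which empties the device's local logs) and for activity recorded against a user with no open session. The sample records, user names, addresses and times, the watchlist, and the assumption that each user has at most one open session at a time are constructed for this example; attributing a configuration-change or command record to the user's currently open session is a heuristic, since those records carry no task_id.

```python
"""Parse FortiGate TACACS+ accounting records and summarise administrator activity.

Added example, not FortiOS code. It assumes the record layout shown on this page:
a syslog-style header, then space-separated key=value pairs, with the value
quoted when it contains spaces (reason="...").
"""
import re
from collections import OrderedDict

# Constructed sample records in that layout: addresses, user names and times are
# made up. Record 3 is a log wipe inside an SSH session; record 8 is a command
# from a user for whom no login record was received.
SAMPLE_LOGS = """\
<102> 2021-10-05 09:00:01 [192.0.2.1:40001] 10/05/2021 09:00:01 NAS_IP=192.0.2.1 Port=ssh rem_addr=198.51.100.7 User=alice Flags=Start service=fortigate event=sys_acct start_time=1633424401000000000 reason="Administrator alice logged in successfully from ssh(198.51.100.7)" task_id=1633424401
<102> 2021-10-05 09:01:10 [192.0.2.1:40002] 10/05/2021 09:01:10 NAS_IP=192.0.2.1 Port= User=alice Flags=Stop service=fortigate event=sys_acct stop_time=1633424470000000000 reason="Rename user.local local-101 to local-102"
<102> 2021-10-05 09:01:30 [192.0.2.1:40003] 10/05/2021 09:01:30 NAS_IP=192.0.2.1 Port= User=alice Flags=Stop service=fortigate event=cmd_acct stop_time=1633424490000000000 reason="exec log delete-all" cmd=Execute
<102> 2021-10-05 09:02:00 [192.0.2.1:40004] 10/05/2021 09:02:00 NAS_IP=192.0.2.1 Port=ssh rem_addr=198.51.100.7 User=alice Flags=Stop service=fortigate event=sys_acct stop_time=1633424520000000000 reason="Administrator alice logged out from ssh(198.51.100.7)" task_id=1633424401
<102> 2021-10-05 09:10:00 [192.0.2.1:40005] 10/05/2021 09:10:00 NAS_IP=192.0.2.1 Port=https rem_addr=198.51.100.7 User=admin Flags=Start service=fortigate event=sys_acct start_time=1633425000000000000 reason="Administrator admin logged in successfully from https(198.51.100.7)" task_id=1633425000
<102> 2021-10-05 09:10:30 [192.0.2.1:40006] 10/05/2021 09:10:30 NAS_IP=192.0.2.1 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1633425030000000000 reason="dia sniffer packet any icmp" cmd=Diagnose
<102> 2021-10-05 09:11:00 [192.0.2.1:40007] 10/05/2021 09:11:00 NAS_IP=192.0.2.1 Port=https rem_addr=198.51.100.7 User=admin Flags=Stop service=fortigate event=sys_acct stop_time=1633425060000000000 reason="Administrator admin logged out from https(198.51.100.7)" task_id=1633425000
<102> 2021-10-05 09:15:00 [192.0.2.1:40008] 10/05/2021 09:15:00 NAS_IP=192.0.2.1 Port= User=bob Flags=Stop service=fortigate event=cmd_acct stop_time=1633425300000000000 reason="exec log display" cmd=Execute
"""

HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>\s+(?P<ts>\S+\s+\S+)\s+\[(?P<src>[^\]]+)\]\s+\S+\s+\S+\s+(?P<body>.*)$')
# key=value, where value is either a double-quoted string or a run of non-spaces
# (possibly empty, as in the Port= of configuration-change and command records).
KV_RE = re.compile(r'(\w+)=(?:"(?P<q>[^"]*)"|(?P<u>\S*))')

# (top-level command as reported in cmd=, remainder as typed) -> why it matters.
# Constructed watchlist for the example; extend it to local policy.
WATCHLIST = {
    ("Execute", "log delete-all"): "local log store wiped",
}


def parse_record(line):
    """Return one record as a dict (header fields plus every key=value pair), or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"pri": int(m.group("pri")), "timestamp": m.group("ts"), "source": m.group("src")}
    for kv in KV_RE.finditer(m.group("body")):
        rec[kv.group(1)] = kv.group("q") if kv.group("q") is not None else kv.group("u")
    return rec


def parse_records(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r is not None]


def classify(rec):
    """Map a record to login / logout / config_change / cli_command / other."""
    event = rec.get("event")
    if event == "cmd_acct":
        return "cli_command"
    if event == "sys_acct":
        reason = rec.get("reason", "")
        if rec.get("Flags") == "Start" and "logged in" in reason:
            return "login"
        if "logged out" in reason:
            return "logout"
        return "config_change"
    return "other"


def command_key(rec):
    """The command is recorded as typed ("dia", "exec"), so take the canonical
    top-level word from cmd= and keep the remainder as typed."""
    words = rec.get("reason", "").split()
    return (rec.get("cmd", ""), " ".join(words[1:]))


def build_sessions(records):
    """Group records into sessions keyed by task_id. Records without a task_id are
    attributed to the user's currently open session (assumption: at most one open
    session per user); those that cannot be attributed are returned as orphans."""
    sessions, open_by_user, orphans = OrderedDict(), {}, []
    for rec in records:
        kind, user = classify(rec), rec.get("User")
        if kind == "login":
            sid = rec.get("task_id")
            sessions[sid] = {"user": user, "port": rec.get("Port"), "rem_addr": rec.get("rem_addr"),
                             "start": rec["timestamp"], "stop": None, "actions": []}
            open_by_user[user] = sid
        elif kind == "logout":
            if rec.get("task_id") in sessions:
                sessions[rec["task_id"]]["stop"] = rec["timestamp"]
            open_by_user.pop(user, None)
        elif user in open_by_user:
            sessions[open_by_user[user]]["actions"].append((kind, rec))
        else:
            orphans.append(rec)
    return sessions, orphans


def find_alerts(records):
    """Return (rule, user, detail) tuples for watchlisted commands and unattributed activity."""
    sessions, orphans = build_sessions(records)
    alerts = []
    for sid, s in sessions.items():
        for kind, rec in s["actions"]:
            if kind == "cli_command" and command_key(rec) in WATCHLIST:
                alerts.append(("watchlisted_command", s["user"],
                               f"{WATCHLIST[command_key(rec)]}: '{rec['reason']}' via {s['port']} "
                               f"from {s['rem_addr']} (task_id {sid})"))
    for rec in orphans:
        alerts.append(("no_open_session", rec.get("User"),
                       f"{classify(rec)} '{rec.get('reason')}' with no login record"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in find_alerts(parse_records(SAMPLE_LOGS)):
        print(f"[{rule}] {user}: {detail}")
```

Run stand-alone, the script prints two alerts: the log wipe attributed to alice's SSH session, and bob's command with no matching login. Because cli_cmd_audit records only exist once cli-audit-log is enabled, the no_open_session rule also gives a quick check that accounting is reaching the collector for every administrator who is active on the device.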