FortiGate
js2
Staff
Article Id 272333
Description

This article explains TACACS+ accounting, which is supported from FortiOS 7.0.2. System event log entries for login events, configuration change events, and CLI command audits can be forwarded to an external TACACS+ server as accounting records.

Scope

FortiGate.

Solution

Configuration. First point the FortiGate at the TACACS+ accounting server and set the shared secret (it must match the key configured on the server), then select which audit events are forwarded:

config log tacacs+accounting setting
    set status enable
    set server <server IP>
    set server-key <shared secret>
end

config log tacacs+accounting filter
    set login-audit enable
    set config-change-audit enable
    set cli-cmd-audit enable
end

 

Sample server logs can be viewed at the following link:
Support TACACS+ accounting 7.0.2

Consider an example of a configuration change event: firewall policy 3 is disabled from the GUI, and the change is forwarded to an Aruba ClearPass TACACS+ server.

System event log on the FortiGate:

Config Path: firewall.policy
Config Object: 3
Config Attributes: status[enable->disable]
User Interface: GUI(10.100.5.25)
Message: Edit firewall.policy 3

 

Accounting message received on the Aruba ClearPass TACACS+ server:

event: sys_acct
reason: Edit firewall.policy 3
service: fortigate
stop_time: 1693551643920131101

 

Note that the changed attribute itself (status[enable->disable]) is recorded only in the FortiGate system event log and is not sent to the TACACS+ server. The accounting record carries only the summary message 'Edit firewall.policy 3' as its reason, so the local event log must be retained if attribute-level detail is required for audit.

To verify that accounting records are being sent, take a packet capture on the FortiGate:

 

diag sniffer packet any 'host x.x.x.x and port 49' 6 0 l  <----- x.x.x.x is the TACACS+ server IP; TACACS+ uses TCP port 49.

The body of every TACACS+ packet is obfuscated with the shared secret (RFC 8907, section 4.5), so the accounting attributes are not readable in the raw capture. To decode and view the accounting message in Wireshark, enter the same server key in the TACACS+ protocol preferences. This obfuscation (an MD5-derived pad XORed over the body) is not strong encryption and gives no integrity protection, so keep the accounting traffic on a trusted management network.
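
The following Python script is an added example, not code from this article or from Fortinet. It builds a TACACS+ accounting REQUEST carrying attributes like the ones ClearPass displayed above, applies the RFC 8907 shared-secret obfuscation that the FortiGate uses on the wire, and decodes it again. It shows why the raw sniffer output cannot be read without the key, what happens when the wrong key is tried, and that the server receives only a reason string rather than the attribute diff. The key, session ID, user, port and address values are constructed; the attribute names follow the ClearPass display, but which fields FortiGate actually populates is an assumption.

```python
"""Round-trip a TACACS+ accounting REQUEST (RFC 8907) through the shared-secret
obfuscation: what the sniffer sees on TCP/49 and why the key is needed to read it.
Constructed example: key, session id, user and attribute values are invented."""
import hashlib
import struct

TAC_PLUS_ACCT = 0x03                 # header type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in the clear
TAC_PLUS_ACCT_FLAG_STOP = 0x04       # accounting flag: STOP record
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
VERSION = 0xC0                       # major version 0xC, minor version 0
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated, truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; symmetric, so the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(user, port, rem_addr, args, acct_flags=TAC_PLUS_ACCT_FLAG_STOP, priv_lvl=15):
    """Serialise an accounting REQUEST body (RFC 8907 7.1): fixed fields, one-byte
    length per string, then user, port, rem_addr and the name=value arguments."""
    fields = [user.encode(), port.encode(), rem_addr.encode()] + [a.encode() for a in args]
    if len(args) > 255 or any(len(f) > 255 for f in fields):
        raise ValueError("argument count or string length does not fit in one byte")
    ub, pb, rb, *ab = fields
    body = bytes([acct_flags, TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                  TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                  len(ub), len(pb), len(rb), len(ab)])
    return body + bytes(len(a) for a in ab) + ub + pb + rb + b"".join(ab)


def encode_packet(body, key, session_id, seq_no=1):
    """Prepend the 12-byte header and obfuscate the body as the client sends it."""
    header = HEADER.pack(VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def decode_acct_request(packet, key):
    """Parse an accounting REQUEST. With the wrong shared secret the deobfuscated
    lengths and strings do not line up, which is reported as ValueError."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_ACCT:
        raise ValueError("not an accounting packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    try:
        acct_flags, _meth, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = body[:9]
        pos, strings = 9 + argc, []
        for n in (ulen, plen, rlen, *body[9:9 + argc]):
            strings.append(body[pos:pos + n].decode("ascii"))
            pos += n
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("body does not parse; wrong shared secret?") from exc
    if pos != length or len(strings) != 3 + argc:
        raise ValueError("body does not parse; wrong shared secret?")
    user, port, rem_addr, *args = strings
    attrs = {}
    for arg in args:
        # "name=value" is a mandatory argument, "name*value" an optional one (RFC 8907 8.1)
        sep = min((i for i, c in enumerate(arg) if c in "=*"), default=None)
        if sep is None:
            raise ValueError("argument without separator: %r" % arg)
        attrs[arg[:sep]] = arg[sep + 1:]
    return {"session_id": session_id, "seq_no": seq_no, "priv_lvl": priv_lvl,
            "stop": bool(acct_flags & TAC_PLUS_ACCT_FLAG_STOP),
            "user": user, "port": port, "rem_addr": rem_addr, "attrs": attrs}


# Constructed sample, not a real FortiGate capture: attribute names follow the
# ClearPass display in the article; key, session id, user and addresses are invented.
SHARED_SECRET = b"SharedSecret123"
SESSION_ID = 0x1A2B3C4D
SAMPLE_ARGS = ["service=fortigate", "event=sys_acct",
               "reason=Edit firewall.policy 3", "stop_time=1693551643920131101"]


def sample_packet():
    body = build_acct_request("admin", "gui", "10.100.5.25", SAMPLE_ARGS)
    return encode_packet(body, SHARED_SECRET, SESSION_ID)


if __name__ == "__main__":
    pkt = sample_packet()
    print("on the wire:    ", pkt.hex())                  # attribute text is not visible
    print("with right key: ", decode_acct_request(pkt, SHARED_SECRET)["attrs"])
    try:
        print("with wrong key: ", decode_acct_request(pkt, b"wrong-key")["attrs"])
    except ValueError as exc:
        print("with wrong key: ", exc)
```

Only the 12-byte header (version, type, sequence number, flags, session ID, length) is in the clear, which is why the sniffer shows the session but not the `reason` or `service` text until the server key is supplied. The same pad derivation is what Wireshark applies when the key is entered in its TACACS+ preferences.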
