TACACS-Scope

From ChekMate Security Group


Work In Progress - Not Completely Documented Yet.

Cisco Secure ACS (Access Control Server), usually speaking TACACS+, is used in many environments to provide AAA services for network devices.

One feature lacking in the Cisco product is the ability to search or browse its log files.

What we do here is create a batch job on the ACS server which nightly copies the log to a Unix server. On the Unix server the file is parsed and fed into a MySQL database. You can then browse and search the logs by privilege level, FQDN, username, or a substring match on the commands.


What is TACACScope?

Maintainer

License

Recent News

Download

Installation

Copy tacdump.bat to the application folder of CiscoSecure ACS.

This is the folder that also contains the sub directory .\Logs\TACACS+ Administration.

Here is the batch script; run it under Scheduled Tasks, usually just after midnight when the logs roll over:

@echo off
echo start
d:
cd "D:\CiscoSecure ACS v3.3\Logs\TACACS+ Administration"
pscp [snip] "Tacacs+ Administration 2*.csv" [snip]:/u01/apps/tacimport
rem Only archive the log once the copy succeeded; moving it after a failed
rem pscp would leave no copy on either side.
if errorlevel 1 exit /b 1
move "Tacacs+ Administration 2*.csv" ..\tacacsadminbackup

What this does is scp the most recent 24 hour log to the tacimport directory on the Linux server.

It then moves the source log file on the ACS server to an archive directory, in this case named "tacacsadminbackup", but you can name it whatever you like.

Whatever [snip] holds for pscp (a key file or a password) is readable by anyone who can read the batch file, so use a dedicated account on the Linux side that can do nothing beyond writing into tacimport.

Once the file arrives on the Linux server, a cron job picks it up, parses it and inserts it into the database.

here is the crontab entry:

15 0 * * * /u01/apps/tacimport/clean > /dev/null 2>&1

here is the clean script:


#!/bin/sh
# Nightly: normalise the ACS export(s) dropped off by pscp and load them.
cd /u01/apps/tacimport || exit 1
rm -f dump.tmp dump.raw
# Drop the header row (User-Name), any line containing 2003, and the service
# accounts that would otherwise flood the database.
cat *.csv | grep -v 2003 | grep -v User-Name | grep -v cfgback | grep -v tripwirebot > dump.tmp
# Strip the DOS carriage returns. (sed 's/\^M//g' only works when ^M is typed
# as a literal control character; tr works as written.)
tr -d '\r' < dump.tmp > dump.raw
# Turn the mm/dd/yyyy date into yyyy/mm/dd and re-emit exactly the twelve
# columns of the tacacs table. Only the date field is split on "/", so a
# command such as "interface GigabitEthernet0/1" keeps its column.
awk -F, '{ split($1, d, "/"); printf "%s/%s/%s", d[3], d[1], d[2];
           for (i = 2; i <= 12; i++) printf ",%s", $i; printf "\n" }' dump.raw > dump.csv
/usr/local/apache2/php/bin/php import
# Archive the source exports; the intermediate dump is not kept.
gzip *.csv
rm -f dump.csv.gz

This script concatenates the TACACS log file(s), filters out the header line and a few user ids you don't want flooding the database, and creates dump.tmp.

dump.tmp is stripped of carriage returns and then reformatted with awk into the twelve columns of the tacacs table, which results in dump.csv. Because awk splits on separator characters rather than parsing quoted CSV, a command that itself contains a comma (ACS quotes such fields) shifts the columns of that row. The grep filters are plain substring matches over the whole line, so a command or hostname containing one of those strings is dropped too.

A PHP script called 'import' then inserts the data into the MySQL database.

<?php
// Import dump.csv (produced by the clean script) into the tacacs table.
// A prepared statement is used so that a quote or comma in a logged command
// is data rather than SQL; the mysql_* functions no longer exist in PHP 7.
$db = new mysqli("localhost", "USER", "PASS", "tacacs");
if ($db->connect_error) {
    fwrite(STDERR, "connect failed: " . $db->connect_error . "\n");
    exit(1);
}
$stmt = $db->prepare("INSERT INTO tacacs VALUES (?,?,?,?,?,?,?,?,?,?,?,?)");
// expects the csv file to be in the same dir as this script
$fh = fopen('./dump.csv', 'r');
while (($arr = fgetcsv($fh)) !== false) {
    if (count($arr) != 12) {
        continue;   // blank or malformed line
    }
    // bind twelve string parameters; MySQL casts priv and task to int
    $stmt->bind_param(str_repeat('s', 12), ...$arr);
    if (!$stmt->execute()) {
        fwrite(STDERR, $stmt->error . "\n");
    }
}
fclose($fh);
$stmt->close();
$db->close();
?>


Here is the SQL script for the creation of the database

CREATE TABLE `tacacs` (
`date` varchar(12) default NULL,
`time` time default NULL,
`user` varchar(15) default NULL,
`group` varchar(50) default NULL,
`cmd` varchar(250) default NULL,
`priv` int(2) default NULL,
`service` varchar(10) default NULL,
`port` varchar(15) default NULL,
`task` int(8) default NULL,
`ip` varchar(16) default NULL,
`reason` varchar(50) default NULL,
`fqdn` varchar(30) default NULL,
KEY `date` (`date`,`time`,`user`,`group`,`cmd`,`priv`,`service`,`port`,`task`,`ip`,`reason`),
KEY `fqdn` (`fqdn`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
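Here is an added example, not TACACS-Scope's own code, that does the work of the clean script and the import script in one step: it parses the ACS export with a real CSV parser (so a quoted comma or a slash inside a command keeps its column), drops the header row and the same noisy accounts, rewrites the date the way the awk step does, and loads the rows with placeholder inserts. The column order is assumed from the CREATE TABLE above, the header names and the log lines are constructed for illustration, and SQLite stands in for MySQL so it runs offline.

```python
"""Parse a CiscoSecure ACS 'TACACS+ Administration' CSV export and load it
into a tacacs table with parameterised inserts.  Added example, not the
project's code; SQLite stands in for MySQL so it runs offline."""
import csv
import io
import sqlite3

# Column order as in the page's CREATE TABLE (assumed to match the export).
COLUMNS = ("date", "time", "user", "group", "cmd", "priv", "service",
           "port", "task", "ip", "reason", "fqdn")
PRIV, TASK = 5, 8                     # the two integer columns

# Accounts the original clean script filters with grep -v.
NOISY_USERS = {"cfgback", "tripwirebot"}

# Constructed sample export: DOS line endings, a header row, a command with
# a slash, and a quoted command holding a comma and single quotes.
SAMPLE_CSV = (
    "Date,Time,User-Name,Group-Name,cmd,priv-lvl,service,NAS-Portname,"
    "task_id,NAS-IP-Address,reason,fqdn\r\n"
    "01/15/2005,00:03:12,alice,netops,interface GigabitEthernet0/1,15,shell,"
    "tty1,41,10.0.0.1,,rtr1.example.net\r\n"
    "01/15/2005,00:04:40,cfgback,backup,show running-config,15,shell,"
    "tty2,42,10.0.0.1,,rtr1.example.net\r\n"
    "01/15/2005,00:09:03,bob,netops,\"banner motd 'a,b'\",15,shell,"
    "tty3,43,10.0.0.2,,rtr2.example.net\r\n"
)


def to_iso_date(us_date):
    """mm/dd/yyyy (ACS) -> yyyy/mm/dd, as the awk step in the clean script does."""
    month, day, year = us_date.split("/")
    return "%s/%s/%s" % (year, month, day)


def parse_export(text):
    """Return a list of 12-tuples ready for insertion."""
    rows = []
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) < len(COLUMNS) or row[0] == "Date":
            continue                      # blank line or header row
        if row[2] in NOISY_USERS:
            continue                      # same accounts grep -v dropped
        row = [f.strip() for f in row[:len(COLUMNS)]]
        row[0] = to_iso_date(row[0])
        for i in (PRIV, TASK):
            row[i] = int(row[i]) if row[i] else None
        rows.append(tuple(row))
    return rows


def load(conn, rows):
    """Create the table and insert with placeholders, so a quote in a logged
    command is data rather than SQL.  Returns the row count after the load."""
    conn.execute(
        'CREATE TABLE IF NOT EXISTS tacacs (date TEXT, time TEXT, user TEXT, '
        '"group" TEXT, cmd TEXT, priv INTEGER, service TEXT, port TEXT, '
        'task INTEGER, ip TEXT, reason TEXT, fqdn TEXT)')
    conn.executemany(
        "INSERT INTO tacacs VALUES (" + ",".join("?" * len(COLUMNS)) + ")", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM tacacs").fetchone()[0]


def search_cmd(conn, needle):
    """Substring search on commands, as the page's UI offers.  % and _ in the
    needle are escaped so a searcher cannot widen the match with wildcards."""
    esc = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    cur = conn.execute(
        "SELECT user, cmd FROM tacacs WHERE cmd LIKE ? ESCAPE '\\' "
        "ORDER BY date, time", ("%" + esc + "%",))
    return cur.fetchall()


def run_import(text=SAMPLE_CSV):
    """Load one export into an in-memory database; returns (conn, row count)."""
    conn = sqlite3.connect(":memory:")
    count = load(conn, parse_export(text))
    return conn, count


if __name__ == "__main__":
    conn, count = run_import()
    print("loaded", count, "rows")
    for user, cmd in search_cmd(conn, "'a,b'"):
        print(user, cmd)
```

Point it at the MySQL table instead by swapping sqlite3 for a DB-API driver that supports placeholders; the parsing and the query stay the same. Note that the grep-style account filter is applied to the User-Name column only, not to the whole line as the clean script does.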

Online Usage Manual

Change Log

Screenshots

References