How-To Guides
...
Log Formats

TACACS Log

2 min

This section contains the Kron PAM TACACS Accounting logs. Commands executed in the session are stored in the database and sent to the Syslog server if they are defined. The packets are sent to the server in the following format:

userName

The username that executed the command

userId

Specific ID of the user in the PAM Database

nasIpAddress

The IP address of the target device

nasHostName

The IP hostname of the target device

tenantId

Tenant that the event was created

nasPortType

Port of the target device

callingStationId

Source IP of the device that executed the command

privelegeLevel

Allowed privileged level

command

What command was executed

allowed

If the executed command is allowed by the administrator or not

If allowed=true: authorized, the command can be executed

If allowed=false: unauthorized, the command can’t be executed

commandTime

Exact time the command was executed

instanceName

The instance to which the executed command is sent for accounting

deviceGroups

The Group name of the target device

Example:

The show clock command was executed on TACACS, and is configured as Black Key on Kron PAM:

{userName='tacacsuser', userId='b8bcf3e4-b4ba-456b-8dbe-c604f65cc6c8', nasIpAddress='10.10.10.10', nasHostName='10.10.10.10', tenantId='krontech', nasPortType='tty3', callingStationId='10.0.1.11', privilegeLevel='1', command='show clock', allowed=false, commandTime=2025-04-21 16:15:24.0, instanceName='localhost.localdomain', deviceGroups='Cisco Tacacs Device'}

The show running-config command was executed on TACACS, and is configured as Black Key on Kron PAM:

{userName='tacacsuser', userId='b8bcf3e4-b4ba-456b-8dbe-c604f65cc6c8', nasIpAddress='10.10.10.10', nasHostName='10.10.10.10', tenantId='krontech', nasPortType='tty3', callingStationId='10.0.1.11', privilegeLevel='15', command='show running-config <cr>', allowed=true, commandTime=2025-04-21 16:15:24.0, instanceName='localhost.localdomain', deviceGroups='Cisco Tacacs Device'}

ο»Ώ