Tacacs+ Accounting record parser

I wrote a simple accounting record parser for the Cisco freeware v2.1 server, and gave it a reasonable set of options. It can scan through logs in a directory for a particular time slice you're interested in. It can search for only a particular user, etc.

Usage:


Usage: accheck 
Options:
        -file   explicitly scan this file.
        -usage            prints this message
        -netid=    only print records for this netid
        -ip=      only prints when the user was assigned this
                  ip address
        -server=<server>  only print records on a particular term
                          server
        -tty=<tty>        only print records for a particular tty
                          (ignored unless server is set.)
        -printall         show values for records we don't handle yet
        -nowarn           silently ignore options we don't handle
        -start mm/dd/yy   start time/date
        -end   mm/dd/yy   end time/date

No options at all will just scan yesterday's info.

An example output from the program:


Session 3
Netid: myuser
Location: server tty8
Caller ID: 2175552985
Session start: Tue Sep 15 23:50:45 CDT 1998
Session end: Tue Sep 15 23:50:47 CDT 1998
Session length: 2
Service: ppp
IP Address: 130.126.25.172
Bytes in: 281
Bytes out: 194
Packets in: 7
Packets out: 7

Session 4
Netid: seconduser
Location: server tty8
Caller ID: 2175553985
Session start: Tue Sep 15 23:50:47 CDT 1998
Session end: Tue Sep 15 23:52:44 CDT 1998
Session length: 117
Service: ppp
IP Address: 130.126.25.172
Bytes in: 1770
Bytes out: 534
Packets in: 37
Packets out: 24

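An added example (not part of accheck or of the original page): a Python sketch that parses output in the format of the sample above and answers which netid held a given IP address at a given time, the question the -ip option exists for. The function names are hypothetical, the field labels are assumed to be exactly those in the sample, and timestamps are treated as naive server-local times.

```python
import re
from datetime import datetime

# Field labels as they appear in the sample output on this page (assumed complete).
FIELDS = ("Netid|Location|Caller ID|Session start|Session end|Session length|"
          "Service|IP Address|Bytes in|Bytes out|Packets in|Packets out")
LABEL = re.compile(r"(%s):\s*" % FIELDS)

# The two sample records from this page, in flattened (single-line) form.
SAMPLE = (
    "Session 3 Netid: myuser Location: server tty8 Caller ID: 2175552985 "
    "Session start: Tue Sep 15 23:50:45 CDT 1998 "
    "Session end: Tue Sep 15 23:50:47 CDT 1998 Session length: 2 "
    "Service: ppp IP Address: 130.126.25.172 Bytes in: 281 Bytes out: 194 "
    "Packets in: 7 Packets out: 7 "
    "Session 4 Netid: seconduser Location: server tty8 Caller ID: 2175553985 "
    "Session start: Tue Sep 15 23:50:47 CDT 1998 "
    "Session end: Tue Sep 15 23:52:44 CDT 1998 Session length: 117 "
    "Service: ppp IP Address: 130.126.25.172 Bytes in: 1770 Bytes out: 534 "
    "Packets in: 37 Packets out: 24"
)

def parse_time(text):
    # Drop the zone token ("CDT"): strptime's %Z only accepts the local
    # machine's zone names, so times stay naive server-local (assumption).
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_sessions(text):
    """One dict per 'Session N' record; accepts flattened or per-line output."""
    chunks = re.split(r"\bSession (\d+)\s+(?=Netid:)", text)
    sessions = []
    for num, body in zip(chunks[1::2], chunks[2::2]):
        parts = LABEL.split(body)          # [junk, label, value, label, ...]
        rec = dict(zip(parts[1::2], (v.strip() for v in parts[2::2])))
        if "Session start" not in rec or "Session end" not in rec:
            continue                       # incomplete record: cannot place in time
        rec["Session"] = int(num)
        rec["start"] = parse_time(rec["Session start"])
        rec["end"] = parse_time(rec["Session end"])
        sessions.append(rec)
    return sessions

def who_had_ip(sessions, ip, when):
    """Netids holding `ip` at `when`; bounds are inclusive on both ends."""
    return [s["Netid"] for s in sessions
            if s.get("IP Address") == ip and s["start"] <= when <= s["end"]]
```

In the sample, the address passes from myuser to seconduser within the same second, so a lookup at exactly 23:50:47 returns both netids; one-second log resolution cannot separate them, and both should be treated as candidates.
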
So, how does this work?
  1. First, you need to designate a directory where all the accounting records will live. We rotate the files nightly, gzip them, and call them ACCOUNTING.Mon.XX.gz. Mon is the standard Unix three-letter abbreviation for the month, and XX is the day of the month.
  2. Configure buildindex to run each night to look at all the files in the directory, and keep a .index file up to date with the information needed for accheck to examine by time/date.
  3. Edit both buildindex.pl and accheck to point to the correct directories.
The files you need are:

With luck, this should work for you as well as it works for us. Don't forget to change the stuff in both files, sandwiched in a "Site customization" banner.
Mark Notarus
Last modified: Thu Sep 17 11:47:22 CDT 1998