F5 LTM - How to enable TACACS+ Accounting

TACACS+ accounting was first supported in BIG-IP version 10.2.0. This article shows the commands required to enable this feature.


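First, enable accounting within your authentication settings (in the GUI under 'System / Users / Authentication'). Then enter the following commands at the tmsh prompt, replacing the example shared secret abc123 with the secret configured on your TACACS+ server.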

modify sys db config.auditing.forward.destination value <TACACS+ server IP address>
modify sys db config.auditing.forward.sharedsecret value abc123
modify sys db config.auditing.forward.type value tacacs+
modify sys db config.auditing value info  <-- logs CLI changes
modify sys db log.mcpd.level value info   <-- logs GUI changes
save /sys config


Below is a sample of the accounting output (taken from the TACACS+ server).

root@ubuntu-13:~# tail -f /var/log/tac_plus.acct
Jul 26 15:47:01   user1   unknown unknown update  service=system  protocol=ip     task_id=41      start_time=1374853572   event=cmd_acct  rea 0 - obj_delete { monitor { monitor_name "MON-HTTP-SALT" monitor_owner 1 } } [Status=Command OK]
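
As an added example (not part of the original article), the Python code below parses accounting records in the layout of the sample line above and lists successful object deletions for review. The field order (timestamp, then user name) is an assumption taken from that one sample, and the second and third input lines are constructed.

```python
import re

# Constructed input: line 1 is the record shown in the article; line 2 is a
# made-up record in the same layout; line 3 is unrelated noise.
SAMPLE_LOG = '''\
Jul 26 15:47:01   user1   unknown unknown update  service=system  protocol=ip     task_id=41      start_time=1374853572   event=cmd_acct  rea 0 - obj_delete { monitor { monitor_name "MON-HTTP-SALT" monitor_owner 1 } } [Status=Command OK]
Jul 26 15:52:30   user2   unknown unknown update  service=system  protocol=ip     task_id=42      start_time=1374853950   event=cmd_acct  rea 0 - obj_create { pool { pool_name "POOL-WEB" } } [Status=Command OK]
-- log rotated --
'''

# Assumption from the sample: syslog-style timestamp, then the user name.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+(?P<rest>.*)$')
ATTR_RE = re.compile(r'\b(\w+)=(\S+)')               # task_id=41, event=cmd_acct
ACTION_RE = re.compile(r'\bobj_(\w+)\s*\{\s*(\w+)')  # obj_delete { monitor
STATUS_RE = re.compile(r'\[Status=([^\]]+)\]')       # [Status=Command OK]


def parse_record(line):
    """Parse one accounting line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    # Read key=value pairs only ahead of the audit message body, so text
    # inside the braces cannot masquerade as an attribute.
    attrs = dict(ATTR_RE.findall(rest.split('{', 1)[0]))
    action = ACTION_RE.search(rest)
    status = STATUS_RE.search(rest)
    return {
        'timestamp': m.group('ts'),
        'user': m.group('user'),
        'event': attrs.get('event'),
        'task_id': attrs.get('task_id'),
        'action': action.group(1) if action else None,
        'object_type': action.group(2) if action else None,
        'status': status.group(1) if status else None,
    }


def flag_deletes(log_text):
    """Return (timestamp, user, object_type) for each successful delete."""
    records = filter(None, map(parse_record, log_text.splitlines()))
    return [(r['timestamp'], r['user'], r['object_type']) for r in records
            if r['action'] == 'delete' and r['status'] == 'Command OK']
```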


Below are the references used to build the configuration within this article.

v.10 - Remote Authorization via TACACS+
Configuring remote RADIUS or TACACS+ accounting
Logging BIG-IP System Events



About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001