haussli / draft-dahm-opsawg-tacacs-security

IETF draft for new tacacs+ security features

Are netconf or ssh subsystem accounting event types needed? #18

Closed haussli closed 3 years ago

haussli commented 3 years ago

Should there be netconf_acct or ssh_subsystem_acct accounting "event" types? Or ssh subsystem name with "_acct" postfix?

haussli commented 3 years ago

The current text in S8.3 of 8907 is:

event (String)

Used only when "service=system". Current values are "net_acct", "cmd_acct", "conn_acct", "shell_acct", "sys_acct", and "clock_change". These indicate system-level changes. The flags field SHOULD indicate whether the service started or stopped.

and 8.2:

service (String)

The primary service. Specifying a service argument indicates that this is a request for authorization or accounting of that service. For example: "shell", "tty-server", "connection", "system" and "firewall"; others may be chosen for the required application. This argument MUST always be included.


What does "system" mean, Douglas?

I think these things are poorly defined. For example, isn't service=system, event=cmd_acct equivalent to service=shell?

dcmgashcisco commented 3 years ago

Pretty much the only type of authorization and accounting we use these days is service=shell with empty cmd= for the session, and cmd= for command.

haussli commented 3 years ago

We should add a way to communicate the ssh subsystem to accounting.
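
To make the arguments discussed in this thread concrete, here is an added example (not part of the issue or the draft) that decodes a cleartext RFC 8907 section 7.1 accounting REQUEST body and labels each record by its "service", "event" and "cmd" arguments, following the session/command usage described in the comment above. The helper names, user, port, address and task_id values are constructed for illustration, and the body is assumed to be already de-obfuscated.

```python
FLAGS = {0x02: "START", 0x04: "STOP", 0x08: "WATCHDOG"}  # RFC 8907 section 7.1

def build_body(flags, user, port, rem_addr, args):
    """Encode a cleartext accounting REQUEST body (used here for sample data)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    enc = [a.encode() for a in args]
    # authen_method=0x06, priv_lvl=1, authen_type=0x01, authen_service=0x01: sample values
    head = bytes([flags, 0x06, 1, 0x01, 0x01, len(u), len(p), len(r), len(enc)])
    return head + bytes(len(a) for a in enc) + u + p + r + b"".join(enc)

def parse_body(body):
    """Return (flag names, user, [(name, mandatory, value), ...])."""
    if len(body) < 9:
        raise ValueError("truncated fixed header")
    flags, user_len, port_len, rem_len, arg_cnt = body[0], *body[5:9]
    arg_lens = body[9:9 + arg_cnt]
    pos = 9 + arg_cnt
    if len(arg_lens) != arg_cnt or len(body) != pos + user_len + port_len + rem_len + sum(arg_lens):
        raise ValueError("length fields do not match body size")
    user = body[pos:pos + user_len].decode()
    pos += user_len + port_len + rem_len
    args = []
    for n in arg_lens:
        raw = body[pos:pos + n].decode()
        pos += n
        # First '=' (mandatory) or '*' (optional) splits name from value.
        idx = min((i for i in (raw.find("="), raw.find("*")) if i > 0), default=-1)
        if idx < 0:
            raise ValueError(f"argument without separator: {raw!r}")
        args.append((raw[:idx], raw[idx] == "=", raw[idx + 1:]))
    return [name for bit, name in FLAGS.items() if flags & bit], user, args

def describe(args):
    """Label a record from the service, event and cmd arguments only."""
    kv = {name: value for name, _, value in args}
    if kv.get("service") == "system":
        return "system event " + kv.get("event", "(none)")
    if kv.get("service") == "shell":
        return "shell command" if kv.get("cmd") else "shell session"
    return "service " + kv.get("service", "(missing)")

SAMPLES = [  # constructed records, not captured traffic
    build_body(0x02, "alice", "tty1", "192.0.2.10", ["task_id=17", "service=shell", "cmd="]),
    build_body(0x04, "alice", "tty1", "192.0.2.10", ["task_id=18", "service=shell", "cmd=show", "cmd-arg=version"]),
    build_body(0x02, "", "", "", ["task_id=1", "service=system", "event=sys_acct"]),
]

if __name__ == "__main__":
    for body in SAMPLES:
        flags, user, args = parse_body(body)
        print(flags, user or "-", describe(args))
```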