[tac_plus] Re: accounting + syslog

Mark Ellzey Thomas mark.thomas at corp.aol.com
Tue Jun 24 14:19:43 UTC 2008 

On Mon, Jun 23, 2008 at 11:50:18PM -0700, john heasley wrote:
> Mon, Jun 23, 2008 at 06:52:50PM -0400, Mark Ellzey Thomas:
> > On Mon, Jun 23, 2008 at 03:26:50PM -0700, john heasley wrote:
> > > Tue, Jun 10, 2008 at 10:59:03AM -0400, Mark Ellzey Thomas:
> > > > Index: acct.c
> > > > ===================================================================
> > > > RCS file: /cvs/netsec-dev/tacacs/acct.c,v
> > > > retrieving revision 1.3
> > > > retrieving revision 1.4
> > > > diff -u -r1.3 -r1.4
> > > > --- acct.c	4 Jun 2008 14:49:54 -0000	1.3
> > > > +++ acct.c	9 Jun 2008 14:53:37 -0000	1.4
> > > > @@ -1,5 +1,5 @@
> > > >  /*
> > > > - * $Id: acct.c,v 1.3 2008/06/04 14:49:54 jathan Exp $
> > > > + * $Id: acct.c,v 1.4 2008/06/09 14:53:37 mthomas Exp $
> > > >   *
> > > >   * Copyright (c) 1995-1998 by Cisco systems, Inc.
> > > >   *
> > > > @@ -145,7 +145,11 @@
> > > >      if (wtmpfile) {
> > > >  	errors = do_wtmp(&rec);
> > > >      } else {
> > > > -	errors = do_acct(&rec);
> > > > +	if (session.acctfile != NULL)
> > > > +	    errors = do_acct(&rec);
> > > > +	if (session.acct_syslog)
> > > > +	    errors = do_syslog_acct(&rec);
> > > > +
> > > 
> > > Doesn't that change the accounting default?  While this would preserve it:
> > > 
> > 
> > The idea was to give the administrator the ability to log to both syslog
> > and a local file (or one or the other), if they wanted to. 
> 
> Why would I want two copies of the same data?  Syslog of accounting data
> is dubious, given that syslogds usually filter duplicates.

One of the main reasons I wanted to keep both options available was
to have a frequently rotated local log just in case something does go
wonky with the syslog daemon itself. Our configuration may be a little
different in that our syslog does not write local copies of the accounting 
data, it just sends remote.  

Though the decision is completely up to the maintainers. I did not know
if you would like to be in the business of having one configuration
option negate the other. 

Lastly, prior to this patch if no acct log file was specified it would use 
the default (TACPLUS_ACCTFILE). We could still maintain this functionality 
by doing something like:

if (!session.acct_syslog && !session.acctfile)
	session.acctfile = tac_strdup(TACPLUS_ACCTFILE);

More information about the tac_plus mailing list