[tac_plus] Mailing list and Syslog question

Root, Paul Paul.Root at qwest.com
Thu May 5 22:51:10 UTC 2011



Paul Root
Lead Internet Systems Eng
CenturyLink


> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-
> bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Thursday, May 05, 2011 3:36 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Mailing list and Syslog question
>
> Apparently, though unproven, at 19:29 on Thursday 05 May 2011, Paul Root did
> opine thusly:
>
> > Is there a mailing list to join for this?

I was on the web site. I thought this was just a developer.



> Yes, it's the address you used. That I replied is proof it works ;-)
>
> > Also, we are trying to get accounting to go to syslog. But it persists in
> > sending to the file.
> >
> > How is syslog enabled for accounting?
>
> I also tried to get this to work, and failed. The CHANGES file contains this:
>
> F4.0.4.16
>         - Add 'accounting syslog;' configuration knob - mostly from Mark
>           Ellzey Thomas
>
> So there is some level of support. I could not find out how to set the
> facility and priority, so I just let tac_plus write to the file (I wanted a
> local copy anyway) and configured syslog-ng to read it and send the logs onto

I assumed the facility would be the same as the auth logging. The man page said what the priority was, don't remember it right now.

Glad to know that it's not just me.



> my syslogger:
>
> # Tacacs accounting logs
> source s_tac_plus_acc {
>     file("/var/log/tacacs/accounting",
>          default-facility(local6),
>          default-priority(info));
> };
> # Remote logging to syslogger
> destination syslogger {
>        tcp("xxx.xxx.xxx.xxx" port(514));
> };
> log { source(s_tac_plus_acc); destination(syslogger); };
>
> Not the most elegant solution, it does require you to keep your wits about you
> if you change log filenames, but it does work. It's for syslog-ng, AFAIR
> syslogd can be brutally assaulted into doing much the same,

I don't have -ng on this machine; I want to send it to a remote -ng machine for Splunk to pick up.


>
> > Lastly, is there a way to disable an account after X number of failed
> > attempts?
>
> Not inside the conf file to the best of my knowledge. You'll have to write an
> external auth script that stores expiry and failed attempts info to do this.
> Check the section "USING PROGRAMS TO DO AUTHORIZATION" in the manual bundled
> with the sources.

My router person found the patch that gives it in the config file. I may try this way though too, if it gives us more flexibility.



> Daniel Schmidt posted links to this very topic just yesterday so I'll assume
> you've only just registered and missed it (unlucky you!). Here's the relevant
> text reposted:

Yep, just today.


> http://tacacs.org/
>
> and this:
> python do_auth.py | less
>
> or maybe this:
> http://www.shrubbery.net/pipermail/tac_plus/2011-March/000879.html
>
> or this:
> http://manpages.ubuntu.com/manpages/maverick/man8/do_auth.8.html
>
> --
> alan dot mckinnon at gmail dot com


Thanks,

Paul.
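The thread's answer to "disable an account after X failed attempts" is an external script that keeps its own record of failures and expiry, since tac_plus's config file has no such knob. The following is an added example of that bookkeeping, not code from the thread, from tac_plus or from do_auth.py: a small Python module that stores per-user failure timestamps in a JSON file, locks the user after MAX_FAILURES failures inside WINDOW_SECONDS, and releases the lock after LOCKOUT_SECONDS. The thresholds, the state file path and the `decide()` entry point are all assumptions; how tac_plus hands the username and the backend's password verdict to such a program is not shown here and would follow the "USING PROGRAMS TO DO AUTHORIZATION" section of the manual.

```python
"""Failed-login lockout tracker (added example, not tac_plus or do_auth.py code).

Per-user failure timestamps live in a small JSON state file so that every
invocation of the external script sees the history left by earlier ones.
The thresholds and the decide() interface are assumptions for illustration.
"""
import json
import os
import tempfile
import time
from typing import Callable, Dict, List

MAX_FAILURES = 5           # lock after this many failures inside WINDOW_SECONDS
WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
LOCKOUT_SECONDS = 30 * 60  # how long a locked account stays locked


class LockoutTracker:
    def __init__(self, state_path: str, now: Callable[[], float] = time.time):
        self.state_path = state_path
        self.now = now                 # injectable clock, so the logic is testable
        self.state: Dict[str, dict] = self._load()

    def _load(self) -> Dict[str, dict]:
        try:
            with open(self.state_path) as fh:
                return json.load(fh)
        except (FileNotFoundError, json.JSONDecodeError):
            return {}

    def _save(self) -> None:
        # Write to a temp file and rename, so a crash mid-write cannot leave a
        # truncated store that would silently forget every lockout.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.state, fh)
        os.replace(tmp, self.state_path)

    def _entry(self, user: str) -> dict:
        return self.state.setdefault(user, {"failures": [], "locked_until": 0.0})

    def is_locked(self, user: str) -> bool:
        return self._entry(user)["locked_until"] > self.now()

    def record_failure(self, user: str) -> bool:
        """Record one failed attempt; return True if the user is now locked."""
        t = self.now()
        e = self._entry(user)
        # Drop failures that fell out of the sliding window before counting.
        e["failures"] = [f for f in e["failures"] if t - f < WINDOW_SECONDS]
        e["failures"].append(t)
        if len(e["failures"]) >= MAX_FAILURES:
            e["locked_until"] = t + LOCKOUT_SECONDS
            e["failures"] = []
        self._save()
        return e["locked_until"] > t

    def record_success(self, user: str) -> None:
        """A successful login outside a lockout resets the failure history."""
        self._entry(user)["failures"] = []
        self._save()

    def decide(self, user: str, password_ok: bool) -> str:
        """Combine lockout state with the backend's password verdict.

        Returns 'locked' (reject even if the password was right), 'deny'
        (wrong password, not yet locked) or 'allow'.
        """
        if self.is_locked(user):
            return "locked"
        if not password_ok:
            return "locked" if self.record_failure(user) else "deny"
        self.record_success(user)
        return "allow"


def demo() -> List[str]:
    """Constructed scenario: five wrong passwords, a correct one while locked,
    then a correct one after the lockout has expired."""
    clock = [1_000_000.0]
    path = os.path.join(tempfile.mkdtemp(), "lockout.json")   # constructed path
    tracker = LockoutTracker(path, now=lambda: clock[0])
    results = []
    for _ in range(5):
        results.append(tracker.decide("alice", password_ok=False))
        clock[0] += 10
    results.append(tracker.decide("alice", password_ok=True))   # still locked
    clock[0] += LOCKOUT_SECONDS + 1
    # A fresh instance reading the same file must see the persisted state.
    reloaded = LockoutTracker(path, now=lambda: clock[0])
    results.append(reloaded.decide("alice", password_ok=True))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

The sliding window matters: counting all failures since the beginning of time would eventually lock every account that has ever had a typo, while a window plus a timed lockout slows guessing without leaving accounts permanently disabled. Whatever calls `decide()` should log the `locked` verdicts, since a burst of them across many users is exactly the kind of accounting event worth forwarding to the remote syslog/Splunk pipeline discussed earlier in the thread.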



