[tac_plus] accounting to syslog. tac_plus F4.0.4.19

Alan McKinnon alan.mckinnon at gmail.com
Thu Nov 1 00:19:20 UTC 2012


On Wed, 31 Oct 2012 15:24:35 +0100
"Gert Elnegaard" <geeln at tdc.dk> wrote:

> Hi,
> 
> tac_plus version F4.0.4.19
> so sending accounting to syslog should be supported.
> 
> running on FreeBSD 8.3-RELEASE-p4
> 
> having following config:
> 
> accounting syslog;
> accounting file = /var/log/tac_plus.acct
> 
> logging = local6
> 
> and syslogd.conf
> 
> local6.*                                        /var/log/tac_plus.log
> 
> 
> accounting logs go OK to /var/log/tac_plus.acct. We have used that for
> many years.
> 
> and I see, for example, following types of messages in
> /var/log/tac_plus.log:
> 
> Oct 31 14:15:02 login20 tac_plus[23136]: connect from 62.135.173.4
> [62.135.173.4]
> 
> So basic syslog'ing from tac_plus to syslog local6 facility works ok.
> but I do not get any accounting records in tac_plus.log
> I would like to see command accounting logs in tac_plus.log, similar
> to those we see in tac_plus.acct:
> 
> Wed Oct 31 14:18:55 2012        213.236.195.47  nothowan        ttyp1
> 195.249.15.10   stop    task_id=1       service=shell
> elapsed_time=3606       process*mgd[27460]      cmd=logout
> 
> Do you have any idea what the problem is?

Yes, it essentially does not work.

Tac_plus accounting logs are not really in a syslog format, all the
syslog headers are not there. Remember that the device sends its
accounting logs to the server so to get them into syslog would require
a lot of stripping out of timestamps and mangling of the log, and
tac_plus does not know where the headers end. This is against the spirit
of logging.

Apache has a similar problem - its access and error logs don't go to
syslog for a good reason - they do not fit into a syslog paradigm.

A few versions ago there was a note in the ChangeLog about a config
knob that could be tweaked to send accounting to syslog, but like you I
never got it to work satisfactorily.

What did work eventually was to configure my syslogger to read the
acct files directly, apply the priority and facility I chose and send
them on to the central syslogger. They are still mangled with two
timestamps and two IP fields for each log but perl can be trained to
deal with that when reporting. syslog-ng is the only syslogger I tested
that lets you configure this in a sane rational way.



-- 
Alan McKinnon
alan.mckinnon at gmail.com
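
Added example, not part of the original post or of tac_plus: a Python parser for an accounting line after a syslogger has relayed it, separating the outer syslog timestamp and host from the inner tac_plus timestamp and NAS address. The field names, the "tac_acct" tag, the relay timestamp and the tab-separated layout are assumptions; the record itself is the one quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample: the accounting record quoted in the thread, as it might
# look after a syslogger has read the acct file and prepended its own header.
# The relay time, the "tac_acct" tag and the tab separators are assumptions.
SAMPLE = ("Oct 31 14:18:56 login20 tac_acct: "
          "Wed Oct 31 14:18:55 2012\t213.236.195.47\tnothowan\tttyp1\t"
          "195.249.15.10\tstop\ttask_id=1\tservice=shell\t"
          "elapsed_time=3606\tprocess*mgd[27460]\tcmd=logout")

# Outer BSD-style syslog header: "Mon dd hh:mm:ss host tag: "
SYSLOG_HDR = re.compile(r"^(?P<relay_time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                        r"(?P<relay_host>\S+) (?P<tag>[^:]+): (?P<body>.*)$")
# Names chosen here for the fixed fields that follow the inner timestamp.
FIXED = ("nas", "user", "port", "rem_addr", "record_type")

def parse_relayed_acct(line):
    """Split a relayed accounting line into outer header, inner record, AV pairs."""
    m = SYSLOG_HDR.match(line.rstrip("\n"))
    if not m:
        raise ValueError("no syslog header found")
    fields = m.group("body").split("\t")
    if len(fields) < 1 + len(FIXED):
        raise ValueError("accounting record is truncated")
    rec = {"relay_time": m.group("relay_time"),
           "relay_host": m.group("relay_host")}
    # The inner timestamp is the one written to the acct file; it has the year.
    rec["event_time"] = datetime.strptime(fields[0], "%a %b %d %H:%M:%S %Y")
    rec.update(zip(FIXED, fields[1:6]))
    avs = {}
    for av in fields[6:]:
        # TACACS+ AV pairs use '=' (mandatory) or '*' (optional) as separator.
        sep = re.search(r"[=*]", av)
        if sep:
            avs[av[:sep.start()]] = av[sep.end():]
        else:
            avs[av] = ""
    rec["av"] = avs
    return rec

if __name__ == "__main__":
    r = parse_relayed_acct(SAMPLE)
    print(r["event_time"].isoformat(), r["nas"], r["user"], r["av"].get("cmd"))
```

For reporting, key on `event_time` and `nas` rather than the relay header, since the outer fields only record when and where the line was forwarded.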


