[tac_plus] accounting to syslog. tac_plus F4.0.4.19

Antonio Ojea Garcia antonio.ojea.garcia at gmail.com
Thu Nov 1 09:49:31 UTC 2012


I had this problem with accounting on tacacs using syslog.
I have solved it using logstash to read the file, modify the records and
send them to a central syslog.
However, I'm using Splunk now; it's easy to search and report on events, and
if you don't have so much data (500MB a day) it is free. I replaced
logstash with the Splunk light forwarder, and it reads the logs and sends them to
the central Splunk server.


2012/11/1 Alan McKinnon <alan.mckinnon at gmail.com>

> On Wed, 31 Oct 2012 15:24:35 +0100
> "Gert Elnegaard" <geeln at tdc.dk> wrote:
>
> > Hi,
> >
> > tac_plus version F4.0.4.19
> > so sending accounting to syslog should be supported.
> >
> > running on FreeBSD 8.3-RELEASE-p4
> >
> > having following config:
> >
> > accounting syslog;
> > accounting file = /var/log/tac_plus.acct
> >
> > logging = local6
> >
> > and syslogd.conf
> >
> > local6.*                                        /var/log/tac_plus.log
> >
> >
> > accounting logs go OK to /var/log/tac_plus.acct. We have used that for
> > many years.
> >
> > and I see, for example, following types of messages in
> > /var/log/tac_plus.log:
> >
> > Oct 31 14:15:02 login20 tac_plus[23136]: connect from 62.135.173.4
> > [62.135.173.4]
> >
> > So basic syslog'ing from tac_plus to syslog local6 facility works ok.
> > but I do not get any accounting records in tac_plus.log
> > I would like to see command accounting logs in tac_plus.log, similar
> > to those we see in tac_plus.acct:
> >
> > Wed Oct 31 14:18:55 2012        213.236.195.47  nothowan        ttyp1
> > 195.249.15.10   stop    task_id=1       service=shell
> > elapsed_time=3606       process*mgd[27460]      cmd=logout
> >
> > Do you have any idea what the problem is?
>
> Yes, it essentially does not work.
>
> Tac_plus accounting logs are not really in a syslog format; all the
> syslog headers are not there. Remember that the device sends its
> accounting logs to the server, so to get them into syslog would require
> a lot of stripping out of timestamps and mangling of the log, and
> tac_plus does not know where the headers end. This is against the spirit
> of logging.
>
> Apache has a similar problem: its access and error logs don't go to
> syslog for a good reason; they do not fit into a syslog paradigm.
>
> A few versions ago there was a note in the ChangeLog about a config
> knob that could be tweaked to send accounting to syslog, but like you I
> never got it to work satisfactorily.
>
> What did work eventually was to configure my syslogger to read the
> acct files directly, apply the priority and facility I chose and send
> them on to the central syslogger. They are still mangled with two
> timestamps and two IP fields for each log, but perl can be trained to
> deal with that when reporting. syslog-ng is the only syslogger I tested
> that lets you configure this in a sane, rational way.
>
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
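As an added example (not code from the thread, from tac_plus, or from logstash/syslog-ng), here is the approach both replies describe, written in Python: read tac_plus.acct, parse each accounting record, and re-emit it as an RFC 3164 syslog message using the local6 facility from Gert's config. It assumes the accounting fields are tab-separated as tac_plus writes them, uses `login20` (the hostname in Gert's connect log line) as the tac_plus server name, and the sample records are constructed from the one quoted above plus an invented `start` record and a deliberately malformed line.

```python
"""Re-emit tac_plus accounting records as RFC 3164 syslog messages.

Record layout follows the /var/log/tac_plus.acct line quoted in the thread
(fields assumed tab-separated, as tac_plus writes them):

  <ctime stamp>  <NAS IP>  <user>  <port>  <remote addr>  <start|stop>  <av-pairs...>

Attribute-value pairs use '=' for mandatory and '*' for optional attributes,
which is why the quoted record contains 'process*mgd[27460]'.
"""
import datetime
import re
import socket

LOCAL6 = 22           # facility number for syslog local6 ("logging = local6")
INFO = 6              # severity used for accounting records
AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

# Constructed sample file: first record is the one quoted in the thread, the
# second is an invented 'start' record, the third is deliberately malformed.
SAMPLE_ACCT = (
    "Wed Oct 31 14:18:55 2012\t213.236.195.47\tnothowan\tttyp1\t195.249.15.10\t"
    "stop\ttask_id=1\tservice=shell\telapsed_time=3606\tprocess*mgd[27460]\tcmd=logout\n"
    "Wed Oct 31 14:19:02 2012\t213.236.195.47\tnothowan\tttyp1\t195.249.15.10\t"
    "start\ttask_id=2\tservice=shell\tcmd=show configuration\n"
    "this line is not an accounting record\n"
)


def parse_acct_record(line):
    """Split one accounting line into a dict; raise ValueError if malformed."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 6:
        raise ValueError("short accounting record: %r" % line)
    when = datetime.datetime.strptime(fields[0], "%a %b %d %H:%M:%S %Y")
    attrs, optional = {}, set()
    for av in fields[6:]:
        m = AV_RE.match(av)
        if not m:
            raise ValueError("bad attribute-value pair: %r" % av)
        name, sep, value = m.groups()
        attrs[name] = value
        if sep == "*":
            optional.add(name)
    return {
        "time": when,
        "nas": fields[1],        # device that sent the accounting packet
        "user": fields[2],
        "port": fields[3],
        "rem_addr": fields[4],   # address the user connected from
        "flag": fields[5],       # start / stop / watchdog
        "attrs": attrs,
        "optional": optional,
    }


def _clean(value):
    """Replace control characters so a crafted cmd= cannot forge a new syslog line."""
    return "".join(ch if (ord(ch) >= 32 and ord(ch) != 127) else "?" for ch in value)


def _av(name, value, optional=False):
    """Render name=value (or name*value), quoting values that contain spaces."""
    value = _clean(value)
    if " " in value:
        value = '"%s"' % value.replace('"', '\\"')
    return "%s%s%s" % (name, "*" if optional else "=", value)


def to_syslog(rec, hostname, facility=LOCAL6, severity=INFO, tag="tac_plus.acct"):
    """Build '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG'.

    HOSTNAME is the tac_plus server (the syslog origin); the NAS address and
    the record's own timestamp stay in the body, so nothing is dropped.
    """
    pri = facility * 8 + severity
    t = rec["time"]
    stamp = "%s %2d %s" % (t.strftime("%b"), t.day, t.strftime("%H:%M:%S"))
    body = [_av("nas", rec["nas"]), _av("user", rec["user"]), _av("port", rec["port"]),
            _av("rem_addr", rec["rem_addr"]), _av("flag", rec["flag"])]
    body += [_av(n, v, n in rec["optional"]) for n, v in rec["attrs"].items()]
    return "<%d>%s %s %s: %s" % (pri, stamp, _clean(hostname), tag, " ".join(body))


def acct_to_syslog(text, hostname):
    """Convert every record in an accounting file; return (messages, skipped_count)."""
    messages, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            messages.append(to_syslog(parse_acct_record(line), hostname))
        except ValueError:
            skipped += 1     # a real forwarder should log the rejected line
    return messages, skipped


def send_udp(messages, server, port=514):
    """Ship messages to a syslog collector, one UDP datagram each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for m in messages:
            s.sendto(m.encode("utf-8"), (server, port))


if __name__ == "__main__":
    msgs, skipped = acct_to_syslog(SAMPLE_ACCT, "login20")
    for m in msgs:
        print(m)
    print("skipped malformed records:", skipped)
    # send_udp(msgs, "central-syslog.example.net")  # hypothetical collector; enable to forward
```

The first sample record becomes `<182>Oct 31 14:18:55 login20 tac_plus.acct: nas=213.236.195.47 user=nothowan port=ttyp1 rem_addr=195.249.15.10 flag=stop task_id=1 service=shell elapsed_time=3606 process*mgd[27460] cmd=logout` (PRI 182 = local6 * 8 + info). The "two timestamps and two IP fields" Alan mentions are kept deliberately: the syslog header says when and where the record was forwarded, while the body keeps the device's own view. Control characters in user-controlled fields such as `cmd=` are replaced before the message is built, since a newline in a command string would otherwise let a user inject a fake record into the central log.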