[tac_plus] accounting & syslog

Alan McKinnon alan.mckinnon at gmail.com
Mon Feb 17 20:31:03 UTC 2014


On 17/02/2014 10:41, Josten, Michael wrote:
> Hello everyone,
> 
> I went through some posts I found in the mailing list and took a look at the tac_plus.conf manpage.
> Both accounting method and syslog facility are described so far, but what I miss or maybe just haven't found:
> How can I send notifications to a remote syslog-ng host? My guess is, I have to install syslog-ng on both,
> my tacacs+ host & the syslog-ng / logstash stack host. This is not a big deal, I just want to keep my T+ machine
> as clean as possible.


How to configure syslog-ng to do this is a routine and standard action,
clearly answered in the syslog-ng docs available from balabit.com. In
summary, you send your logs to a local syslog-ng which forwards them to
a remote one; you do not configure tac_plus to send logs to a remote
host. All sysloggers do it this way.

Getting tacacs logs into syslog is easy: use the

"logging=<some valid facility>"

directive in tac_plus.conf and configure syslog-ng to deal with that
facility in the desired way.

Accounting logs are trickier. The CHANGES file indicates tac_plus
supports sending these logs direct to syslog, but I never got this to
work properly for me. Maybe I'm doing it wrong but I have to do it the
long way round:

1. accounting logs go to a disk file
2. syslog-ng reads that file, then treats the log like any other log it
receives:


In tac_plus.conf:

# Accounting File
accounting file = /var/log/tacacs/accounting_cisco



From syslog-ng.conf:

# Tacacs accounting logs
# tac_plus accounting logs are read from disk and sent to remote
# syslogger. Sending accounting logs to syslog is somewhat supported
# but we have not tested it fully yet, so still do it the old way:
# The path must be the one set by "accounting file" in tac_plus.conf.
source s_tac_plus_acc {
    file("/var/log/tacacs/accounting_cisco",
         default-facility(local6),
         default-priority(info));
};

# Remote logging
destination remote-logger {
       tcp("xxx.xxx.xxx.xxx" port(514));
};

log { source(s_tac_plus_acc); destination(remote-logger); };



Ensure your logrotator correctly HUPs tac_plus when rotating logs,
otherwise your logging will mysteriously stop.

-- 
Alan McKinnon
alan.mckinnon at gmail.com
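
The file-based setup described in this post forwards accounting records only if the path in the tac_plus.conf "accounting file" directive is the same path a syslog-ng file() driver reads. The shell check below is an added example, not part of the original post; the function names and the sample paths in demo_mismatch are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the accounting file
# tac_plus writes is a file that syslog-ng reads.
# Assumes each file("...") driver has its path on the same line as "file(".

# Print the path from the "accounting file = <path>" line of a tac_plus.conf.
tac_acct_file() {
    sed -n 's/^[[:space:]]*accounting[[:space:]]\{1,\}file[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        tr -d '"' | head -n 1
}

# Print the path of every uncommented file("...") driver in a syslog-ng.conf.
syslog_ng_files() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*file[[:space:]]*([[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_acct_forwarding TAC_CONF SYSLOG_NG_CONF
# Returns 0 on a match, 1 on a mismatch, 2 if no accounting file is set.
check_acct_forwarding() {
    acct=$(tac_acct_file "$1")
    if [ -z "$acct" ]; then
        echo "no 'accounting file' directive in $1" >&2
        return 2
    fi
    if syslog_ng_files "$2" | grep -Fxq -- "$acct"; then
        echo "ok: syslog-ng reads $acct"
        return 0
    fi
    echo "MISMATCH: tac_plus writes $acct but syslog-ng reads:" >&2
    syslog_ng_files "$2" | sed 's/^/  /' >&2
    return 1
}

# Constructed sample configs (not from a real host): the two paths differ.
demo_mismatch() {
    d=$(mktemp -d) || return 3
    printf '%s\n' '# Accounting File' \
        'accounting file = /var/log/tacacs/acct_routers' > "$d/tac_plus.conf"
    printf '%s\n' 'source s_acc {' \
        '    file("/var/log/tacacs/acct", default-facility(local6));' \
        '};' > "$d/syslog-ng.conf"
    rc=0
    check_acct_forwarding "$d/tac_plus.conf" "$d/syslog-ng.conf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_mismatch || :   # prints the MISMATCH report; status 1 is expected here
```

On a real host, call check_acct_forwarding with the paths of the two configuration files. A file() destination with the same path would also count as a match, so read the report rather than relying on the exit status alone.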


