[tac_plus] Full AAA logging / supported configuration
Sean
spedersen.lists at gmail.com
Mon Sep 12 14:16:45 UTC 2016
I'm on F4.0.4.26.
I've seen a few examples of logging AAA with tac_plus. The most documented is the "accounting" option.
accounting syslog;
-or-
accounting file = /var/log/tac_plus.acct
This works fine. I have it set up, logging correctly, logrotate running, etc. It’s also documented just about everywhere I’ve seen, but seems like it’s the only official means to log something.
I'd like to log authentication and authorization as well, if possible. I've come across reference to the following configuration:
accounting log = /var/log/tac_plus/accounting.log
authentication log = /var/log/tac_plus/authentication.log
authorization log = /var/log/tac_plus/authorization.log
This seems to be either a) outdated or b) poorly referenced as it doesn't work globally. A reference configuration I have from a version so old it's expressed in a date format (201211021744) places it within an "id" container.
id = tac_plus {
    accounting log = /var/log/tac_plus/accounting.log
    authentication log = /var/log/tac_plus/authentication.log
    authorization log = /var/log/tac_plus/authorization.log
}
I haven't tried this in v4 yet since I can't find (presumably) current reference for it, but it’s working in the older version.
I've also found reference to setting the appropriate -d flags when running tac_plus and getting this information as more of a "happy accident" (their words) in that the debugged info will hit the syslog daemon and be shuffled to the appropriate log files vs. a means configured specifically in the tac_plus config file.
What’s the most appropriate / supported way to log this information, if any?
Thanks!