[tac_plus] Full AAA logging / supported configuration

heasley heas at shrubbery.net
Mon Sep 12 19:42:59 UTC 2016


Mon, Sep 12, 2016 at 07:16:45AM -0700, Sean:
> I'd like to log authentication and authorization as well, if possible. I've come across reference to the following configuration:
> 
> accounting log = /var/log/tac_plus/accounting.log
> 
> authentication log = /var/log/tac_plus/authentication.log
> 
> authorization log = /var/log/tac_plus/authorization.log
> 
> This seems to be either a) outdated or b) poorly referenced as it doesn't work globally. A reference configuration I have from a version so old it's expressed in a date format (201211021744) places it within an "id" container.
> 
> 
> id = tac_plus {
> 
>  accounting log = /var/log/tac_plus/accounting.log
> 
>  authentication log = /var/log/tac_plus/authentication.log
> 
>  authorization log = /var/log/tac_plus/authorization.log
> 
> }

This must be another tacacs daemon.  This implementation has never had an
id clause that I am aware of.

> I haven't tried this in v4 yet since I can't find (presumably) current reference for it, but it’s working in the older version.
> 
> I've also found reference to setting the appropriate -d flags when running tac_plus and getting this information as more of a "happy accident" (their words) in that the debugged info will hit the syslog daemon and be shuffled to the appropriate log files vs. a means configured specifically in the tac_plus config file.
> 
> What’s the most appropriate / supported way to log this information, if any?

logging = syslog facility

There used to be a logfile option, but it degraded performance for multiple
daemons competing for one file.  So, it is syslog only now.  Some syslog
daemons allow the matching of messages to determine the logging location (or
other actions).
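
As an added illustration of the reply above (not part of the original message and not taken from the tac_plus distribution): a `logging` line selecting a syslog facility, followed by an rsyslog rule set that routes that facility to dedicated files by matching message content. The facility `local6`, the program name `tac_plus`, the file names and paths, and the match string are assumptions.

```conf
# --- tac_plus.conf (the facility local6 is an assumed choice) ---
logging = local6

# --- /etc/rsyslog.d/30-tac_plus.conf (hypothetical file name) ---
# Handle only messages on the facility tac_plus was told to use.
# The program name 'tac_plus' is an assumption; check a real log line.
if ($syslogfacility-text == 'local6' and $programname == 'tac_plus') then {
    # Content match: replace the placeholder with a string taken from
    # messages your daemon actually emits for authentication events.
    if ($msg contains 'PLACEHOLDER-AUTHEN-STRING') then {
        action(type="omfile" file="/var/log/tac_plus/authentication.log"
               fileCreateMode="0640")
    } else {
        # Everything else from the daemon lands in one catch-all file.
        action(type="omfile" file="/var/log/tac_plus/tac_plus.log"
               fileCreateMode="0640")
    }
    # Keep these messages out of the general system logs.
    stop
}
```

`rsyslogd -N1` checks the rule set for syntax errors before the daemon is restarted.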


