[tac_plus] Full AAA logging / supported configuration
Sean
spedersen.lists at gmail.com
Mon Sep 12 20:09:57 UTC 2016
It’s tac_plus, it’s just ancient. I believe it had something to do with MAVIS as well.
The system(s) I’m running v4 on are using PAM instead of the MAVIS module.
So more or less just enable the right debug levels and route to syslog, expecting to find things in auth.log, etc.? With accounting being the exception. If so, I will look into getting rsyslogd to route the data correctly.
Thanks!
On 9/12/16, 12:42 PM, "heasley" <heas at shrubbery.net> wrote:
Mon, Sep 12, 2016 at 07:16:45AM -0700, Sean:
> I'd like to log authentication and authorization as well, if possible. I've come across reference to the following configuration:
>
> accounting log = /var/log/tac_plus/accounting.log
>
> authentication log = /var/log/tac_plus/authentication.log
>
> authorization log = /var/log/tac_plus/authorization.log
>
> This seems to be either a) outdated or b) poorly referenced as it doesn't work globally. A reference configuration I have from a version so old it's expressed in a date format (201211021744) places it within an "id" container.
>
> id = tac_plus {
>
> accounting log = /var/log/tac_plus/accounting.log
>
> authentication log = /var/log/tac_plus/authentication.log
>
> authorization log = /var/log/tac_plus/authorization.log
>
> }
This must be another tacacs daemon. This implementation has never had an
id clause that I am aware of.
> I haven't tried this in v4 yet since I can't find (presumably) current reference for it, but it’s working in the older version.
>
> I've also found reference to setting the appropriate -d flags when running tac_plus and getting this information as more of a "happy accident" (their words) in that the debugged info will hit the syslog daemon and be shuffled to the appropriate log files vs. a means configured specifically in the tac_plus config file.
>
> What’s the most appropriate / supported way to log this information, if any?
logging = syslog facility
there used to be a logfile option, but it degraded performance for multiple
daemons competing for one file. so, it is syslog only now. some syslog
daemons allow the matching of messages to determine the logging location (or
other actions).
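Since the daemon only writes to syslog now, the split into separate authentication, authorization and accounting files that the old options provided has to happen in the syslog daemon. The rule set below is an added example for rsyslog, not configuration from this thread or from the tac_plus project: the facility `local6`, the program name `tac_plus`, the file paths and the `contains` match strings are all assumptions and must be adjusted to what the daemon actually emits.

```rsyslog
# /etc/rsyslog.d/10-tac_plus.conf   (added example; every name here is an assumption)
# Assumes tac_plus.conf carries:   logging = local6
# and that the daemon's messages arrive with $programname == "tac_plus".
# The "10-" prefix makes this file load before the distribution's default
# rules, so the "stop" statements keep AAA records out of /var/log/syslog.

if ($syslogfacility-text == 'local6' and $programname == 'tac_plus') then {

    # Accounting records go to their own file, as the old "accounting log"
    # option did. The match strings are placeholders: inspect real messages
    # first. "contains" is case-sensitive; use contains_i to ignore case.
    if $msg contains 'accounting' then {
        action(type="omfile" file="/var/log/tac_plus/accounting.log"
               createDirs="on" fileCreateMode="0640")
        stop
    }

    if $msg contains 'authorization' then {
        action(type="omfile" file="/var/log/tac_plus/authorization.log"
               createDirs="on" fileCreateMode="0640")
        stop
    }

    if $msg contains 'authentication' then {
        action(type="omfile" file="/var/log/tac_plus/authentication.log"
               createDirs="on" fileCreateMode="0640")
        stop
    }

    # Everything else from the daemon (-d debug output, startup notices).
    action(type="omfile" file="/var/log/tac_plus/tac_plus.log"
           createDirs="on" fileCreateMode="0640")
    stop
}
```

The `fileCreateMode="0640"` setting matters because authentication and authorization records name users and the commands they were allowed or denied; keeping those files unreadable to other local users is the point of splitting them out rather than leaving them in the shared syslog. If a message matches none of the three strings it still lands in `tac_plus.log`, so nothing the daemon emits is silently dropped, and a quick count of lines in that file is the check that the match strings are wrong.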