From matta at surveymonkey.com Wed Aug 22 00:03:30 2018
From: matta at surveymonkey.com (Matt Almgren)
Date: Wed, 22 Aug 2018 00:03:30 +0000
Subject: [tac_plus] Anyway to format the .acct file or have it log to syslog?
Message-ID: <87D87139-D83B-473C-A898-B6857DEFA9DA@surveymonkey.com>

We are trying to ship the tac_plus.acct log files into our SIEM, but it seems that it can't handle the non-syslog format of the file. Is there any way to get the .acct file to log into syslog? I have tried changing this var in the config file "accounting file = /var/log/tacacs/tac_plus.acct" to point to /var/log/syslog, but it still logs to the .acct file and seems to ignore that entry.

Or does anyone know of a script that will run in the background and convert the .acct file into a syslog format? That way our SIEM log importer will recognize it and hopefully pick up on it.

Thanks, Matt


From matta at surveymonkey.com Wed Aug 22 01:13:03 2018
From: matta at surveymonkey.com (Matt Almgren)
Date: Wed, 22 Aug 2018 01:13:03 +0000
Subject: [tac_plus] Anyway to format the .acct file or have it log to syslog?
In-Reply-To: <87D87139-D83B-473C-A898-B6857DEFA9DA@surveymonkey.com>
References: <87D87139-D83B-473C-A898-B6857DEFA9DA@surveymonkey.com>
Message-ID: <6113A4CB-0E28-4A6A-85C6-E9DAFEA73ACA@surveymonkey.com>

Actually, after sending that last message and doing some more testing, I see the problem is with rsyslog. I tried to tcpdump on the SIEM server and it's not seeing the .acct messages, only the normal tacacs log and syslog message entries.

Rsyslog is skipping over the tacacs.acct log entries. It is picking up all the other log entries, EXCEPT for the tac_plus.acct log messages. So now I need to either reformat them into an rsyslog format or find another way to log ship them to our SIEM server for processing.

-- Matt

From: Matt Almgren
Date: Tuesday, August 21, 2018 at 5:03 PM
To: "tac_plus at shrubbery.net"
Subject: Anyway to format the .acct file or have it log to syslog?

> We are trying to ship the tac_plus.acct log files into our SIEM, but it seems that it can't handle the non-syslog format of the file. Is there any way to get the .acct file to log into syslog? I have tried changing this var in the config file "accounting file = /var/log/tacacs/tac_plus.acct" to point to /var/log/syslog, but it still logs to the .acct file and seems to ignore that entry.
>
> Or does anyone know of a script that will run in the background and convert the .acct file into a syslog format? That way our SIEM log importer will recognize it and hopefully pick up on it.
>
> Thanks, Matt


From listensammler at gmx.de Wed Aug 22 19:48:03 2018
From: listensammler at gmx.de (Alex D.)
Date: Wed, 22 Aug 2018 21:48:03 +0200
Subject: [tac_plus] Anyway to format the .acct file or have it log to syslog?
In-Reply-To: <6113A4CB-0E28-4A6A-85C6-E9DAFEA73ACA@surveymonkey.com>
References: <87D87139-D83B-473C-A898-B6857DEFA9DA@surveymonkey.com> <6113A4CB-0E28-4A6A-85C6-E9DAFEA73ACA@surveymonkey.com>
Message-ID: <5B7DBDF3.7050702@gmx.de>

Hi Matt,

a possible solution would be logstash (see https://www.elastic.co/guide/en/logstash/current/introduction.html). You could use the "file" input plugin, do some filtering if needed, and afterwards send it to your SIEM with the "syslog" output plugin.

Regards,
Alex


From heas at shrubbery.net Thu Aug 23 08:51:58 2018
From: heas at shrubbery.net (heasley)
Date: Thu, 23 Aug 2018 08:51:58 +0000
Subject: [tac_plus] Anyway to format the .acct file or have it log to syslog?
In-Reply-To: <6113A4CB-0E28-4A6A-85C6-E9DAFEA73ACA@surveymonkey.com>
References: <87D87139-D83B-473C-A898-B6857DEFA9DA@surveymonkey.com> <6113A4CB-0E28-4A6A-85C6-E9DAFEA73ACA@surveymonkey.com>
Message-ID: <20180823085157.GC96661@shrubbery.net>

Wed, Aug 22, 2018 at 01:13:03AM +0000, Matt Almgren:
> Actually, after sending that last message and doing some more testing, I see the problem is with rsyslog. I tried to tcpdump on the SIEM server and it's not seeing the .acct messages, only the normal tacacs log and syslog message entries.
>
> Rsyslog is skipping over the tacacs.acct log entries. It is picking up all the other log entries, EXCEPT for the tac_plus.acct log messages. So now I need to either reformat them into an rsyslog format or find another way to log ship them to our SIEM server for processing.
>
> -- Matt

maybe filtering priority info? or try syslog-ng.
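The accounting file is written by the tac_plus daemon itself, not through syslog(3), so an rsyslog priority filter never gets a chance to see those records; something has to read the file and re-emit them (rsyslog's own imfile module, logstash's file input as Alex suggests, or a small shipper). Below is the kind of background script Matt asked for, added here as an example and not code from this thread or from the tac_plus project. It tails tac_plus.acct, parses each record, and sends it to a collector as an RFC 5424 syslog message with the fields carried as structured data, so the SIEM can index user, NAS and command without a custom parser. Assumptions, all labelled in the code: the tab-separated record layout (timestamp, NAS, user, port, remote address, start/stop/update flag, then key=value pairs), a server clock in UTC, the hostname tacacs01, the facility local6, a UDP collector, and the private enterprise number 32473 (the one reserved for documentation). The two sample records are constructed, not taken from a real server.

```python
#!/usr/bin/env python3
"""Tail a tac_plus accounting file and re-emit each record as RFC 5424 syslog.

Assumed record layout (tab-separated, as tac_plus writes its accounting file):
  <Mon DD HH:MM:SS>  <NAS IP>  <user>  <port>  <remote addr>  <start|stop|update>  <key=value>...
"""
import argparse
import os
import socket
import time
from datetime import datetime, timezone

LOG_LOCAL6 = 22          # syslog facility chosen for the forwarded records (assumption)
SEV_INFO = 6             # severity; PRI = facility * 8 + severity
SD_ID = "tacacs@32473"   # 32473 is the enterprise number reserved for documentation (RFC 5612)

# Constructed sample records for offline testing; not taken from a real server.
SAMPLE_LINES = [
    "Aug 22 00:03:30\t192.0.2.10\tmatt\ttty1\t203.0.113.5\tstop\ttask_id=42\ttimezone=UTC"
    "\tservice=shell\tcmd=show running-config",
    "Aug 22 00:04:01\t192.0.2.10\tmatt\ttty1\t203.0.113.5\tstop\ttask_id=43"
    "\tservice=shell\tcmd=banner motd \"maint]\"",
]


def parse_acct_line(line):
    """Split one accounting record into its fixed fields plus a dict of AV pairs."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 6:
        raise ValueError(f"not a tac_plus accounting record: {line!r}")
    ts, nas, user, port, rem_addr, flags = fields[:6]
    av = {}
    for pair in fields[6:]:
        key, sep, value = pair.partition("=")
        if sep:                      # ignore trailing fields that are not key=value
            av[key] = value
    return {"timestamp": ts, "nas": nas, "user": user, "port": port,
            "rem_addr": rem_addr, "flags": flags, "av": av}


def _sd_escape(value):
    # RFC 5424 6.3.3: '"', '\' and ']' must be backslash-escaped inside a PARAM-VALUE
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(record, hostname, year, appname="tac_plus",
              facility=LOG_LOCAL6, severity=SEV_INFO):
    """Render a parsed record as an RFC 5424 message (version 1, UTC timestamp)."""
    pri = facility * 8 + severity
    # tac_plus writes no year and uses the server's local clock; we assume UTC
    when = datetime.strptime(f"{year} {record['timestamp']}",
                             "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    params = [("nas", record["nas"]), ("user", record["user"]), ("port", record["port"]),
              ("rem_addr", record["rem_addr"]), ("flags", record["flags"])]
    params += list(record["av"].items())
    sd = "[" + SD_ID + "".join(f' {k}="{_sd_escape(v)}"' for k, v in params) + "]"
    # Free-text MSG repeats the essentials for collectors that ignore structured data
    msg = (f"{record['flags']} user={record['user']} nas={record['nas']} "
           + " ".join(f"{k}={v}" for k, v in record["av"].items()))
    return f"<{pri}>1 {when.strftime('%Y-%m-%dT%H:%M:%SZ')} {hostname} {appname} - - {sd} {msg}"


def follow(path, poll=1.0, from_start=False):
    """Yield complete lines appended to path, like tail -F (reopens after rotation)."""
    fh, inode = None, None
    while True:
        try:
            cur_ino = os.stat(path).st_ino
        except FileNotFoundError:    # mid-rotation: wait for the new file
            time.sleep(poll)
            continue
        if fh is None or cur_ino != inode:
            rotated = fh is not None
            if fh:
                fh.close()
            fh = open(path, encoding="utf-8", errors="replace")
            inode = cur_ino
            if not rotated and not from_start:
                fh.seek(0, os.SEEK_END)   # do not replay history on first start
        pos = fh.tell()
        line = fh.readline()
        if not line.endswith("\n"):       # nothing new, or a record still being written
            fh.seek(pos)
            time.sleep(poll)
            continue
        yield line


def main():
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("acct_file", help="e.g. /var/log/tacacs/tac_plus.acct")
    ap.add_argument("--siem", required=True, help="host:port of the UDP syslog collector")
    ap.add_argument("--hostname", default=socket.gethostname())
    args = ap.parse_args()
    host, port = args.siem.rsplit(":", 1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in follow(args.acct_file):
        try:
            rec = parse_acct_line(line)
        except ValueError:
            continue                      # skip malformed lines instead of dying
        year = datetime.now(timezone.utc).year
        sock.sendto(to_syslog(rec, args.hostname, year).encode("utf-8"), (host, int(port)))


if __name__ == "__main__":
    main()
```

Run it as `python3 acct2syslog.py /var/log/tacacs/tac_plus.acct --siem siem.example.net:514` under a service manager so it survives reboots. Two caveats worth knowing before relying on it for audit data: the year is taken from the shipper's clock, so a record written just before midnight on 31 December and shipped after it gets the wrong year; and UDP drops silently, so for a SIEM that must not lose command accounting, swap the socket for TCP (or TLS) with RFC 6587 octet-counting framing. Setting the facility to local6 also gives you a clean selector on the rsyslog or syslog-ng side, which addresses the priority-filtering point raised in the thread.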