[tac_plus] Anyway to format the .acct file or have it log to syslog?
Matt Almgren
matta at surveymonkey.com
Wed Aug 22 01:13:03 UTC 2018
Actually after sending that last message and doing some more testing, I see the problem is with rsyslog. I tried to tcpdump on the SIEM server and it’s not seeing the .acct messages, only the normal tacacs log and syslog message entries.
Rsyslog is skipping over the tacacs.acct log entries. It is picking up all the other log entries, EXCEPT for the tac_plus.acct log messages. So now I need to either reformat them into a rsyslog format or find another way to log ship them to our SIEM server for processing.
-- Matt
From: Matt Almgren <matta at surveymonkey.com>
Date: Tuesday, August 21, 2018 at 5:03 PM
To: "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Subject: Anyway to format the .acct file or have it log to syslog?
We are trying to ship the tac_plus.acct log files into our SIEM, but it seems that it can’t handle the non-syslog format of the file. Is there anyway to get the .acct file to log into syslog? I have tried changing this var in the config file “accounting file = /var/log/tacacs/tac_plus.acct” to point to /var/log/syslog, but it still logs to the .acct file and seems to ignore that entry.
Or does anyone know of a script that will run in the background and covert the .acct file into a syslog format? That way our SIEM log importer will recognize it and hopefully pickup on it .
Thanks, Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20180822/6b4193a8/attachment.html>
More information about the tac_plus
mailing list