How to exclude specific users from AAA logging in tac_plus-ng

32 views
Skip to first unread message

Thanh Pham

unread,
Mar 17, 2026, 4:04:20 AMMar 17
to Event-Driven Servers

Hi,

I am currently using an NMS platform that is spaming AAA log during login and command execution. Is there a way to configure tac_plus-ng to ignore specific users/NAC/NAS to keep the logs clean? Could you show me a configuration example for this?

Best regards,

Marc Huber

unread,
Mar 17, 2026, 11:45:36 AMMar 17
to event-driv...@googlegroups.com

Hi,

I've added log filtering in 8f5db93bc65ef036fcbab0cd4e6f1d7cf99b296e a couple of minutes ago. Please git pull and rebuild.

    log ... {
      destination = ...
      # filter = logfilter # pre-existing script/acl
      filter { if (user =~ /^demo/) deny } # inline script
      ...
    }

Cheers,

Marc

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/9ff5d12b-0e1f-4885-bb97-2517f9bbd377n%40googlegroups.com.

Thanh Pham

unread,
Mar 19, 2026, 2:55:21 AMMar 19
to event-driv...@googlegroups.com
Hi Marc,

I did a rebuild and it's looking good now. No issues so far.

Cheers,
Thanh

Vào Thứ 3, 17 thg 3, 2026 vào lúc 22:45 Marc Huber <marc.j...@gmail.com> đã viết:
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/c832c67c-bf3a-4ae9-8b4c-d9d4a23d7385%40googlemail.com.

Thanh Pham

unread,
May 4, 2026, 12:51:09 AMMay 4
to Event-Driven Servers
Hi Marc,
I have a question that if I want to filter NAS/NAC that defined in device config like this:

...
    script log-filter {
        if (client.name == "SP-NETWORK") deny
        if (device.name == "SP-NETWORK") deny
    }

    log aaalog {
...
        filter = log-filter
        ...
    }
    device SP-NETWORK {
        address = 192.168.0.0/16
        key = sercret123
    }
...

What's attribute that I can use for this case? it seems the keywords 'client.name' or 'device.name' are not working as expected.

Cheer,
Thanh
Vào lúc 13:55:21 UTC+7 ngày Thứ Năm, 19 tháng 3, 2026, Thanh Pham đã viết:

Marc Huber

unread,
May 4, 2026, 11:48:13 AMMay 4
to event-driv...@googlegroups.com

Hi Thanh,

referencing unknown objects from a script won't work.

For matching the device name you can use

    device.name =~ /^SP-NETWORK$/

Alternatively, you can put your "device SP-NETWORK" definition above the log-filter script.

client.name REGEX matching isn't supported, but putting the client net definition above the log-filter script should work, too.

Cheers,

Marc

Thanh Pham

unread,
May 13, 2026, 12:01:30 AM (7 days ago) May 13
to event-driv...@googlegroups.com

Hi Marc,

Thanks for your help!

Moving the device block definition to the top works for me. However, I haven't been able to fully test all the related cases yet. I'll let you know if anything comes up.

Cheers,


Vào Thứ 2, 4 thg 5, 2026 vào lúc 22:48 Marc Huber <marc.j...@gmail.com> đã viết:
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/308d01d3-60a0-46c0-947b-de74c84ffdad%40googlemail.com.
Reply all
Reply to author
Forward
0 new messages