Getting TACACS+ To use syslog facility
1,791 views
Skip to first unread message
Brian Cutler
Mar 24, 2016, 1:57:01 PM3/24/16
to Event-Driven Servers
Hello Marc:
We are trying to have TACACS+ write log messages to /var/log/messages (which it does) and to /var/log/local6.log (which it does not).
here is our tacacs.conf file definition for logging:
#!/usr/local/sbin/tac_plus
##################################################
## Spawn needed instances
id = spawnd {
listen = { address = 0.0.0.0 port = 49}
listen = { address = 0.0.0.0 port = 4949 realm = tacacs_alt }
}
id = tac_plus {
# access log = syslog
accounting log = syslog
# authentication log = syslog
# https://groups.google.com/forum/#!searchin/event-driven-servers/syslog/event-driven-servers/9YUJqYgCHdA/-pbRflYxZ0IJ
syslog facility = local6
syslog level = debug
## Define attributes for all hosts
host = world {
## tacacs key
key = xxxxxxxxxxxxxxx
address = 0.0.0.0/0
}
...
Here is our /etc/rsyslog.conf file
# Save TACACS messages to their own file
local6.* /var/log/local6.log
All we ever see in the /var/log/local6.log file is lots of:
Mar 24 13:18:06 sandbox-bdcutler7-a02 tac_plus[13912]: epoll event notification mechanism is being used
Mar 24 13:18:06 sandbox-bdcutler7-a02 tac_plus[13911]: epoll event notification mechanism is being used
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14780]: epoll event notification mechanism is being used
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14779]: epoll event notification mechanism is being used
We do see the startup and authentication events (I am using the tactest.exe program to send in the login request):
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:49 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:49 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:4949 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:4949 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14780]: Version 201511101821 initialized
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14780]: Version 201511101821 initialized
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14779]: Version 201511101821 initialized
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14779]: Version 201511101821 initialized
Mar 24 13:47:33 sandbox-bdcutler7-a02 tac_plus[14779]: xxx.xxx.xxx.xxx: shell login for 'bdcutler' succeeded
Mar 24 13:47:33 sandbox-bdcutler7-a02 tac_plus[14779]: xxx.xxx.xxx.xxx: shell login for 'bdcutler' succeeded
(Note I commented out the ip addresses in the messages above).
This is running on a CentOS 7 (3.10.0-327.4.5.el7.x86_64) machine.
Any thoughts on what I am doing wrong?
Brian Cutler
We are trying to have TACACS+ write log messages to /var/log/messages (which it does) and to /var/log/local6.log (which it does not).
here is our tacacs.conf file definition for logging:
#!/usr/local/sbin/tac_plus
##################################################
## Spawn needed instances
id = spawnd {
listen = { address = 0.0.0.0 port = 49}
listen = { address = 0.0.0.0 port = 4949 realm = tacacs_alt }
}
id = tac_plus {
# access log = syslog
accounting log = syslog
# authentication log = syslog
# https://groups.google.com/forum/#!searchin/event-driven-servers/syslog/event-driven-servers/9YUJqYgCHdA/-pbRflYxZ0IJ
syslog facility = local6
syslog level = debug
## Define attributes for all hosts
host = world {
## tacacs key
key = xxxxxxxxxxxxxxx
address = 0.0.0.0/0
}
...
Here is our /etc/rsyslog.conf file
# Save TACACS messages to their own file
local6.* /var/log/local6.log
All we ever see in the /var/log/local6.log file is lots of:
Mar 24 13:18:06 sandbox-bdcutler7-a02 tac_plus[13912]: epoll event notification mechanism is being used
Mar 24 13:18:06 sandbox-bdcutler7-a02 tac_plus[13911]: epoll event notification mechanism is being used
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14780]: epoll event notification mechanism is being used
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14779]: epoll event notification mechanism is being used
We do see the startup and authentication events (I am using the tactest.exe program to send in the login request):
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:49 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:49 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:4949 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14777]: bind to [0.0.0.0]:4949 succeeded
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14780]: Version 201511101821 initialized
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14780]: Version 201511101821 initialized
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14779]: Version 201511101821 initialized
Mar 24 13:46:19 sandbox-bdcutler7-a02 tac_plus[14779]: Version 201511101821 initialized
Mar 24 13:47:33 sandbox-bdcutler7-a02 tac_plus[14779]: xxx.xxx.xxx.xxx: shell login for 'bdcutler' succeeded
Mar 24 13:47:33 sandbox-bdcutler7-a02 tac_plus[14779]: xxx.xxx.xxx.xxx: shell login for 'bdcutler' succeeded
(Note I commented out the ip addresses in the messages above).
This is running on a CentOS 7 (3.10.0-327.4.5.el7.x86_64) machine.
Any thoughts on what I am doing wrong?
Brian Cutler
Marc Huber
Mar 25, 2016, 2:32:44 AM3/25/16
to event-driv...@googlegroups.com
Hi Brian,
On 24.03.16 18:52, Brian Cutler wrote:
> We are trying to have TACACS+ write log messages to /var/log/messages
> (which it does) and to /var/log/local6.log (which it does not).
I think I've missed reopening the log after facility or level changes.
Could you please try again, with the diff below applied?
Cheers,
Marc
--- mavis/mavis_parse.c 2015/11/09 12:06:29 1.166
+++ mavis/mavis_parse.c 2016/03/25 06:23:38
@@ -145,6 +145,7 @@
common_data.regex_pcre_flags = PCRE_CASELESS;
#endif
common_data.regex_posix_flags = REG_ICASE;
+ logopen();
}
void parse_error(struct sym *sym, char *fmt, ...)
@@ -1512,6 +1513,7 @@
default:
parse_error_expect(sym, S_level, S_facility, S_ident, S_default,
S_unknown);
}
+ logopen();
}
On 24.03.16 18:52, Brian Cutler wrote:
> We are trying to have TACACS+ write log messages to /var/log/messages
> (which it does) and to /var/log/local6.log (which it does not).
Could you please try again, with the diff below applied?
Cheers,
Marc
--- mavis/mavis_parse.c 2015/11/09 12:06:29 1.166
+++ mavis/mavis_parse.c 2016/03/25 06:23:38
@@ -145,6 +145,7 @@
common_data.regex_pcre_flags = PCRE_CASELESS;
#endif
common_data.regex_posix_flags = REG_ICASE;
+ logopen();
}
void parse_error(struct sym *sym, char *fmt, ...)
@@ -1512,6 +1513,7 @@
default:
parse_error_expect(sym, S_level, S_facility, S_ident, S_default,
S_unknown);
}
+ logopen();
}
Brian Cutler
Mar 29, 2016, 8:42:04 AM3/29/16
to Event-Driven Servers
Hi Marc:
I applied your patch (my version of 1.166 is a bit different than yours .. I had to do the patch manually. I am attaching a copy of my mavis_parse.c with your patch applied).
The login lines now go to the local6.log file, but not the other log lines. When I was looking through your code, I did see possible places that the logopen() patch could go .. but you know your own code far better than I and wanted you to take a quick look at it.
Thank you very much for the code patch you sent and hopefully we can finish this up and get all the log lines addressed.
Brian Cutler
I applied your patch (my version of 1.166 is a bit different than yours .. I had to do the patch manually. I am attaching a copy of my mavis_parse.c with your patch applied).
The login lines now go to the local6.log file, but not the other log lines. When I was looking through your code, I did see possible places that the logopen() patch could go .. but you know your own code far better than I and wanted you to take a quick look at it.
Thank you very much for the code patch you sent and hopefully we can finish this up and get all the log lines addressed.
Brian Cutler
Brian Cutler
Apr 5, 2016, 8:42:51 AM4/5/16
to Event-Driven Servers
Hi Marc. I was wondering if you have had a chance to look at the logging again? We are not getting all of the log messages sent out to facility (in our case, local6).
Brian
Brian
On Thursday, March 24, 2016 at 1:57:01 PM UTC-4, Brian Cutler wrote:
Marc Huber
Apr 8, 2016, 1:30:07 PM4/8/16
to event-driv...@googlegroups.com
Hi Brian,
On 05.04.16 14:42, Brian Cutler wrote:
> Hi Marc. I was wondering if you have had a chance to look at the
> logging again? We are not getting all of the log messages sent out to
> facility (in our case, local6).
yes, I did some testing (reconfigured my local syslog daemon to remote
logging, captured udp/514 with tcpdump). All packets had the expected
facility and level, I didn't see any issues at all.
Cheers,
Marc
On 05.04.16 14:42, Brian Cutler wrote:
> Hi Marc. I was wondering if you have had a chance to look at the
> logging again? We are not getting all of the log messages sent out to
> facility (in our case, local6).
logging, captured udp/514 with tcpdump). All packets had the expected
facility and level, I didn't see any issues at all.
Cheers,
Marc
Brian Cutler
Apr 11, 2016, 9:30:53 AM4/11/16
to Event-Driven Servers
Marc:
What are the settings you have in your TACACS file? I have:
id = tac_plus {
What are the settings you have in your TACACS file? I have:
id = tac_plus {
access log = syslog
accounting log = syslog
authentication log = syslog
# https://groups.google.com/forum/#!searchin/event-driven-servers/syslog/event-driven-servers/9YUJqYgCHdA/-pbRflYxZ0IJ
syslog facility = local6
syslog level = debug
# https://groups.google.com/forum/#!searchin/event-driven-servers/syslog/event-driven-servers/9YUJqYgCHdA/-pbRflYxZ0IJ
syslog facility = local6
syslog level = debug
....
What are the settings you have in your /etc/rsyslog.conf? I have:
What are the settings you have in your /etc/rsyslog.conf? I have:
# Save TACACS messages to their own file
local6.* /var/log/local6.log
On Thursday, March 24, 2016 at 1:57:01 PM UTC-4, Brian Cutler wrote:
Marc Huber
Apr 12, 2016, 12:31:05 PM4/12/16
to event-driv...@googlegroups.com
Hi Brian,
On 11.04.16 15:30, Brian Cutler wrote:
> What are the settings you have in your TACACS file? I have:
> id = tac_plus {
> access log = syslog
> accounting log = syslog
> authentication log = syslog
> #
> https://groups.google.com/forum/#!searchin/event-driven-servers/syslog/event-driven-servers/9YUJqYgCHdA/-pbRflYxZ0IJ
> syslog facility = local6
> syslog level = debug
I typically define facility and level first. "a... log = syslog" will
use the log level currently set, and (what's worse, but broken for
historic reasons) openlog(3) and syslog(3) will only handle one facility
at a time.
My best advice would be to either
- log to logger(1), or to
- log to tacspooflog.pl
Both allow to set log level and facility in a more reliable way.
Cheers,
Marc
On 11.04.16 15:30, Brian Cutler wrote:
> What are the settings you have in your TACACS file? I have:
> id = tac_plus {
> access log = syslog
> accounting log = syslog
> authentication log = syslog
> #
> https://groups.google.com/forum/#!searchin/event-driven-servers/syslog/event-driven-servers/9YUJqYgCHdA/-pbRflYxZ0IJ
> syslog facility = local6
> syslog level = debug
use the log level currently set, and (what's worse, but broken for
historic reasons) openlog(3) and syslog(3) will only handle one facility
at a time.
My best advice would be to either
- log to logger(1), or to
- log to tacspooflog.pl
Both allow to set log level and facility in a more reliable way.
Cheers,
Marc
victor ostorga
Aug 7, 2023, 6:45:19 PM8/7/23
to Event-Driven Servers
I have it working like follows for a while:
log = authentication {
destination = a.b.c.d
syslog facility = local6
syslog level = DEBUG
syslog ident = Authentication
log separator = "|"
}
log = authorization {
destination = a.b.c.d
syslog facility = local6
syslog level = DEBUG
syslog ident = Authorization
log separator = "/"
}
log = accounting {
destination = a.b.c.d
syslog facility = local6
syslog level = DEBUG
syslog ident = Accounting
log separator = "|"
}
destination = a.b.c.d
syslog facility = local6
syslog level = DEBUG
syslog ident = Authentication
log separator = "|"
}
log = authorization {
destination = a.b.c.d
syslog facility = local6
syslog level = DEBUG
syslog ident = Authorization
log separator = "/"
}
log = accounting {
destination = a.b.c.d
syslog facility = local6
syslog level = DEBUG
syslog ident = Accounting
log separator = "|"
}
Reply all
Reply to author
Forward
0 new messages