tac_plus-ng + customize messages sent to syslog udp server


Paulo Roberto Tomasi

Mar 10, 2024, 7:33:03 PM
to Event-Driven Servers
Hello, everyone

I was wondering if it's possible to create separate chains to differentiate accounting vs authentication vs authorization logs sent to a syslog UDP server.

This could help the syslog UDP server separate logs about accounting, authentication and authorization into different counters in its dashboard.

It would be something like this:

        log Syslog_UDP_Server-acct {
                destination = 10.10.10.231:5555
                parameter_to_define_chain = accounting
        }

        log Syslog_UDP_Server-authc {
                destination = 10.10.10.231:5555
                parameter_to_define_chain = authentication
        }

        log Syslog_UDP_Server-authz {
                destination = 10.10.10.231:5555
                parameter_to_define_chain = authorization
        }

        log acctlog { destination = /var/log/tac_plus/accounting/%Y/%m/%d.log }
        log authclog { destination = /var/log/tac_plus/authentication/%Y/%m/%d.log }
        log authzlog { destination = /var/log/tac_plus/authorization/%Y/%m/%d.log }

        accounting log = acctlog
        accounting log = Syslog_UDP_Server-acct
        authentication log = authclog
        authentication log = Syslog_UDP_Server-authc
        authorization log = authzlog
        authorization log = Syslog_UDP_Server-authz


Also, is it possible to change the built-in default delimiter? How do I insert the changes in the tac_plus-ng.cfg?

I would like to change the delimiter from pipe ("|") to space + pipe + space (" | ").


The documentation shows these as built-in defaults:

# Accounting to UDP syslog:
"<${priority}>%Y-%m-%d %H:%M:%S %z ${hostname} ${nas}|${user}|${port}|${nac}|${accttype}|${service}|${cmd}"

# Authorization to UDP syslog:
"<${priority}>%Y-%m-%d %H:%M:%S %z ${hostname} ${nas}|${user}|${port}|${nac}|${profile}|${result}|${service}|${cmd}"

# Authentication to UDP syslog:
"<${priority}>%Y-%m-%d %H:%M:%S %z ${hostname} ${nas}|${user}|${port}|${nac}|${action} ${hint}"

# Connections to UDP syslog:
"<${priority}>%Y-%m-%d %H:%M:%S %z ${hostname} ${accttype}|${nas}|${tls.conn.version}|${tls.peer.cert.issuer}|${tls.peer.cert.subject}"


Thanks

Marc Huber

Mar 11, 2024, 11:19:26 AM
to event-driv...@googlegroups.com
Hi Paulo,

I'm not sure about your "chain" question. The (e.g.) "accounting log ="
statements refer to a log definition, so limiting the latter to
"accounting" seems redundant.

You can set the format inside the "log" definition, e.g.:

log mylog {
    destination = /var/log/tac_plus/authz/%Y/%m/%d.log
    authorization format = "%Y-%m-%d %H:%M:%S %z ..."
    authentication format = ...
    accounting format = ...
}

Cheers,

Marc

Paulo Roberto Tomasi

Mar 11, 2024, 1:10:28 PM
to Event-Driven Servers
Hi,

My explanation wasn't clear, you're right.

This is what I mean:

I have an external syslog UDP server. I'm sending logs to it, but currently there's no hint to the syslog server to easily differentiate authentication vs accounting vs authorization logs.

Example of results (csv export) at the external syslog:

timestamp,"source","message"
2024-03-11T14:04:22.748Z,"10.1.2.19","<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|start||"

2024-03-11T14:04:31.264Z,"10.1.2.19","<70>2024-03-11 10:04:31 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|stop||CLI 'show firmware' <cr>"

2024-03-11T14:04:31.286Z,"10.1.2.19","<70>2024-03-11 10:04:31 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|config|permit|shell|show firmware <cr>"

2024-03-11T14:04:22.480Z,"10.1.2.19","<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|0.0.0.0|pap login succeeded"

2024-03-11T14:13:40.087Z,"10.1.2.19","<70>2024-03-11 10:13:40 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|stop||"

2024-03-11T14:04:22.501Z,"10.1.2.19","<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|0.0.0.0|config|permit|shell|"


Is there a way to add a hint to each type of message?


I think you're already giving the solution here (but my knowledge is still limited):

" You can set the format inside the "log" definition, e.g.:

log mylog {
    destination = /var/log/tac_plus/authz/%Y/%m/%d.log
    authorization format = "%Y-%m-%d %H:%M:%S %z ..."
    authentication format = ...
    accounting format = ...
} "

Which variable could I use to differentiate the messages?

Best regards,
Paulo Roberto Tomasi

Marc Huber

Mar 11, 2024, 1:26:37 PM
to event-driv...@googlegroups.com
Hi Paulo,

${type} will resolve to authen/author/acct, but as you've already
implied it makes more sense to just add a suitable hard-coded prefix to
the log format manually.

That's actually an interesting issue, thanks for reporting! I typically
log to plain files, so it never occurred to me that the syslog output
might be ambiguous.

Cheers,

Marc

Paulo Roberto Tomasi

Mar 11, 2024, 1:43:32 PM
to Event-Driven Servers
Thanks, Marc

It worked perfectly:

id = tac_plus-ng {

        log Syslog_UDP_Server {
                destination = 10.10.10.231:5555

                # Customized accounting message:
                accounting format = "<${priority}>%Y-%m-%d %H:%M:%S %z ${type} | ${hostname} | ${nas} | ${user} | ${port} | ${nac} | ${accttype} | ${service} | ${cmd}"

                # Customized authorization message:
                authorization format = "<${priority}>%Y-%m-%d %H:%M:%S %z ${type} | ${hostname} | ${nas} | ${user} | ${port} | ${nac} | ${profile} | ${result} | ${service} | ${cmd}"

                # Customized authentication message:
                authentication format = "<${priority}>%Y-%m-%d %H:%M:%S %z ${type} | ${hostname} | ${nas} | ${user} | ${port} | ${nac} | ${action} | ${hint}"
        }

        log acctlog { destination = /var/log/tac_plus/accounting/%Y/%m/%d.log }
        log authclog { destination = /var/log/tac_plus/authentication/%Y/%m/%d.log }
        log authzlog { destination = /var/log/tac_plus/authorization/%Y/%m/%d.log }

        accounting log = acctlog
        accounting log = Syslog_UDP_Server
        authentication log = authclog
        authentication log = Syslog_UDP_Server
        authorization log = authzlog
        authorization log = Syslog_UDP_Server

* variable ${type} added
* delimiter customized from 'pipe' to 'space + pipe + space'

Best regards,
Paulo Roberto Tomasi
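As an added example (not part of the thread and not tac_plus-ng code): a small Python parser for the customized format Paulo ended up with. It uses the ${type} prefix (authen/author/acct) to choose the field names, and splits on the " | " delimiter only as many times as there are fields, so a trailing ${cmd} that itself contains a pipe (e.g. a "show run | include ..." command) is kept intact. The sample lines are constructed from the CSV export earlier in the thread, rewritten into the new format.

```python
import re

# Fields shared by all three formats, in the order they appear after ${type}.
COMMON_FIELDS = ["hostname", "nas", "user", "port", "nac"]
# Type-specific tail fields, taken from the customized format strings above.
TAIL_FIELDS = {
    "acct": ["accttype", "service", "cmd"],
    "author": ["profile", "result", "service", "cmd"],
    "authen": ["action", "hint"],
}
SEP = " | "

# "<pri>YYYY-mm-dd HH:MM:SS +zzzz type | rest..."
HEADER_RE = re.compile(
    r"^<(?P<priority>\d+)>"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<type>authen|author|acct) \| (?P<rest>.*)$"
)

# Constructed sample lines in the customized format (not real syslog output).
SAMPLE_LINES = [
    "<70>2024-03-11 10:04:22 -0400 authen | tpng | 10.10.10.198 | tomasi | mgmt | 0.0.0.0 | pap login succeeded | ",
    "<70>2024-03-11 10:04:22 -0400 author | tpng | 10.10.10.198 | tomasi | mgmt | 0.0.0.0 | config | permit | shell | ",
    "<70>2024-03-11 10:04:31 -0400 acct | tpng | 10.10.10.198 | tomasi | mgmt | 10.10.10.137 | stop |  | CLI 'show run | include ntp' <cr>",
]


def parse(line):
    """Return a dict of named fields, or None if the line is not in the customized format."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # old pipe-only format or unrelated message: no ${type} hint
    msg_type = m.group("type")
    fields = COMMON_FIELDS + TAIL_FIELDS[msg_type]
    # cmd/hint is last and may contain " | " itself, so cap the number of splits.
    values = m.group("rest").split(SEP, len(fields) - 1)
    if len(values) != len(fields):
        return None  # wrong field count for this type: treat as unparsed
    rec = {"priority": int(m.group("priority")), "timestamp": m.group("timestamp"), "type": msg_type}
    rec.update(zip(fields, values))
    return rec


def count_by_type(lines):
    """Per-type counters of the kind a syslog dashboard would show."""
    counts = {"authen": 0, "author": 0, "acct": 0, "unparsed": 0}
    for line in lines:
        rec = parse(line)
        counts[rec["type"] if rec else "unparsed"] += 1
    return counts
```

A line in the old built-in format (no ${type} prefix) is reported as unparsed rather than guessed from its field count, since a ${cmd} containing a pipe would make that count unreliable.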