Hi,
My explanation wasn't clear, you're right.
This is what I mean:
I have an external syslog UDP server. I'm sending logs to it, but currently there's no hint to the syslog server to easily differentiate authentication vs accounting vs authorization logs.
Example of results (csv export) at the external syslog:
timestamp,"source","message"
2024-03-11T14:04:22.748Z,"10.1.2.19","<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|start||"
2024-03-11T14:04:31.264Z,"10.1.2.19","<70>2024-03-11 10:04:31 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|stop||CLI 'show firmware' <cr>"
2024-03-11T14:04:31.286Z,"10.1.2.19","<70>2024-03-11 10:04:31 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|config|permit|shell|show firmware <cr>"
2024-03-11T14:04:22.480Z,"10.1.2.19","<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|0.0.0.0|pap login succeeded"
2024-03-11T14:13:40.087Z,"10.1.2.19","<70>2024-03-11 10:13:40 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|stop||"
2024-03-11T14:04:22.501Z,"10.1.2.19","<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|0.0.0.0|config|permit|shell|"
Is there a way to add a hint to each type of message?
#
I think you're already giving the solution here (but my knowledge is still limited):
" You can set the format inside the "log" definition, e.g.:
log mylog {
    destination = /var/log/tac_plus/authz/%Y/%m/%d.log
    authorization format = "%Y-%m-%d %H:%M:%S %z ..."
    authentication format = ...
    accounting format = ...
}"
Which variable could I use to differentiate the messages?
Best regards,
Paulo Roberto Tomasi
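
An added example, not part of the original message and not the daemon's own code: until the sender adds a hint, the syslog receiver can tell the three message types apart by the shape of the pipe-separated body. The field names (device, user, port, client, profile) and the values "update" and "deny" are assumptions; the rules are inferred only from the sample messages above.

```python
import re

# Constructed input: four of the messages from the export above, wrapped lines rejoined.
SAMPLES = [
    "<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|start||",
    "<70>2024-03-11 10:04:31 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|stop||CLI 'show firmware' <cr>",
    "<70>2024-03-11 10:04:31 -0400 tpng 10.10.10.198|tomasi|mgmt|10.10.10.137|config|permit|shell|show firmware <cr>",
    "<70>2024-03-11 10:04:22 -0400 tpng 10.10.10.198|tomasi|mgmt|0.0.0.0|pap login succeeded",
]

# "<PRI>date time zone tag body", as seen in the samples.
HEADER = re.compile(r"^<(\d{1,3})>(\S+ \S+ \S+) (\S+) (.*)$", re.S)
ACCT_ACTIONS = {"start", "stop", "update"}  # "update" is assumed; only start/stop appear above
AUTHZ_RESULTS = {"permit", "deny"}          # "deny" is assumed; only permit appears above


def classify(message):
    """Return a dict with a 'type' key: authentication, authorization, accounting,
    unknown or unparsed. Heuristic: a profile literally named 'start' would be misread."""
    m = HEADER.match(message.strip())
    if not m:
        return {"type": "unparsed", "raw": message}
    pri, stamp, tag, body = m.groups()
    head = body.split("|", 4)  # four fixed fields, then the type-specific remainder
    if len(head) < 5:
        return {"type": "unparsed", "raw": message}
    rec = dict(zip(("device", "user", "port", "client"), head[:4]))  # assumed names
    rec.update(pri=int(pri), time=stamp, tag=tag)
    rest = head[4]
    parts = rest.split("|")
    if len(parts) == 1:
        rec.update(type="authentication", result=rest)
    elif parts[0] in ACCT_ACTIONS and len(parts) >= 3:
        # maxsplit keeps a "|" typed inside the command in one piece
        action, service, cmd = rest.split("|", 2)
        rec.update(type="accounting", action=action, service=service, cmd=cmd)
    elif parts[1] in AUTHZ_RESULTS and len(parts) >= 4:
        profile, result, service, cmd = rest.split("|", 3)
        rec.update(type="authorization", profile=profile, result=result,
                   service=service, cmd=cmd)
    else:
        rec.update(type="unknown", rest=rest)
    return rec


if __name__ == "__main__":
    for line in SAMPLES:
        r = classify(line)
        print(r["type"], r.get("user"), r.get("cmd") or r.get("result"))
```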