[rancid] Full AAA logging / supported configuration

Alan McKinnon alan.mckinnon at gmail.com
Sat Sep 10 06:35:22 UTC 2016


On 09/09/2016 22:02, Sean wrote:
> I'm on F4.0.4.26.
> 
> I've seen a few examples of logging AAA with tac_plus. The most
> documented is the "accounting" option.
> 
> accounting syslog;
> 
> -or-
> 
> accounting file = /var/log/tac_plus.acct
> 
> This works fine. I have it set up, logging correctly, logrotate running,
> etc. It’s also documented just about everywhere I’ve seen, but seems
> like it’s the only official means to log something.
> 
> I'd like to log authentication and authorization as well, if possible.
> I've come across reference to the following configuration:
> 
> accounting log = /var/log/tac_plus/accounting.log
> 
> authentication log = /var/log/tac_plus/authentication.log
> 
> authorization log = /var/log/tac_plus/authorization.log
> 
> This seems to be either a) outdated or b) poorly referenced as it
> doesn't work globally. A reference configuration I have from a version
> so old it's expressed in a date format (201211021744) places it within
> an "id" container.
> 
> id = tac_plus {
>  accounting log = /var/log/tac_plus/accounting.log
>  authentication log = /var/log/tac_plus/authentication.log
>  authorization log = /var/log/tac_plus/authorization.log
> }
> 
> I haven't tried this in v4 yet since I can't find (presumably) current
> reference for it, but it’s working in the older version.
> 
> I've also found reference to setting the appropriate -d flags when
> running tac_plus and getting this information as more of a "happy
> accident" in whatever syslog files it ends up in vs. more programmatic
> means.
> 
> What’s the most appropriate / supported way to log this information, if any?


tac_plus logs can easily go to syslog as they are daemon logs - the
daemon itself generates them and they are much like logs from all other
daemons, very suitable for sending to syslog.

Accounting is another matter altogether, those logs are not a good fit
for syslog and I never got them to work right. I always sent them to a
regular disk file. The file you choose is entirely up to you, there is
no standard and neither should there be. There is a default in the code
but there's no reason you have to use it.

The -d option is not a happy accident. It's a bit-encoded field where you
tell tac_plus what type of entries to log.

Lastly, this thread belongs on the tac_plus list.


-- 
Alan McKinnon
alan.mckinnon at gmail.com
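As an added example (not from this thread or from tac_plus itself): a small parser for the disk-file accounting records Sean and Alan discuss. It assumes the Shrubbery tac_plus tab-separated record layout (timestamp, NAS address, user, port, remote address, record type, then attribute=value pairs) and works on constructed sample lines; it pulls out privileged commands per operator, which is the kind of review an accounting file is kept for.

```python
from collections import Counter

# Assumed Shrubbery tac_plus accounting layout (not stated on the page):
# one record per line, tab-separated: timestamp, NAS address, user, port,
# remote address, record type (start/stop/update), then attribute=value pairs.
FIXED_FIELDS = ("timestamp", "nas", "user", "port", "rem_addr", "type")

# Constructed sample records, shaped like tac_plus accounting output.
SAMPLE_ACCT = """\
Fri Sep  9 22:02:00 2016\t10.0.0.1\tsean\ttty1\t10.0.0.2\tstart\ttask_id=12\tservice=shell
Fri Sep  9 22:02:05 2016\t10.0.0.1\tsean\ttty1\t10.0.0.2\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=show running-config
Fri Sep  9 22:03:10 2016\t10.0.0.1\tsean\ttty1\t10.0.0.2\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=configure terminal
Fri Sep  9 22:04:00 2016\t10.0.0.3\talan\ttty2\t10.0.0.9\tstop\ttask_id=15\tservice=shell\tpriv-lvl=1\tcmd=show version
"""

def parse_record(line):
    """Split one accounting line into the fixed fields plus an 'av' dict of attribute pairs."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIXED_FIELDS):
        return None  # malformed or truncated line: skip rather than guess
    rec = dict(zip(FIXED_FIELDS, parts))
    av = {}
    for pair in parts[len(FIXED_FIELDS):]:
        key, sep, value = pair.partition("=")
        if sep:
            av[key] = value
    rec["av"] = av
    return rec

def parse_accounting(text):
    """Parse a whole accounting file; blank and malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec:
            records.append(rec)
    return records

def privileged_commands(records, min_priv=15):
    """Return (user, nas, cmd) for stop records executed at or above min_priv."""
    hits = []
    for r in records:
        if r["type"] != "stop" or "cmd" not in r["av"]:
            continue
        try:
            priv = int(r["av"].get("priv-lvl", "0"))
        except ValueError:
            continue  # non-numeric priv-lvl: do not count it as privileged
        if priv >= min_priv:
            hits.append((r["user"], r["nas"], r["av"]["cmd"]))
    return hits

def commands_per_user(records):
    """Count command stop records per user for a quick per-operator activity view."""
    return Counter(r["user"] for r in records if r["type"] == "stop" and "cmd" in r["av"])

if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_ACCT)
    for user, nas, cmd in privileged_commands(recs):
        print(f"priv-15 command by {user} on {nas}: {cmd}")
    print(dict(commands_per_user(recs)))
```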
