[rancid] Full AAA logging / supported configuration

Sean spedersen.lists at gmail.com
Mon Sep 12 14:13:46 UTC 2016


Oh my God, I didn’t realize what list I was posting to. I’m subbed to both but for some reason hit rancid and not tac_plus.

I’d blame it on Monday, but it was Friday.

Sorry!

On 9/9/16, 11:35 PM, "Rancid-discuss on behalf of Alan McKinnon" <rancid-discuss-bounces at shrubbery.net on behalf of alan.mckinnon at gmail.com> wrote:

    On 09/09/2016 22:02, Sean wrote:
    > I'm on F4.0.4.26.
    >
    > I've seen a few examples of logging AAA with tac_plus. The most
    > documented is the "accounting" option.
    >
    > accounting syslog;
    >
    > -or-
    >
    > accounting file = /var/log/tac_plus.acct
    >
    > This works fine. I have it set up, logging correctly, logrotate running,
    > etc. It’s also documented just about everywhere I’ve seen, but seems
    > like it’s the only official means to log something.
    >
    > I'd like to log authentication and authorization as well, if possible.
    > I've come across reference to the following configuration:
    >
    > accounting log = /var/log/tac_plus/accounting.log
    > authentication log = /var/log/tac_plus/authentication.log
    > authorization log = /var/log/tac_plus/authorization.log
    >
    > This seems to be either a) outdated or b) poorly referenced as it
    > doesn't work globally. A reference configuration I have from a version
    > so old it's expressed in a date format (201211021744) places it within
    > an "id" container.
    >
    > id = tac_plus {
    >  accounting log = /var/log/tac_plus/accounting.log
    >  authentication log = /var/log/tac_plus/authentication.log
    >  authorization log = /var/log/tac_plus/authorization.log
    > }
    >
    > I haven't tried this in v4 yet since I can't find (presumably) current
    > reference for it, but it’s working in the older version.
    >
    > I've also found reference to setting the appropriate -d flags when
    > running tac_plus and getting this information as more of a "happy
    > accident" in whatever syslog files it ends up in vs. more programmatic
    > means.
    >
    > What’s the most appropriate / supported way to log this information, if any?
    
    
    tac_plus logs can easily go to syslog as they are daemon logs - the
    daemon itself generates them and they are much like logs from all other
    daemons, very suitable for sending to syslog.
    
    Accounting is another matter altogether, those logs are not a good fit
    for syslog and I never got them to work right. I always sent them to a
    regular disk file. The file you choose is entirely up to you, there is
    no standard and neither should there be. There is a default in the code
    but there's no reason you have to use it.
    
    The -d option is not a happy accident. It's a bit-encoded field where you
    tell tac_plus what type of entries to log.
    
    Lastly, this thread belongs on the tac_plus list.
    
    
    -- 
    Alan McKinnon
    alan.mckinnon at gmail.com
    
    _______________________________________________
    Rancid-discuss mailing list
    Rancid-discuss at shrubbery.net
    http://www.shrubbery.net/mailman/listinfo/rancid-discuss
