I had this problem with accounting on tacacs using syslog. <div>I have solved it using logstash to read the file, modify the records and send them to a central syslog.</div><div>However, I'm using splunk now, it's easy to search and report on events and if you don't have so much data (500MB a day) it is free. I replaced logstash with splunk light forwarder and it reads the logs and send them to the central splunk server.</div>
<div><br></div><div><br><div class="gmail_quote">2012/11/1 Alan McKinnon <span dir="ltr"><<a href="mailto:alan.mckinnon@gmail.com" target="_blank">alan.mckinnon@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, 31 Oct 2012 15:24:35 +0100<br>
"Gert Elnegaard" <<a href="mailto:geeln@tdc.dk">geeln@tdc.dk</a>> wrote:<br>
<br>
> Hi,<br>
><br>
> tac_plus version F4.0.4.19<br>
> so sending accounting to syslog should be supported.<br>
><br>
> running on FreeBSD 8.3-RELEASE-p4<br>
><br>
> having following config:<br>
><br>
> accounting syslog;<br>
> accounting file = /var/log/tac_plus.acct<br>
><br>
> logging = local6<br>
><br>
> and syslogd.conf<br>
><br>
> local6.* /var/log/tac_plus.log<br>
><br>
><br>
> accounting logs go OK to /var/log/tac_plus.acct. We have used that for<br>
> many years.<br>
><br>
> and I see, for example, following types of messages in<br>
> /var/log/tac_plus.log:<br>
><br>
> Oct 31 14:15:02 login20 tac_plus[23136]: connect from 62.135.173.4<br>
> [62.135.173.4]<br>
><br>
> So basic syslog'ing from tac_plus to syslog local6 facility works ok.<br>
> but I do not get any accounting records in tac_plus.log<br>
> I would like to see command accounting logs in tac_plus.log, similar<br>
> to those we see in tac_plus.acct:<br>
><br>
> Wed Oct 31 14:18:55 2012 213.236.195.47 nothowan ttyp1<br>
> 195.249.15.10 stop task_id=1 service=shell<br>
> elapsed_time=3606 process*mgd[27460] cmd=logout<br>
><br>
> Do you have any idea what the problem is?<br>
<br>
Yes, it essentially does not work.<br>
<br>
Tac_plus accounting logs are not really in a syslog format, all the<br>
syslog headers are not there. Remember that the device sends it's<br>
accounting logs to the server so to get them into syslog would require<br>
a lot of stripping out of timestamps and mangling of the log, and<br>
tac_plus does not know where the headrs end. This is against the spirit<br>
of logging.<br>
<br>
Apache has a similar problem - it's access and error logs don't go to<br>
syslog for a good reason - they do not fit into a syslog paradigm.<br>
<br>
A few versions ago there was a note in the ChangeLog about a config<br>
knob that could be tweaked to send accounting to syslog, but like you I<br>
never got it to work satisfactorily.<br>
<br>
What did work eventually was to configure my syslogger to read the<br>
acct files directly, apply the priority and facility I chose and send<br>
them on to the central syslogger. They are still mangled with two<br>
timestamps and two IP fields for each log but perl can be trained to<br>
deal with that when reporting. syslog-ng is the only syslogger I tested<br>
that lets you configure this in a sane rational way<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Alan McKinnon<br>
<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</font></span></blockquote></div><br></div>