https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3414858#M547953 <P>Please, I need an urgent assistance.</P> <P>&nbsp;</P> <P>I am new to TACACS and I have this assignment to come up with a process to send TACACS+ logs from a client's TACACS+ server to a remote Syslog server where we can take the information into our&nbsp;SIEM for correlation and review.</P> <P>&nbsp;</P> <P><STRONG><U>A Brief Overview</U></STRONG></P> <P>The client has a couple of CISCO switches. The individual switches in the client's network infrastructure use a Solaris TACACS+ server as the source for authentication. When logging Privileged User activity, our SIEM does not collect logs from any individual switch but collects them from the central TACACS+ server. TACACS+ logs can be retrieved by the SIEM infrastructure based upon the TACAS+ server using the Syslog push file transfer protocol. This method sends log messages from the TACACS+ server to a remote syslog server from where the SIEM will ingest the logs.</P> <P>&nbsp;</P> <P><U><STRONG>Request</STRONG></U></P> <P>Please, I need to know the line to add to the Solaris <EM>etc/syslog.conf</EM> file on the TACACS+ server that will activate the TACACS+ log forwarding from Solaris TACACS+ server to the Syslog server.</P> <P>&nbsp;</P> <P>I will appreciate a quick solution.</P> Fri, 21 Feb 2020 19:00:51 GMT chimobinwoko@yahoo.com 2020-02-21T19:00:51Z https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3414858#M547953 <P>Please, I need an urgent assistance.</P> <P>&nbsp;</P> <P>I am new to TACACS and I have this assignment to come up with a process to send TACACS+ logs from a client's TACACS+ server to a remote Syslog server where we can take the information into our&nbsp;SIEM for correlation and review.</P> <P>&nbsp;</P> <P><STRONG><U>A Brief Overview</U></STRONG></P> <P>The client has a couple of CISCO switches. The individual switches in the client's network infrastructure use a Solaris TACACS+ server as the source for authentication. When logging Privileged User activity, our SIEM does not collect logs from any individual switch but collects them from the central TACACS+ server. TACACS+ logs can be retrieved by the SIEM infrastructure based upon the TACAS+ server using the Syslog push file transfer protocol. This method sends log messages from the TACACS+ server to a remote syslog server from where the SIEM will ingest the logs.</P> <P>&nbsp;</P> <P><U><STRONG>Request</STRONG></U></P> <P>Please, I need to know the line to add to the Solaris <EM>etc/syslog.conf</EM> file on the TACACS+ server that will activate the TACACS+ log forwarding from Solaris TACACS+ server to the Syslog server.</P> <P>&nbsp;</P> <P>I will appreciate a quick solution.</P> Fri, 21 Feb 2020 19:00:51 GMT https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3414858#M547953 chimobinwoko@yahoo.com 2020-02-21T19:00:51Z https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3415013#M547955 <P>Add this below line :</P> <P>&nbsp;</P> <P><SPAN>*.err;kern.debug&nbsp; &nbsp; &nbsp;@192.168.1.1&nbsp; (192.168.1.1 is the syslog server where you send the messages - eample sending err and kernel messages to syslog server)</SPAN></P> <P>&nbsp;</P> <P><SPAN>restart system-log</SPAN></P> <P>&nbsp;</P> <P><SPAN>and test it</SPAN></P> <P>&nbsp;</P> <P><SPAN>BB</SPAN></P> Thu, 12 Jul 2018 22:13:43 GMT https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3415013#M547955 balaji.bandi 2018-07-12T22:13:43Z https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3415020#M547957 Thank you very much <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286878">@balaji.bandi</a>. I am very grateful. You have given me a great solution.<BR /><BR />But if I want to send only AAA events from TACACS+, what syslog facilities do I reference? That is instead of sending kernel and err messages, I send only TACACS+ Authentication and Authorization logs.<BR /> Thu, 12 Jul 2018 23:04:41 GMT https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3415020#M547957 chimobinwoko@yahoo.com 2018-07-12T23:04:41Z https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3416004#M547958 <P><SPAN>logging level aaa 6&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>BB</SPAN></P> Sun, 15 Jul 2018 20:58:38 GMT https://community.cisco.com/t5/network-access-control/how-do-i-send-tacacs-logs-from-tacacs-server-to-a-remote-syslog/m-p/3416004#M547958 balaji.bandi 2018-07-15T20:58:38Z