07-12-2018 09:13 AM - edited 02-21-2020 11:00 AM
Please, I need urgent assistance.
I am new to TACACS and I have this assignment to come up with a process to send TACACS+ logs from a client's TACACS+ server to a remote Syslog server where we can take the information into our SIEM for correlation and review.
A Brief Overview
The client has a couple of Cisco switches. The individual switches in the client's network infrastructure use a Solaris TACACS+ server as the source for authentication. When logging Privileged User activity, our SIEM does not collect logs from any individual switch but collects them from the central TACACS+ server. TACACS+ logs can be retrieved by the SIEM infrastructure based upon the TACACS+ server using the Syslog push file transfer protocol. This method sends log messages from the TACACS+ server to a remote syslog server from where the SIEM will ingest the logs.
Request
Please, I need to know the line to add to the Solaris etc/syslog.conf file on the TACACS+ server that will activate the TACACS+ log forwarding from the Solaris TACACS+ server to the Syslog server.
I will appreciate a quick solution.
07-12-2018 03:13 PM
Add the line below:
*.err;kern.debug @192.168.1.1
(192.168.1.1 is the syslog server where you send the messages; this example sends err and kernel messages to the syslog server)
restart system-log
and test it
BB
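A pre-restart check for the forwarding line suggested above, as an added example that is not part of the original thread: syslog.conf(4) defines the selector and action as TAB-separated fields, so a rule pasted with a space before `@host` is a common reason forwarding does not work. The function name `check_forwarding` and the sample file contents are constructed for illustration.

```shell
# check_forwarding FILE  (hypothetical helper, added for illustration)
# Prints "OK <line> <selector> <host>" for each well-formed remote rule and
# "BAD <line> <reason>" otherwise. Returns 0 only if there is at least one
# OK rule and no BAD rule.
check_forwarding() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            if (!match($0, /[ \t]+/) || RSTART == 1) next
            sel = substr($0, 1, RSTART - 1)      # facility.level list
            sep = substr($0, RSTART, RLENGTH)    # whitespace between fields
            act = substr($0, RSTART + RLENGTH)   # action field
            sub(/[ \t]+$/, "", act)
            if (act !~ /^@/) next                # local file, console, m4 macro
            if (sep ~ / /) {
                # syslog.conf(4) defines the fields as TAB-separated, so
                # conservatively flag any space in the separator.
                printf "BAD %d %s: space in separator, use TAB\n", NR, sel
                bad++
            } else if (act !~ /^@[A-Za-z0-9._-]+$/) {
                printf "BAD %d %s: unexpected text after @host\n", NR, sel
                bad++
            } else {
                printf "OK %d %s %s\n", NR, sel, substr(act, 2)
                ok++
            }
        }
        END { exit ((bad > 0 || ok == 0) ? 1 : 0) }
    ' "$1"
}

# Constructed sample input (not taken from the server in the thread).
sample=$(mktemp)
{
    printf '# constructed sample\n'
    printf '*.err;kern.debug\t@192.168.1.1\n'
    printf 'auth.info @192.168.1.1\n'
} > "$sample"
check_forwarding "$sample" || echo "fix the BAD lines before restarting syslogd"
rm -f "$sample"
```

On the server, point the function at /etc/syslog.conf before restarting system-log; a non-zero return means either no remote rule exists or one of them is malformed.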
07-12-2018 04:04 PM
07-15-2018 01:58 PM
logging level aaa 6
BB