How do I send TACACS+ logs from TACACS+ Server to a remote Syslog server?

Please, I need urgent assistance.

 

I am new to TACACS and I have this assignment to come up with a process to send TACACS+ logs from a client's TACACS+ server to a remote Syslog server where we can take the information into our SIEM for correlation and review.

 

A Brief Overview

The client has a couple of Cisco switches. The individual switches in the client's network infrastructure use a Solaris TACACS+ server as the source for authentication. When logging Privileged User activity, our SIEM does not collect logs from any individual switch but collects them from the central TACACS+ server. TACACS+ logs can be retrieved by the SIEM infrastructure based upon the TACACS+ server using the Syslog push file transfer protocol. This method sends log messages from the TACACS+ server to a remote syslog server from where the SIEM will ingest the logs.

 

Request

Please, I need to know the line to add to the Solaris etc/syslog.conf file on the TACACS+ server that will activate the TACACS+ log forwarding from Solaris TACACS+ server to the Syslog server.

 

I will appreciate a quick solution.

3 REPLIES

Add the line below:

 

*.err;kern.debug     @192.168.1.1  (192.168.1.1 is the syslog server where you send the messages - example sending err and kernel messages to syslog server)

 

restart system-log

 

and test it

 

BB

*** Rate All Helpful Responses ***

Thank you very much @balaji.bandi. I am very grateful. You have given me a great solution.

But if I want to send only AAA events from TACACS+, what syslog facilities do I reference? That is, instead of sending kernel and err messages, I send only TACACS+ Authentication and Authorization logs.

logging level aaa 6 

 

BB

*** Rate All Helpful Responses ***
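
Added example, not part of the thread or written by any of its posters: a Python check of which facility.severity pairs a syslog.conf rule forwards, using classic selector semantics (a per-facility threshold, later selectors overriding earlier ones, TAB-separated fields on Solaris). The `local6` facility, the `info`/`notice` severities and the sample events are assumptions; the thread does not say where the TACACS+ daemon logs.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron"] + [f"local{i}" for i in range(8)])

def parse_rule(line):
    """Return ({facility: threshold index or None}, action) for one rule line."""
    m = re.fullmatch(r"(\S+)(\s+)(\S.*)", line.strip("\n"))
    if not m:
        raise ValueError("expected '<selector><TAB><action>'")
    selector, sep, action = m.groups()
    if set(sep) != {"\t"}:
        # Solaris syslogd requires TABs, not spaces, between the two fields.
        raise ValueError("selector and action must be separated by TABs")
    thresholds = {}
    for part in selector.split(";"):       # later selectors override earlier ones
        facs, _, level = part.rpartition(".")
        if level != "none" and level not in SEVERITIES:
            raise ValueError(f"unknown level {level!r}")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            thresholds[fac] = None if level == "none" else SEVERITIES.index(level)
    return thresholds, action.strip()

def forwarded(line, events):
    """Filter (facility, severity, text) events down to those the rule sends on."""
    thresholds, _ = parse_rule(line)
    out = []
    for fac, sev, text in events:
        limit = thresholds.get(fac)        # None: facility excluded or not listed
        if limit is not None and SEVERITIES.index(sev) <= limit:
            out.append(text)
    return out

PAGE_RULE = "*.err;kern.debug\t@192.168.1.1"   # selector and target from the reply
AAA_RULE = "local6.info\t@192.168.1.1"         # assumption: daemon logs to local6

# Constructed sample events; facility and severity of the AAA lines are assumed.
EVENTS = [
    ("kern", "debug", "kernel debug message"),
    ("mail", "err", "mail delivery error"),
    ("local6", "info", "tacacs login success user=alice"),
    ("local6", "notice", "tacacs authorization denied user=bob"),
]

if __name__ == "__main__":
    print("page rule forwards:", forwarded(PAGE_RULE, EVENTS))
    print("AAA rule forwards: ", forwarded(AAA_RULE, EVENTS))
```

Under these assumptions the `*.err;kern.debug` selector drops info- and notice-level AAA records, so a rule naming the daemon's actual facility at the right level is needed before the SIEM sees them.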