cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3522
Views
5
Helpful
3
Replies

How do I send TACACS+ logs from TACACS+ Server to a remote Syslog server?

Please, I need an urgent assistance.

 

I am new to TACACS and I have this assignment to come up with a process to send TACACS+ logs from a client's TACACS+ server to a remote Syslog server where we can take the information into our SIEM for correlation and review.

 

A Brief Overview

The client has a couple of CISCO switches. The individual switches in the client's network infrastructure use a Solaris TACACS+ server as the source for authentication. When logging Privileged User activity, our SIEM does not collect logs from any individual switch but collects them from the central TACACS+ server. TACACS+ logs can be retrieved by the SIEM infrastructure based upon the TACAS+ server using the Syslog push file transfer protocol. This method sends log messages from the TACACS+ server to a remote syslog server from where the SIEM will ingest the logs.

 

Request

Please, I need to know the line to add to the Solaris etc/syslog.conf file on the TACACS+ server that will activate the TACACS+ log forwarding from Solaris TACACS+ server to the Syslog server.

 

I will appreciate a quick solution.

3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

Add this below line :

 

*.err;kern.debug     @192.168.1.1  (192.168.1.1 is the syslog server where you send the messages - eample sending err and kernel messages to syslog server)

 

restart system-log

 

and test it

 

BB

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you very much @balaji.bandi. I am very grateful. You have given me a great solution.

But if I want to send only AAA events from TACACS+, what syslog facilities do I reference? That is instead of sending kernel and err messages, I send only TACACS+ Authentication and Authorization logs.

logging level aaa 6 

 

BB

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: