GitHub - henriots/graylog-tacacs: Tacacs+ Content pack for Graylog

Tacacs+ Content pack for Graylog

Tested with Cisco

If you don't like to use whole content pack, just import the extractors for your Tacacs log input.

Linux config

vim /etc/tacacs+/tac_plus.conf

accounting file = /var/log/tac_plus.acct

RSYSLOG

vim /etc/rsyslog.conf

module(load="imfile" PollingInterval="1") #needs to be done just once

# File 1
	
input(type="imfile"
	
File="/var/log/tac_plus.acct"
	
Tag="tacacs-audit"
	
Severity="info"
	
Facility="local3")

local3.* @<GRAYLOG-SERVER-IP/NAME:4949

FILEBEAT

vim /etc/filebeat/filebeat.yml

filebeat.inputs:

- type: log
  enabled: true
# Paths that should be crawled and fetched. Glob based paths.
  paths:
	    - /var/log/tac_plus.acct
  tail_files: true
output.logstash:
# The Logstash hosts
  hosts: ["<GRAYLOG-SERVER-IP:PORT>"]

Name		Name	Last commit message	Last commit date
Latest commit History 19 Commits
LICENSE		LICENSE
README.md		README.md
_config.yml		_config.yml
content_pack-tacacs.json		content_pack-tacacs.json
extractors.json		extractors.json
tacacs-beats-content_pack.json		tacacs-beats-content_pack.json
tacacs-beats-extractors		tacacs-beats-extractors

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Linux config

RSYSLOG

FILEBEAT

About

Releases

Packages

License

henriots/graylog-tacacs

Folders and files

Latest commit

History

Repository files navigation

Linux config

RSYSLOG

FILEBEAT

About

Topics

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Packages