Commands visibility in syslog files

Kamal_M · August 27, 2018, 12:10pm

@Team confd,

we have commands in config & exec mode which upon applying can be seen in audit.log file.

Example:
config mode cmds:
network vrf <vrf_name> vpn-id

exec mode:
config terminal
show running
show running | include router

Requirement:
Do we have facility to send these logs to syslog files ?

Thanks in advance,
Kamal

waitai · August 27, 2018, 4:45pm

Certain logs, such as ConfD’s daemon log, can be configured through confd.conf to be sent to syslog. However, there is no such support for the audit log. What you can do is to subscribe to the CONFD_NOTIF_AUDIT message and make a call to syslog with the necessary audit log related information you are interested in in order to get them in syslog. You can find information on how to subscribe to the CONFD_NOTIF_AUDIT message in the example under examples.confd/misc/notifications.

per · August 27, 2018, 8:53pm

The audit log can also be configured to be sent to syslog - from the confd.conf(5) manual page:

   /confdConfig/logs/auditLog - container element
       auditLog is an audit log recording successful and failed logins to
       the ConfD backplane. This log is enabled by default. In all other
       regards it can be configured as /confdConfig/logs/confdLog. This
       log is not rotated, i.e. use logrotate(8).

and:

   /confdConfig/logs/confdLog/syslog/enabled (boolean) [false]
       enabled is either "true" or "false". If "true", syslog messages are
       sent.

I.e. just set /confdConfig/logs/auditLog/syslog/enabled to “true”.

Kamal_M · August 28, 2018, 10:46am

per,

we tried changes as suggested by you.
Basically we edited xml file as mentioned below:

    <auditLog>
        <enabled>true</enabled>
        <file>
            <enabled>true</enabled>
            <name>/var/opt/nec/vcpe/log/audit.log</name>
        </file>
        <syslog>
        <file>
            <enabled>true</enabled>
            <name>/var/opt/nec/vcpe/log/audit_syslog.log</name>
        </file>
        </syslog>
    </auditLog>

But we are not able to see audit_syslog.log created after rebooting the system.

per · August 28, 2018, 7:45pm

No, that was not what I suggested. But more importantly, I think you need to read up on what syslog actually is and how it works before attempting to use it. The basic idea is that applications such as ConfD send log messages to a syslog server, and the syslog server’s configuration determines what to do with the messages. Applications do not tell the syslog server what file to write the messages to, or even that they should be written to a file at all. That way you get centralized management of the logging for all applications, as well as for the OS itself.

To be specific, I suggested that you set /confdConfig/logs/auditLog/syslog/enabled to “true”. In the above xml, you are attempting to set /confdConfig/logs/auditLog/syslog/file/enabled and /confdConfig/logs/auditLog/syslog/file/name, neither of which exist in the confd.conf schema. ConfD won’t even start if given such an invalid config, just give an error message and terminate. You can have a look at confd.conf in e.g. one of the “intro” examples in the release, it seems they are all setup to send the audit log to both file and syslog.

Kamal_M · August 29, 2018, 8:02am

per,

with the below change issue has been resolved.

    <auditLog>
        <enabled>true</enabled>
        <file>
            <enabled>true</enabled>
            <name>/var/opt/nec/vcpe/log/audit.log</name>
        </file>
        <syslog>
            <enabled>true</enabled>
        </syslog>
    </auditLog>

We are able to see audit logs in syslog file (/var/log/messages) .

Regards,
Kamal

Kamal_M · August 29, 2018, 8:10am

@per, @waitai,

We have below requirement too,

As communicated earlier audit logs are logged to syslog, we have the same requirement for tacacs also.
do we have such facility ?

I have gone though info as mentioned in the below post.

It basically explains authentication related stuff but not logging.

Could you please provide some information.

Thanks in advance,
Kamal

per · August 29, 2018, 9:23am

Great! Now you can also optionally make use of the syslog functionality that does allow applications to pass info that helps the syslog server make decisions about how to process the log messages, by setting the facility. Setting /confdConfig/logs/auditLog/syslog/facility to “authpriv” should be appropriate - this will probably make your syslog server write the audit messages to /var/log/auth.log or something like that, instead of /var/log/messages. (The default facility is “daemon”.)

per · August 29, 2018, 9:29am

I’m not sure what you are asking about here - ConfD’s audit-logging of CLI commands is not dependant on how authentication was done (local/PAM/external). The audit-logging of the actual authentication and group assignment is also done regardless of the authentication method. If your TACACS+ server does some logging, that is obviously outside of ConfD’s control.

Kamal_M · September 4, 2018, 6:26am

@per, @waitai
I just want to make it simple.

We have enabled tacacs server in one machine & client in another.
We track activity done in client by sending all the information to server. activity here is all the commands applied on bash(ls, cd, vim etc.).
same way we need to track all the commands applied on configuration & exec mode (commands as mentioned in above messages).
This is related to TACACS+ Accounting, do we have such facility.

Please let me know whether my explanation is clear.

Thanks,
Kamal

per · September 4, 2018, 9:04am

I believe you should subscribe to the audit log messages via confd_notifications_connect() with CONFD_NOTIF_AUDIT, and forward them to the TACACS+ server. See the Notifications chapter in the User Gudie, the confd_lib_events(3) manual page, and the misc/notifications example.