Skip to content
This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

henriots/graylog-tacacs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

_config.yml

_config.yml

 
 

content_pack-tacacs.json

content_pack-tacacs.json

 
 

extractors.json

extractors.json

 
 

tacacs-beats-content_pack.json

tacacs-beats-content_pack.json

 
 

tacacs-beats-extractors

tacacs-beats-extractors

 
 

Repository files navigation

Tacacs+ Content pack for Graylog

Tested with Cisco

If you don't like to use whole content pack, just import the extractors for your Tacacs log input.

Linux config

vim /etc/tacacs+/tac_plus.conf

accounting file = /var/log/tac_plus.acct

RSYSLOG

vim /etc/rsyslog.conf

module(load="imfile" PollingInterval="1") #needs to be done just once

# File 1
	
input(type="imfile"
	
File="/var/log/tac_plus.acct"
	
Tag="tacacs-audit"
	
Severity="info"
	
Facility="local3")

local3.* @<GRAYLOG-SERVER-IP/NAME:4949

FILEBEAT

vim /etc/filebeat/filebeat.yml

filebeat.inputs:

- type: log
  enabled: true
# Paths that should be crawled and fetched. Glob based paths.
  paths:
	    - /var/log/tac_plus.acct
  tail_files: true
output.logstash:
# The Logstash hosts
  hosts: ["<GRAYLOG-SERVER-IP:PORT>"]

About

Tacacs+ Content pack for Graylog

Topics

networking graylog filebeat graylog2 tacacs-plus content-pack

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published