On Oct 20, 2022, at 8:57 AM, Coy Hile <coy.hile@coyhile.com> wrote:
Good morning,
I have an interesting use case for the linelog module. I want to get information about successful and unsuccessful authentication attempts in one place in a format that is easily consumable by, e.g. log shipping tools. So far, I’ve found that I can do a config snippet such as
Access-Accept = "%T Accepted User: %{User-Name} NAS-IP-Address %{NAS-IP-Address} Access-Level: %{Tmp-String-0}”
to get the user, device and access level granted to the engineer.
Is there any way that we could get the VSAs that get returned so we could log them here as well? Sure, we get them in the detailed reply_logs, but those aren’t the most useful thing for a log aggregation tool to parse. If I know the device is, e.g. Cisco or Juniper, I’d just log %{Cisco-AVPair} or %{JunOS-Local-User-Name}, but I’d rather do that in a more vendor-agnostic way if I can.
That's difficult, because there's no easy way to say "all VSAs".
Worst case, I can just use the detail files if necessary and let the log-shipping tool figure it out.
That might be simplest. Alan DeKok.