FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

Chris Decker csd126 at psu.edu
Thu Sep 5 19:29:05 CEST 2013


All,

I could use some help in understanding my options for the following scenario:
In our environment, FreeRADIUS currently writes its Accounting logs to the local drive - one file per authorized client.  In addition to the local logging, the Security group wants the Accounting logs sent to their logging cluster (in real-time) so they can put them in their elasticsearch database and respond to incidents.

My question: What is the best way to make both the Ops and Security groups happy given the below limitations:
- The Security group does not want to pull the logs from MySQL, as they want to use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, causing their production FreeRADIUS servers to eventually stop responding to requests.

------

The options we are exploring, in order of preference:
1. "Robust Accounting" - the Ops team believes there is a way to have the logs written to two locations simultaneously - locally and remotely, and if the remote connection is lost it does not impact operations.  Is this possible?  Does anyone have a sample config they could share?
2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  A script would then essentially 'tail -f' the log file and stream the logs to the Security group (and would handle the hourly filename changes obviously).
3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local file AND send remotely to the Security group.  The Ops group wants to avoid syslog if at all possible.
4. Re-configure FreeRADIUS to also log to MySQL.  The Security group would then have to figure out a way to pull the data out in near-real time and insert it into their own database, which they would like to avoid.



Any comments or suggestions are welcome.




Thanks,
Chris
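Option 2 above, as an added example (not part of the original post and not FreeRADIUS code): a follower that reads only complete records from the hourly file, finishes the old file when the hour rolls over, and returns the new position for the caller to commit after delivery. It assumes the usual detail layout (a timestamp line, tab-indented `Attribute = value` lines, a blank line after each record); the function names and file names are made up for the example.

```python
import json
import os
import tempfile

def parse_record(block):
    """One detail record (timestamp header + tab-indented 'Attr = value' lines) -> dict."""
    lines = block.strip().splitlines()
    rec = {"header": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.strip().partition(" = ")
        if sep:  # attributes may repeat, so every value is kept in a list
            rec.setdefault(name, []).append(value.strip('"'))
    return rec

def drain(path, offset):
    """Return (records, new_offset) for the complete records found after offset."""
    try:
        with open(path, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
    except FileNotFoundError:  # the new hour's file has not been created yet
        return [], offset
    end = data.rfind(b"\n\n")  # a blank line closes a record
    if end < 0:  # only a half-written record so far
        return [], offset
    blocks = data[:end].decode("utf-8", "replace").split("\n\n")
    return [parse_record(b) for b in blocks if b.strip()], offset + end + 2

def step(path_now, state):
    """One poll of the file for the current hour; state is (path, offset).

    Returns (records, new_state). Keep new_state only once the records have
    been delivered, so an unreachable collector just means a later retry.
    """
    path, offset = state
    records = []
    if path is not None and path != path_now:
        records, _ = drain(path, offset)  # hour rolled over: finish the old file
        offset = 0
    more, offset = drain(path_now, offset)
    return records + more, (path_now, offset)

if __name__ == "__main__":
    # Constructed sample record, not taken from a real server.
    sample = 'Thu Sep  5 19:29:05 2013\n\tUser-Name = "bob"\n\tAcct-Status-Type = Start\n\n'
    with tempfile.NamedTemporaryFile("w", suffix=".detail", delete=False) as tmp:
        tmp.write(sample)
    records, state = step(tmp.name, (None, 0))
    print("\n".join(json.dumps(r) for r in records))  # one JSON line per record
    os.unlink(tmp.name)
```

The follower runs as its own process and only reads the file, so a lost connection to the collector delays delivery without touching the RADIUS server; the price is at-least-once delivery, so the receiving side should tolerate duplicates.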

