Best practices for logging in production environment?

Angel L. Mateo amateo at um.es
Fri Mar 27 13:14:31 CET 2015


On 27/03/15 at 01:12, Mohamed Lrhazi wrote:
> Thanks Matthew.
>
> Adding it to inner-tunnel did indeed make my log:
>
>
> 2015-03-26 20:02:49: Access-Reject: r="mschap: MS-CHAP2-Response is
> incorrect" u=wire...
> 2015-03-26 20:02:49: Access-Reject: r="eap: Failed continuing EAP PEAP (25)
> session. EAP sub-module failed" u=wire...
>
> in inner-tunnel I have:
>
> post-auth {
>                  linelog
>                  #reply_log
>                  -sql
>                  Post-Auth-Type REJECT {
>                          linelog
>                          #reply_log
>                          -sql
>                          attr_filter.access_reject
>                  }
>          }
>
>
> In -X, I do see:
>
> Login incorrect (mschap: MS-CHAP2-Response is incorrect): [ml623]
>
>
> So, ideally, I would prefer something like this in my resulting log:
>
> 2015-03-26 20:02:49: Access-Reject: r="Login incorrect (mschap:
> MS-CHAP2-Response is incorrect)"
>
	You can update the Module-Failure-Message just before the linelog with 
something like:

post-auth {
   Post-Auth-Type REJECT {
     update {
       Module-Failure-Message := "Login incorrect: %{Module-Failure-Message}"
     }
   }
   linelog
   ...
}

	What I don't know is whether there is any variable in the response already 
containing the "Login incorrect" string shown with the -X option.
> But this is much better than what I had started with. Thanks a lot.
>
> Mohamed.
>
>
>
>
>
>
> On Thu, Mar 26, 2015 at 7:42 PM, Matthew Newton <mcn4 at leicester.ac.uk>
> wrote:
>
>> On Thu, Mar 26, 2015 at 07:24:24PM -0400, Mohamed Lrhazi wrote:
>>> I see that if run with -X, I see this log:
>>>
>>> (23)  } #  authenticate = invalid
>>> (23) Failed to authenticate the user.
>>> (23) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP
>>> sub-module failed): [ml623] (from client gu_net_141_161 port 0 cli
>>> 02-00-00-00-00-01)
>>> (23) Using Post-Auth-Type Reject
>>> (23) # Executing group from file /etc/freeradius/sites-enabled/default
>>
>> If you're logging that in the default (outer) server, try logging
>> it from the inner-tunnel post-auth, just after you've done the
>> actual authentication?
>>
>> If that comes up with what you're after, you can use unlang to
>> copy the Module-Failure-Message to the outer request for logging
>> there if you prefer.
>>
>> Matthew
>>
>>
>> --
>> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>>
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>>
>> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337
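
An added example, not part of the original message and not FreeRADIUS code: with linelog enabled in inner-tunnel, the two log lines quoted in the thread share one timestamp (the inner mschap reason and the outer generic eap line), so this script merges such pairs into one reject event and counts MS-CHAP mismatches per user. It assumes the line shape quoted in the thread and that both lines of one reject carry the same second and the same `u=` value; the user names in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line shape, taken from the two log lines quoted in the thread:
#   2015-03-26 20:02:49: Access-Reject: r="<reason>" u=<user>
LINE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): Access-Reject: r="(.*)" u=(\S+)$')

# Constructed sample (user names invented); the thread's own lines are truncated.
SAMPLE = """\
2015-03-26 20:02:49: Access-Reject: r="mschap: MS-CHAP2-Response is incorrect" u=alice
2015-03-26 20:02:49: Access-Reject: r="eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed" u=alice
2015-03-26 20:03:10: Access-Reject: r="eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed" u=bob
2015-03-26 20:03:31: Access-Reject: r="mschap: MS-CHAP2-Response is incorrect" u=alice
2015-03-26 20:03:31: Access-Reject: r="eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed" u=alice
this line is not a reject record
"""

def is_generic(reason):
    """The outer server's wrapper message says nothing about the real cause."""
    return reason.startswith("eap:") and "sub-module failed" in reason

def reject_events(text):
    """Merge the inner-tunnel and outer lines of one reject into a single event."""
    grouped = defaultdict(list)          # (timestamp, user) -> reasons seen
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:                            # anything that is not a reject record is skipped
            ts, reason, user = m.groups()
            grouped[(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user)].append(reason)
    events = []
    for (ts, user), reasons in sorted(grouped.items()):
        specific = [r for r in reasons if not is_generic(r)]
        # Prefer the inner-tunnel reason; fall back to the generic EAP one.
        events.append((ts, user, specific[0] if specific else reasons[0]))
    return events

def bad_password_counts(events):
    """Count rejects per user whose best available reason is an MS-CHAP mismatch."""
    counts = defaultdict(int)
    for _, user, reason in events:
        if reason.startswith("mschap:"):
            counts[user] += 1
    return dict(counts)

if __name__ == "__main__":
    for ts, user, reason in reject_events(SAMPLE):
        print(ts, user, reason)
```

Two rejects of the same user within one second collapse into a single event under the grouping assumption, so the per-user counts are a lower bound.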


More information about the Freeradius-Users mailing list