Correlating request and accept/reject log?

Alan DeKok aland at deployingradius.com
Fri Mar 31 17:32:29 CEST 2017


On Mar 31, 2017, at 11:17 AM, jm+freeradiususer at roth.lu wrote:
> 
>> If you know better than me, why are you asking questions on this list?
> 
> I'm sorry I did not realize there was a "new %n" and an "old %n" (duh). I
> also didn't realize that there is a difference between a "request number"
> and a "request ID". Well, now I do.

  That's fine.  The problem is when you ask a question and get an answer, don't tell me I'm wrong.  Honestly, I have *never* understood that mentality.  It's one thing to say "are you sure?" or "I found X when you said Y, is that the same thing"?

  It's another thing entirely to have a flat-out "No, that's not what you meant".  It's rude.

>> It requires you to read the documentation.
> 
> Ok, let me rephrase my query in a neutral manner. These are the
> documentations that I am currently aware of:
> * The comments in the config files (as they are included with our distort,

  Which is the best and most up to date source of documentation.

> sometimes also a search at
> https://github.com/FreeRADIUS/freeradius-server/ to be on the safe side)

  Which just gets you a fancier search on the same data.

> * http://freeradius.org/radiusd/man/

  Which is just a copy of the "man" pages that come with the server.

> * http://wiki.freeradius.org/...

  That has a lot of information.

> * Searching the mailing list may also prove fruitful

  Mainly for "how do I configure some complex scenario", i.e. use-cases.  As I said already, we don't document every single use-case.  It's impossible.

> * http://networkradius.com/doc/current/ + unfinished docs at the bottom of
> http://networkradius.com/freeradius-documentation/
> * http://deployingradius.com/

  Those are all good.

> Would there be any other resources that you would add to the list?

  No, that's it.

> BTW concerning the last two resources I mentioned, I'm not really sure if
> it's official and/or up-to-date (well it should be since they are
> interlinked).

  Since I wrote all 3 of those last links, yes, they're up to date, they're correct, and there's nothing wrong in them.

>> linelog
> 
> Thank you. I couldn't find anything appropriate at
> http://freeradius.org/radiusd/man/index.html#modules. Well I could just
> have looked in /etc/raddb/mods-available.

  And that's my point.

> Let me provide an example how things are sometimes not clear, maybe you
> can explain how you would have reasoned in this case in order to find the
> solution:

  As a GOOD question on the list:

Q: "Hi, I want to have a file which logs information about the packets.  Ideally, one line per entry.  Also, being able to correlate requests and replies in that file would be useful."

A: use linelog.  Use %n, here's how.

  Instead, you went down a rats nest of detail files, arguing, and searching other documentation.

> As far as logging to SQL is concerned it is indeed not very difficult.
> Here is what I did:
> 1) I installed the freeradius-server-mysql package (depends on your
> distro, if you compile from source you probably have it out-of-the-box)
> 2) I then enabled the mysql module, so far so good
> 3) I inserted "sql" into the post-auth section of the virtual server (and
> also the "Post-Auth REJECT" sub-section)
> 4) To start easily, I decided to have FreeRadius write the SQL queries to
> a file, to that end I uncommented "logfile = ${logdir}/sqllog.sql" in
> /etc/raddb/mods-enabled/sql.
> However, nothing got logged. It turned out you need to uncomment the
> "logfile" entry in the post-auth{} section of
> "/etc/raddb/mods-config/sql/main/mysql/queries.conf".

  In recent versions of the server, the comments about "logfile" in raddb/mods-enabled/sql also tell you to look in the subdirectories.

  Those comments && fixes went in almost 2 years ago.

> So,
> 1) How did I find that out? Well, I saw
> /etc/raddb/mods-config/sql/main/mysql/queries.conf being included at the
> bottom of /etc/raddb/mods-enabled/sql. So I went there and saw that it
> contained a post-auth{} section with a commented "logfile" entry that I
> uncommented. At that point, I was guessing. That's why I'm asking how I
> would have been supposed to find that solution.
> 2) I guess "logfile" from /etc/raddb/mods-enabled/sql then is only used
> when not using rlm_sql_null? Indeed, it makes sense that you don't write
> to disk twice, but c'mon ;-)

  If only there was a newer version of the server available with updated docs, and bugs fixed...

> Please have mercy with the people that didn't actually code this software :)

  My problem is not that you're new to it.  My problem is you ask bad questions, and then argue with the answers.

  If you had asked good questions, you would have had the answer in about 5 minutes.  Again, I have no idea why this is surprising.  This should be a lesson for *you* to ask better questions, not to blame *me* for anything.

  Alan DeKok.




More information about the Freeradius-Users mailing list