puzzled by unusual freeradius log format
andris at everylayer.com
Fri Jun 15 18:57:37 CEST 2018
I'm trying to process freeradius logs into logstash / elasticsearch. I'm
finding that the log format of my freeradius server seems different from
the standard freeradius log examples I'm seeing in search results
The freeradius log lines are multiline with indentation *but* each line of
a multiline event begins with a (nnnnnn) index number prior to the
indentation for example:
(65216309) Received Accounting-Request Id 151 from 10.5.0.102:17420 to
10.5.0.172:2813 length 469
(65216309) Acct-Status-Type = Interim-Update
(65216309) User-Name = "60:21:01:9f:9c:54"
(65216309) Framed-IP-Address = 10.80.137.221
(65216309) Calling-Station-Id = "60:21:01:9f:9c:54"
I can't seem to find explanation of this format in freeradius docs or what
this leading number represents, and I can't seem to find where it is
configured. Can anyone help me understand where these (nnnnn) index
numbers come from in the logs? Ultimately my goal is correctly reassembling
these lines in ELK using multiline processing.
My freeradius server OS is CentOS Linux release 7.4.1708
My freeradius version is freeradius-3.0.15-5.el7.centos.x86_64
Andris Bjornson | EveryLayer <http://www.everylayer.com/>
More information about the Freeradius-Users