puzzled by unusual freeradius log format

Alan DeKok aland at deployingradius.com
Fri Jun 15 22:11:41 CEST 2018


On Jun 15, 2018, at 12:57 PM, Andris Bjornson <andris at everylayer.com> wrote:
> I'm trying to process freeradius logs into logstash / elasticsearch.  I'm
> finding that the log format of my freeradius server seems different from
> the standard freeradius log examples I'm seeing in search results.
> 
> The freeradius log lines are multiline with indentation *but* each line of
> a multiline event begins with a (nnnnnn) index number prior to the
> indentation, for example:
> 
> (65216309) Received Accounting-Request Id 151 from 10.5.0.102:17420 to
> 10.5.0.172:2813 length 469
> (65216309)   Acct-Status-Type = Interim-Update

  That's the normal debug output.  The digits are the request number.

> I can't seem to find explanation of this format in freeradius docs or what
> this leading number represents, and I can't seem to find where it is
> configured.  Can anyone help me understand where these (nnnnn) index
> numbers come from in the logs? Ultimately my goal is correctly reassembling
> these lines in ELK using multiline processing.

  The lines which begin with the same number all belong to the same request.  The number is unique for every request.

  Alan DeKok.
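
Added example, not part of the original message and not FreeRADIUS or Logstash code: one way to reassemble debug lines into per-request events by keying on the leading request number instead of on line adjacency. It goes beyond the thread by assuming lines from different requests may be interleaved; the sample lines (apart from the two quoted above), the function names and the output field names are constructed for illustration.

```python
import json
import re

# Constructed sample: two requests with interleaved lines plus one unnumbered line.
SAMPLE = """\
(65216309) Received Accounting-Request Id 151 from 10.5.0.102:17420 to 10.5.0.172:2813 length 469
(65216309)   Acct-Status-Type = Interim-Update
(65216310) Received Accounting-Request Id 152 from 10.5.0.102:17420 to 10.5.0.172:2813 length 470
(65216309)   Acct-Session-Time = 300
(65216310)   Acct-Status-Type = Stop
Ready to process requests
"""

NUMBERED = re.compile(r"^\((\d+)\) ?(.*)$")                # "(nnn) rest of line"
ATTRIBUTE = re.compile(r"^\s+([A-Za-z0-9_.-]+) = (.*)$")   # indented "Name = Value"


def group_by_request(lines):
    """Map request number -> its lines (prefix removed, indentation kept)."""
    events, unnumbered = {}, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = NUMBERED.match(line)
        if m:
            events.setdefault(int(m.group(1)), []).append(m.group(2))
        else:
            unnumbered.append(line)  # lines that are not tied to any request
    return events, unnumbered


def to_document(number, lines):
    """Turn one request's lines into a JSON-ready dict (hypothetical field names)."""
    doc = {"request": number, "summary": lines[0].strip(), "attributes": {}, "other": []}
    for line in lines[1:]:
        m = ATTRIBUTE.match(line)
        if m:  # an attribute may repeat within a request, so keep a list per name
            doc["attributes"].setdefault(m.group(1), []).append(m.group(2))
        else:
            doc["other"].append(line.strip())
    return doc


if __name__ == "__main__":
    events, _ = group_by_request(SAMPLE.splitlines())
    for number, lines in events.items():
        print(json.dumps(to_document(number, lines)))
```
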



