detail logging not logging?
Hi all. I seem to be missing something somewhere. I'm new to freeradius but I managed to get a system up and running. Here's a copy of my stripped down radiusd.conf. I'm only doing accounting right now so no auth stuff. I know radius itself is working because I can change the secret in the client.conf and I get the errors in the radius.log when the client sends. The issue I'm having now though is that I can't seem to get the detail logging to work so the only time I get any logs is if I purposefully foul something up to cause it to error. Right now I have the detail statement at the bottom of the file. I've tried moving it into the modules section but that didn't make any different. I also tried manually specifying the fully qualified path for the log file as well to no avail. I verified user and group permissions in the necessary directories, but I must still be missing something. Anyone able to point out what's wrong but right under my nose? Also it's worth noting this is running on Solaris10x86 under a zone. ############################################################ ## radiusd.conf -- FreeRADIUS server configuration file. ## ## http://www.freeradius.org/ ## $Id$ ## prefix = /opt/freeradius exec_prefix = ${prefix} instance_prefix = /opt/voip/freeradius sysconfdir = ${instance_prefix}/etc localstatedir = ${instance_prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${instance_prefix}/logs raddbdir = ${instance_prefix}/etc radacctdir = ${instance_prefix}/var/radacct # # name of the running server. See also the "-n" command-line option. name = radiusd # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run # Should likely be ${localstatedir}/lib/radiusd db_dir = ${raddbdir} # # libdir: Where to find the rlm_* modules. # # libdir = ${exec_prefix}/lib # pidfile: Where to place the PID of the RADIUS server. # pidfile = ${run_dir}/${name}.pid # user/group: The name (or #number) of the user/group to run radiusd as. # user = ****** group = ****** # max_request_time: The maximum time (in seconds) to handle a request. # max_request_time = 30 # cleanup_delay: The time to wait (in seconds) before cleaning up cleanup_delay = 5 # max_requests: The maximum number of requests which the server keeps max_requests = 1024 # listen: Make the server listen on a particular IP address, and send listen { type = acct ipaddr = * port = 1813 } # hostname_lookups: Log the names of clients or just their IP addresses hostname_lookups = no # Core dumps are a bad thing. This should only be set to 'yes' allow_core_dumps = no # Regular expressions regular_expressions = yes extended_expressions = yes # # Logging section. The various "log_*" configuration items log { destination = files file = ${logdir}/radius.log syslog_facility = daemon # Log the full User-Name attribute, as it was found in the request. stripped_names = no # Log authentication requests to the log file. auth = no # Log passwords with the authentication requests. auth_badpass = no auth_goodpass = no } # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION security { max_attributes = 200 reject_delay = 1 status_server = yes } # PROXY CONFIGURATION # # proxy_requests: Turns proxying of RADIUS requests on or off. proxy_requests = no #$INCLUDE proxy.conf # CLIENTS CONFIGURATION $INCLUDE clients.conf # THREAD POOL CONFIGURATION thread pool { # Number of servers to start initially --- should be a reasonable # ballpark figure. start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } # MODULE CONFIGURATION modules { # $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf $INCLUDE sql.conf $INCLUDE sql/mysql/counter.conf #$INCLUDE sql/postgresql/counter.conf } # Instantiation instantiate { exec expr expiration logintime } ###################################################################### # # Policies that can be applied in multiple places are listed # globally. That way, they can be defined once, and referred # to multiple times. # ###################################################################### $INCLUDE policy.conf #$INCLUDE sites-enabled/ detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d #detailfile = ${radacctdir}/%{NAS-IP-Address}/detail-%Y%m%d #detailfile = ${radacctdir}/detail.log detailperm = 0600 } ########################################################################
Brad Clemmons Jr wrote:
The issue I'm having now though is that I can't seem to get the detail logging to work so the only time I get any logs is if I purposefully foul something up to cause it to error. Right now I have the detail statement at the bottom of the file.
Right there... there's a problem. The default configuration logs to the detail file. There is literally *nothing* you need to do to configure it to log to the detail file.
I've tried moving it into the modules section but that didn't make any different. I also tried manually specifying the fully qualified path for the log file as well to no avail.
Making random changes without understanding how the server works won't help.
I verified user and group permissions in the necessary directories, but I must still be missing something. Anyone able to point out what's wrong but right under my nose?
Also it's worth noting this is running on Solaris10x86 under a zone.
You're either running an old version of the server, OR you've hacked the default configuration files into oblivion.
#$INCLUDE sites-enabled/
detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d #detailfile = ${radacctdir}/%{NAS-IP-Address}/detail-%Y%m%d #detailfile = ${radacctdir}/detail.log detailperm = 0600 }
And... yes. You've completely butchered the default configuration files. Don't do that. Throw away everything you've done. Replace it with the default configuration files. Add a client definition. Run it in debugging mode. Send it accounting packets. Verify that it writes to the detail file. 15 minutes. Tops. What you've done is clearly to make drastic changes to the configuration files without understanding how it works. There *is* documentation on the configuration files. Please *read* it before editing them. There *are* lots of examples. Please read them. Alan DeKok.
Hacking to oblivion...that's an interesting way of putting it. The only things I changed: Changed the directory locations such as prefix and instance_prefix to my locations, Changed user and pass, Changed Listening port, Changed type from authentication to accounting only *Added the detail section at the bottom and configure the directory locations etc... Oh and I turned off proxying, virtualhosting, and added the detail {} section AFTER I had already realized the detail logging didn't seem to be logging anywhere although I could confirm that it was taking the accounting packets since I could see the errors in the radius.log if I set the secret incorrectly. But those 1 or 2 errors were the only logging I could get. The only hacking out of anything I did was to remove the commented sections when I copy/pasted into this email just to keep the email from growing insanely long. Also this is version 2.1.3(since I managed to forget to add that info originally. But I will do as you suggested anyway. Here's a diff of my edited radiusd.conf and the original radiusd.conf(COMPLETELY UNMODIFIED - /opt/freeradius/etc/raddb/radiusd.conf): bash-3.00# diff radiusd.conf /opt/freeradius/etc/raddb/radiusd.conf 54c54 < prefix = /opt/freeradius ---
prefix = /opt/freeradius-2.1.3 56,58c56,57 < instance_prefix = /opt/voip/freeradius < sysconfdir = ${instance_prefix}/etc < localstatedir = ${instance_prefix}/var
sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var 60,62c59,61 < logdir = ${instance_prefix}/logs < raddbdir = ${instance_prefix}/etc < radacctdir = ${instance_prefix}/var/radacct
logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct 70c69 < run_dir = ${localstatedir}/run
run_dir = ${localstatedir}/run/radiusd 168,169c167,168 < user = ******* < group = *******
#user = radius #group = radius 252c251 < type = acct
type = auth
277c276 < port = 1813 ---
port = 0
309,310c308,309 < #listen { < # ipaddr = * ---
listen { ipaddr = * 312,313c311,312 < # port = 0 < # type = acct
port = 0 type = acct
316c315 < #} ---
} 526,527c525,526 < proxy_requests = no < #$INCLUDE proxy.conf
proxy_requests = yes $INCLUDE proxy.conf 780,816c779 < #$INCLUDE sites-enabled/ < < detail { < # Note that we do NOT use NAS-IP-Address here, as < # that attribute MAY BE from the originating NAS, and < # NOT from the proxy which actually sent us the < # request. The Client-IP-Address attribute is ALWAYS < # the address of the client which sent us the < # request. < # < # The following line creates a new detail file for < # every radius client (by IP address or hostname). < # In addition, a new detail file is created every < # day, so that the detail file doesn't have to go < # through a 'log rotation' < # < # If your detail files are large, you may also want < # to add a ':%H' (see doc/variables.txt) to the end < # of it, to create a new detail file every hour, e.g.: < # < # ..../detail-%Y%m%d:%H < # < # This will create a new detail file for every hour. < # < detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d < #detailfile = ${radacctdir}/%{NAS-IP-Address}/detail-%Y%m%d < #detailfile = ${radacctdir}/detail.log < < # < # The Unix-style permissions on the 'detail' file. < # < # The detail file often contains secret or private < # information about users. So by keeping the file < # permissions restrictive, we can prevent unwanted < # people from seeing that information. < detailperm = 0600 < }
$INCLUDE sites-enabled/
On Fri, Jan 16, 2009 at 12:39 PM, Alan DeKok <aland@deployingradius.com>wrote:
Brad Clemmons Jr wrote:
The issue I'm having now though is that I can't seem to get the detail logging to work so the only time I get any logs is if I purposefully foul something up to cause it to error. Right now I have the detail statement at the bottom of the file.
Right there... there's a problem.
The default configuration logs to the detail file. There is literally *nothing* you need to do to configure it to log to the detail file.
I've tried moving it into the modules section but that didn't make any different. I also tried manually specifying the fully qualified path for the log file as well to no avail.
Making random changes without understanding how the server works won't help.
I verified user and group permissions in the necessary directories, but I must still be missing something. Anyone able to point out what's wrong but right under my nose?
Also it's worth noting this is running on Solaris10x86 under a zone.
You're either running an old version of the server, OR you've hacked the default configuration files into oblivion.
#$INCLUDE sites-enabled/
detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d #detailfile = ${radacctdir}/%{NAS-IP-Address}/detail-%Y%m%d #detailfile = ${radacctdir}/detail.log detailperm = 0600 }
And... yes. You've completely butchered the default configuration files.
Don't do that.
Throw away everything you've done. Replace it with the default configuration files. Add a client definition. Run it in debugging mode. Send it accounting packets. Verify that it writes to the detail file.
15 minutes. Tops.
What you've done is clearly to make drastic changes to the configuration files without understanding how it works. There *is* documentation on the configuration files. Please *read* it before editing them. There *are* lots of examples. Please read them.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Brad Clemmons Jr wrote:
Hacking to oblivion...that's an interesting way of putting it.
Well... it clearly doesn't work, does it?
The only things I changed:
I didn't ask what you changed. I gave you a list of the minimal changes necessary to make it works. You've done a lot more than that. You can stick with what you've done, which you admit doesn't work. Or, you can follow instructions.
Changed the directory locations such as prefix and instance_prefix to my locations,
That shouldn't be necessary.
Changed user and pass, Changed Listening port, Changed type from authentication to accounting only
That shouldn't be necessary.
*Added the detail section at the bottom and configure the directory locations etc...
That's completely wrong. As I suggested, see the examples that come with the server for how to *correctly* configure it.
Oh and I turned off proxying, virtualhosting,
Why? Do you understand what the side-effects of that are?
and added the detail {} section AFTER I had already realized the detail logging didn't seem to be logging anywhere although I could confirm that it was taking the accounting packets since I could see the errors in the radius.log if I set the secret incorrectly. But those 1 or 2 errors were the only logging I could get.
Because you butchered the default configuration. You removed the configuration that told it use the "detail" file when receiving accounting records. You added a useless "detail" section at the bottom of "radiusd.conf". If you *read* the default configuration files, you will see that there is a structure to them. Adding random configurations at random places in the files won't work.
The only hacking out of anything I did was to remove the commented sections when I copy/pasted into this email just to keep the email from growing insanely long.
You can believe that, or you can believe my description of the changes you *admit* to making. Changes you *admit* don't work. If you think what you've done is fine, then it is impossible for me to help you. If you are willing to follow instructions, then you will solve the problem. In *less* time than it takes to argue about it on this list. Alan DeKok.
participants (2)
-
Alan DeKok -
Brad Clemmons Jr