Loging of proxied requests
listuser at peternixon.net
Thu Aug 10 15:57:59 CEST 2006
On Thu 10 Aug 2006 13:52, Mike Mitchell wrote:
> > > Peter Nixon wrote:
> > > > Wouldn't it be better for us to be a bit more concise
> > about things? for
> > > > example:
> > > >
> > > > Mon Aug 7 20:18:40 2006 : Auth: Login incorrect (realm:
> > myrealm proxy:
> > > > myproxy): [peter/peter] (from client NAS1 port 60000 cli XXXXXXXX)
> Yeah, we do similar things, but worse! I hate legacy systems!
> I've modified our source so that it puts the Reply-Message (if it exists)
> in the Login incorrect message. eg:
> Mon Aug 7 20:18:40 2006 : Auth: Login incorrect (Home server says so:
> Account Disabled) [peter] (from client NAS1 port 60000 cli XXXXXXXX)
> As we migrate away from legacy systems it gives us a single point of
> reference for authentication success/failures and the reasons.
> I think it could be very handy to have this log message more configurable,
> but I'm not sure what overhead that would add, its at least another call to
> xlat, and on a busy system this log is written out a lot!
Heh. Yeah. Well, in my case they are customers not legacy systems. We are
basically acting as a AAA clearing house (or something).
I think such a patch certainly bears testing. The more relevant info you can
give to an admin, the better he can do his job, and faster machines are
cheaper than more admins! In any case I have not so far ever managed to
stress FreeRADIUS... It's always been the backend that is working hard, not
radiusd which rarely takes more than 1% of CPU. In a pure proxy environment
that of course doesn't apply, but given that the SunFire (Opteron) boxes I
use only run about $1000, adding an extra 2 (or 10) doesn't really cost
allot. (Adding new database servers on the other hand is a different matter)
PGP Key: http://www.peternixon.net/public.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the Freeradius-Devel