Configurable Logging
Nicolas Baradakis
nbk at sitadelle.com
Sat Sep 23 19:06:09 CEST 2006
Peter Nixon wrote:
> OK. No replies, so here is the patch.
>
> The upside of this patch is that you can use any radius attribute in
> auth/proxy logs. The existing format can be achieved with:
>
> log_auth_format = "[%{User-Name}] (from client %C port %{NAS-Port}
> cli %{Calling-Station-Id})"

This should be the default value in radiusd.conf.in instead of the
string found in the patch.

> Is anyone vehemently against this patch or should I go ahead and commit it?

I think the patch could be less intrusive. If the log message is
xlat'ed in the rad_authlog() function, you don't need a new logging
function. Having one more logging function is more maintaining work,
and it makes it more difficult to switch to a newer logging mechanism
in the future. (like Alan suggested in a previous email)

I also note this patch doesn't use the same format for successful
and failed login attempts. And it seems to me it doesn't print the
password if "log_auth_goodpass" is set to "yes". OTOH you could put
the User-Password attribute directly in the string. Does this make
the "log_auth_goodpass" option obsolete?

Until this question is answered, I see two different ways to do
configurable logging in radiusd.conf.

The first one uses a set of 4 options:

log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
# Append any attributes after the username and (eventually) the password
log_auth_append = "from client %C port %{NAS-Port} cli %{Calling-Station-Id}"

The second one uses only 2 options:

# Log authentication without showing the passwords
log_auth_accept = "[%{User-Name:-<no User-Name attribute>}] (from client %C port %{NAS-Port} cli %{Calling-Station-Id})"
log_auth_reject = "[%{User-Name:-<no User-Name attribute>}] (from client %C port %{NAS-Port} cli %{Calling-Station-Id})"

# The options "log_auth_goodpass" and "log_auth_badpass" are deprecated
# but you can still write
log_auth_accept = "[%{User-Name:-<no User-Name attribute>}/%{User-Password:-<CHAP-Password>}] (from client %C port %{NAS-Port} cli %{Calling-Station-Id})"
log_auth_reject = "[%{User-Name:-<no User-Name attribute>}/%{User-Password:-<CHAP-Password>}] (from client %C port %{NAS-Port} cli %{Calling-Station-Id})"

# Authentication logging is disabled
log_auth_accept = ""
log_auth_reject = ""

--
Nicolas Baradakis
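
The difference between the option-two format strings in the message above, as an added example that is not part of the original message and not FreeRADIUS code: a simplified Python model of the expansion, showing which strings put the password into the log line. `expand` and `exposes_password` are hypothetical helpers, and the request attributes and client name are constructed.

```python
import re

# Simplified model, not FreeRADIUS's xlat: %{Attr} and %{Attr:-default}
# read request attributes, %C is the client name.
TOKEN = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}|%(C)")

# Format strings copied from the message above.
NOPASS = ("[%{User-Name:-<no User-Name attribute>}] "
          "(from client %C port %{NAS-Port} cli %{Calling-Station-Id})")
WITHPASS = ("[%{User-Name:-<no User-Name attribute>}/"
            "%{User-Password:-<CHAP-Password>}] "
            "(from client %C port %{NAS-Port} cli %{Calling-Station-Id})")

def expand(fmt, attrs, client):
    """Expand a log format; an empty format means logging is disabled (None)."""
    if fmt == "":
        return None

    def sub(m):
        if m.group(3):                      # %C
            return client
        name, default = m.group(1), m.group(2)
        value = attrs.get(name)
        if value is None:                   # attribute absent from the request
            return default if default is not None else ""
        return value

    return TOKEN.sub(sub, fmt)

def exposes_password(fmt):
    """True when the format references User-Password, so it reaches the log."""
    return any(m.group(1) == "User-Password" for m in TOKEN.finditer(fmt))

# Constructed sample requests: a PAP request carries User-Password, the
# second request has neither User-Name nor User-Password.
PAP = {"User-Name": "alice", "User-Password": "s3cret",
       "NAS-Port": "7", "Calling-Station-Id": "00-11-22-33-44-55"}
BARE = {"NAS-Port": "7"}

if __name__ == "__main__":
    for fmt in (NOPASS, WITHPASS, ""):
        flag = "password in log" if exposes_password(fmt) else "no password"
        for req in (PAP, BARE):
            print(flag, "->", expand(fmt, req, "nas1"))
```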