FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
csd126 at psu.edu
Thu Sep 5 19:29:05 CEST 2013
I could use some help in understanding my options for the following scenario:
In our environment, FreeRADIUS currently writes its Accounting logs to the local drive - one file per authorized client. In addition to the local logging, the Security group wants the Accounting logs sent to their logging cluster (in real time) so they can put them in their Elasticsearch database and respond to incidents.
My question: What is the best way to make both the Ops and Security groups happy given the below limitations:
- The Security group does not want to pull the logs from MySQL, as they want to use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, causing their production FreeRADIUS servers to eventually stop responding to requests.
The options we are exploring, in order of preference:
1. "Robust Accounting" - the Ops team believes there is a way to have the logs written to two locations simultaneously - locally and remotely, and if the remote connection is lost it does not impact operations. Is this possible? Does anyone have a sample config they could share?
2. Re-configure FreeRADIUS to write to one giant log file, rotated hourly. A script would then essentially 'tail -f' the log file and stream the logs to the Security group (and would handle the hourly filename changes, obviously).
3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local file AND send remotely to the Security group. The Ops group wants to avoid syslog if at all possible.
4. Re-configure FreeRADIUS to also log to MySQL. The Security group would then have to figure out a way to pull the data out in near-real time and insert it into their own database, which they would like to avoid.
Any comments or suggestions are welcome.
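Option 2 above as an added example (not part of the original post and not FreeRADIUS code): a follower that reads the accounting file from a separate process, survives the hourly file change, and spools into a bounded queue so an unreachable collector cannot stall anything. Assumptions: `path_fn` is a hypothetical callable returning the file currently being written, `send` is a hypothetical callable (for instance a socket write with a short timeout) that raises `OSError` on failure, and the queue size is arbitrary.

```python
import collections
import os


class DetailTail:
    """Follow a rotating accounting log and spool lines for a remote collector."""

    def __init__(self, path_fn, max_buffered=10000):
        self.path_fn = path_fn      # returns the file FreeRADIUS writes *now*
        self.fh = None
        self.partial = b""          # bytes of a line not yet newline-terminated
        # Bounded spool: if the collector is down, the oldest lines fall off
        # instead of memory growing without limit.
        self.spool = collections.deque(maxlen=max_buffered)

    def _drain(self):
        if self.fh is None:
            return 0
        data = self.partial + self.fh.read()
        *lines, self.partial = data.split(b"\n")
        self.spool.extend(lines)
        return len(lines)

    def poll(self):
        """Queue lines appended since the last call; return how many."""
        queued = self._drain()      # finish the old file before switching
        try:
            current = os.stat(self.path_fn())
        except FileNotFoundError:
            return queued           # new hour started, nothing written yet
        if self.fh is None or os.fstat(self.fh.fileno()).st_ino != current.st_ino:
            if self.fh is not None:
                self.fh.close()
            self.fh = open(self.path_fn(), "rb")
            self.partial = b""
            queued += self._drain()
        return queued

    def flush(self, send):
        """Pass spooled lines to send(); stop at the first OSError."""
        sent = 0
        while self.spool:
            try:
                send(self.spool[0])
            except OSError:
                break               # collector unreachable: retry next cycle
            self.spool.popleft()    # drop only after a successful send
            sent += 1
        return sent
```

A driver loop would call `poll()` and `flush()` once per interval. Lines dropped from a full spool are lost to the collector but remain in the local file, so the local copy stays the authoritative record.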