FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
Chris Decker
csd126 at psu.edu
Thu Sep 5 19:29:05 CEST 2013
All,
I could use some help in understanding my options for the following scenario:
In our environment, FreeRADIUS currently writes its Accounting logs to the local drive - one file per authorized client. In addition to the local logging, the Security group wants the Accounting logs sent to their logging cluster (in real-time) so they can put them in their elasticsearch database and respond to incidents.
My question: What is the best way to make both the Ops and Security groups happy given the below limitations:
- The Security group does not want to pull the logs from MySQL, as they want to use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, causing their production FreeRADIUS servers to eventually stop responding to requests.
------
The options we are exploring, in order of preference:
1. "Robust Accounting" - the Ops team believes there is a way to have the logs written to two locations simultaneously - locally and remotely, and if the remote connection is lost it does not impact operations. Is this possible? Does anyone have a sample config they could share?
2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly. A script would then essentially 'tail -f' the log file and stream the logs to the Security group (and would handle the hourly filename changes obviously).
3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local file AND send remotely to the Security group. The Ops group wants to avoid syslog if at all possible.
4. Re-configure FreeRADIUS to also log to MySQL. The Security group would then have to figure out a way to pull the data out in near-real time and insert it into their own database, which they would like to avoid.
Any comments or suggestions are welcome.
Thanks,
Chris
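
Option 2 above (a follower that streams the log and handles rotation), combined with the Ops requirement that a lost remote connection must not affect the RADIUS server, as an added example that is not part of the original post. The names `LogTailer`, `BestEffortForwarder` and the `send` callable are hypothetical; it assumes rotation is done by rename-and-recreate and that `send` has its own short timeout and raises `OSError` on failure.

```python
import os
from collections import deque

class LogTailer:
    """Follow one append-only log by path; survives rename-and-recreate rotation."""
    def __init__(self, path):
        self.path, self.fh, self.inode, self.partial = path, None, None, b""

    def _drain(self):
        # Keep an unterminated last line back until its newline arrives.
        *lines, self.partial = (self.partial + self.fh.read()).split(b"\n")
        return [l.decode("utf-8", "replace") for l in lines]

    def poll(self):
        """Return complete lines appended since the last poll."""
        lines = self._drain() if self.fh else []   # finish the old file first
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return lines                           # rotated away, new file not there yet
        if self.fh is None or st.st_ino != self.inode or st.st_size < self.fh.tell():
            if self.fh:
                self.fh.close()
            # New inode (rotation) or shrunken file (truncation): start over at offset 0.
            self.fh, self.partial = open(self.path, "rb"), b""
            self.inode = os.fstat(self.fh.fileno()).st_ino
            lines += self._drain()
        return lines

class BestEffortForwarder:
    """Bounded buffer in front of `send`; the local log stays the system of record."""
    def __init__(self, send, max_buffered=10000):
        self.send, self.max, self.buf, self.dropped = send, max_buffered, deque(), 0

    def offer(self, lines):
        for line in lines:
            if len(self.buf) >= self.max:          # remote down too long: shed oldest
                self.buf.popleft()
                self.dropped += 1
            self.buf.append(line)

    def flush(self):
        """Ship buffered lines in order; stop at the first failure and keep the rest."""
        sent = 0
        while self.buf:
            try:
                self.send(self.buf[0])
            except OSError:
                break
            self.buf.popleft()
            sent += 1
        return sent
```

Because the follower is a separate process reading the file FreeRADIUS already writes, a stalled collector only grows `dropped`; the Security side can backfill from the local files using that counter as the signal.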