linelog best practice

Matthew Newton mcn4 at leicester.ac.uk
Tue Jan 24 13:22:55 CET 2017


On Tue, Jan 24, 2017 at 10:52:32AM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13
> comes out as Matthew has ensured there's a good starting point for the ELK crowd :)

Yeah, to be honest rather than trying to write out JSON with
linelog personally I'd just look at reading the plain detail files
with logstash and using that to write them out as JSON. You might
be fine, but then some joker will come along and try to log in
with a username like 'silly"json'...

Should probably at least wrap all the attributes in
%{jsonquote:...} to be safe.

"rlm_jsonlog" is something I've thought about for a while. Just
not sure it's worth it. Might be if I can then use that to feed
directly into elasticsearch and skip the logstash bit.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
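
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the failure described above, where the username from the post breaks a hand-built JSON log line and escaping each value keeps it parseable. The json_quote helper, the field names and the sample values are assumptions standing in for what %{jsonquote:...} is meant to do.

```python
import json

# Constructed sample request; the username is the one quoted in the post.
SAMPLE = {"User-Name": 'silly"json', "Calling-Station-Id": "00-11-22-33-44-55"}

TEMPLATE = '{"user":"%s","mac":"%s"}'

# Two-character escapes defined by RFC 8259 for JSON string literals.
_ESCAPES = {'"': '\\"', '\\': '\\\\', '\n': '\\n', '\r': '\\r',
            '\t': '\\t', '\b': '\\b', '\f': '\\f'}


def json_quote(value):
    """Escape a string for use inside a JSON string literal.

    Hypothetical stand-in for an escaping expansion: it does not add the
    surrounding quotes, so the template keeps control of the structure.
    """
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20:
            # Remaining control characters must be written as \u00XX.
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def naive_line(attrs):
    """Interpolate raw attribute values, as an unescaped format string would."""
    return TEMPLATE % (attrs["User-Name"], attrs["Calling-Station-Id"])


def quoted_line(attrs):
    """Interpolate the same values after escaping each one."""
    return TEMPLATE % (json_quote(attrs["User-Name"]),
                       json_quote(attrs["Calling-Station-Id"]))


def parses(line):
    """Return the decoded object, or None if the consumer would reject it."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for build in (naive_line, quoted_line):
        line = build(SAMPLE)
        print(build.__name__, line, "->", parses(line))
```
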

