Correlating request and accept/reject log?

jm+freeradiususer at roth.lu jm+freeradiususer at roth.lu
Fri Mar 31 14:33:51 CEST 2017


>> Hmm, you mean "%I" (request ID)? (-->
>> https://wiki.freeradius.org/config/run_time_variables)

>  No.

Yes you do. However it seems the wiki was not up-to-date. I see it has
been corrected and is now correctly documented as %n just as you said,
thanks.

>> How would you include it? The ID is present neither in my auth nor
>> reply/reject log. I tried using "header = ..."

> What does that mean?

It means that in order to get a log with the information I want I tried
using the header statement in the detail log definition like so:

detail auth_log {
  filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

  #
  #  This MUST be 0600, otherwise anyone can read
  #  the users passwords!
  permissions = 0600

  # You may also strip out passwords completely
  suppress {
    User-Password
  }

  header = "%t %n"
}

However, freeradius then starts rejecting every request. But we do not
necessarily need to investigate because of what you wrote after that:

>> Ideally one would have one log entry (or even inject into SQL), with one
>> entry per event (all the info present in the request + the decision
>> whether it was accepted or rejected...)

>  That's easy to do

Ok :) How? If you could kindly direct me to the appropriate docs. In fact,
if you could kindly direct me to a single point of exhausting docs with
examples please.

>>  filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

>  See all of the %-things here?  Add %n.  It's that easy.   Each request
>  will be logged to its own filename.

I don't want one file per request. I want (ideally) one file that contains
one line per request/action taken, much like the file generated by using
the "requests" statement in the virtual server's log{} section. However,
the virtual server's log section does not allow logging specifically
defined fields into a DB; therefore I guess this has to be done some other
way.

Thanks.


