puzzled by unusual freeradius log format
Alan Buxey
alan.buxey at gmail.com
Fri Jun 15 22:12:00 CEST 2018
Recent change, the number being the session since start
alan
On Fri, 15 Jun 2018, 17:57 Andris Bjornson, <andris at everylayer.com> wrote:
> Hello,
>
> I'm trying to process freeradius logs into logstash / elasticsearch. I'm
> finding that the log format of my freeradius server seems different from
> the standard freeradius log examples I'm seeing in search results
>
> The freeradius log lines are multiline with indentation *but* each line of
> a multiline event begins with a (nnnnnn) index number prior to the
> indentation for example:
>
>
> (65216309) Received Accounting-Request Id 151 from 10.5.0.102:17420 to
> 10.5.0.172:2813 length 469
> (65216309) Acct-Status-Type = Interim-Update
> (65216309) User-Name = "60:21:01:9f:9c:54"
> (65216309) Framed-IP-Address = 10.80.137.221
> (65216309) Calling-Station-Id = "60:21:01:9f:9c:54"
>
> I can't seem to find explanation of this format in freeradius docs or what
> this leading number represents, and I can't seem to find where it is
> configured. Can anyone help me understand where these (nnnnn) index
> numbers come from in the logs? Ultimately my goal is correctly reassembling
> these lines in ELK using multiline processing.
>
> My freeradius server OS is CentOS Linux release 7.4.1708
> My freeradius version is freeradius-3.0.15-5.el7.centos.x86_64
>
> Thanks much!
>
> Andris
>
> ---
> Andris Bjornson | EveryLayer <http://www.everylayer.com/>
> skype: andris.bjornson
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list