FreeRADIUS as accounting relay for syslog
lists+freeradius at daork.net
Sun Mar 17 22:34:44 CET 2019
> On 18/03/2019, at 10:17 AM, R3DNano <r3dnano at gmail.com> wrote:
> There are some radius servers on my network that can't send their
> accounting information to syslog servers (can't talk to syslog, or
> something, don't know the specifics), so I was thinking if it might be
> possible to use my FreeRADIUS setup as a relay to do this job.
> The idea is that these servers could send me their accounting information
> and then use rsyslog to forward the accounting information to another
> remote syslog server.
> So far, I have been able to send local accounting to the remote syslog
> server using rsyslog and a local facility. Is this a good practice? Any
> particular tips on how to proceed?
Sending accounting data to syslog isn’t a “great” idea for most purposes - but depends on your use case.
For some sort of analytics where having every bit of data isn’t important, it’s probably fine. If you’re using it for billing or perhaps IP address usage logging etc. it’s not very good.
In terms of tips, depending on your system you’ll need to look for rate limiters. Not really FreeRADIUS specific, but, hey. If you have a systemd system, there’s a rate limiter in systemd. You’ll also likely find one in rsyslog.
Deduplication may be an issue for you as well (“last message repeated x times”) depending on what data goes in to your messages.
Perhaps you can use a TCP transport, rather than UDP - rsyslog supports that? Depends on your syslog server. You may find your log collection/analytics has a way to do this too - Splunk for example can collect from files, that’s better than normal syslog in a number of ways.
More information about the Freeradius-Users