Disable accounting logging
Patrick Oberli
patrick.oberli at ost.ch
Fri Jun 4 15:16:52 CEST 2021
Hello Alan
Sorry, wasn't aware that there are different kinds of accounting logs. The logs that were filling the disk and which I forgot to mention in the previous mail (sorry!) were under /var/log/freeradius/radacct/.
Anyway thanks for your answer, that actually helped me finding what to look out for in the debug log.
Surprise surprise, I had to disable the lines marked with "# if you want detailed logging" under post-auth, pre-proxy and post-proxy.
So the configuration looks like this now (if anybody else needs this for his eduroam configuration in the future):
server eduroam {
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipv6addr = ::
port = 0
}
listen {
type = "acct"
ipv6addr = ::
port = 0
}
authorize {
# only use filter_username from version > 3.0.7 on
filter_username
update request {
Operator-Name := "1domain.tld" #adjust for your domain
# the literal number "1" above is an important prefix! Do not change it!
}
# if you want detailed logging
auth_log
suffix
}
authenticate {
}
preacct {
suffix
}
accounting {
}
post-auth {
# if you want detailed logging
#reply_log
Post-Auth-Type REJECT {
# reply_log
}
}
pre-proxy {
# if you want detailed logging
#pre_proxy_log
if("%{Packet-Type}" != "Accounting-Request") {
attr_filter.pre-proxy
}
update proxy-request {
NAS-Port-Type := 19
}
}
post-proxy {
# if you want detailed logging
#post_proxy_log
attr_filter.post-proxy
}
}
The lines from the debug output that helped me:
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
Kind regards
Patrick
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+patrick.oberli=ost.ch at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Freitag, 4. Juni 2021 14:50
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Disable accounting logging
On Jun 4, 2021, at 8:27 AM, Patrick Oberli <patrick.oberli at ost.ch> wrote:
> I'm currently trying to disable accounting logging on a Freeradius 3.0 installation, which I exclusively use as an eduroam radius proxy (https://wiki.geant.org/display/H2eduroam/freeradius-sp).
> On my old 2.x installation I did not get any accounting logging, but I don't know why it is generated now in 3.0.
> My configuration of the sites-enabled/eduroam is exactly as shown at that site. The accounting section looks like this:
> accounting {
> }
That's nice. See http://wiki.freeradius.org/list-help
We don't need to see configuration files. We need to see debug output.
> The accounting log is now filling my disk
WHAT accounting log? The server can produce many different kinds of outputs. If you know what logs are produced, you know what module produced them. And then you know how to disable them.
> (it's also not compressed, unlike the radius.log file). I don't need the accounting logs as there should be no accounting at all.
> The only other link in sites-enabled is the default file. I did uncomment the word "detail" in the accounting section there and restarted the service, but it continued to log accounting information.
If only there was some kind of debug output which could help here.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list