Syslog and FreeRADIUS
Jonathan Gazeley
2009-07-03 15:01:13 UTC
Hi all,

I've decided to move logging on my radius boxes to a pair of syslog
servers, rather than stored locally. I'm using rsyslog to send the logs
over the network.

I followed this guide http://wiki.freeradius.org/Syslog_HOWTO but it seems
to be for an old version of FreeRADIUS. I have managed to get FreeRADIUS
to send syslog packets to my syslog hosts; however, I can't tell how to
specifically split out the FreeRADIUS syslog packets.

The wiki page suggests local1.* but this isn't matching the right
packets. I'm running FreeRADIUS 2.1.6 so if anyone has a snippet of
their rsyslog.conf or can simply say how to match the radius syslog
packets, I'd be very grateful.

Cheers,
Jonathan

----------------------------
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol
----------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2009-07-03 15:52:01 UTC
Post by Jonathan Gazeley
I've decided to move logging on my radius boxes to a pair of syslog
servers, rather than stored locally. I'm using rsyslog to send the logs
over the network.
It's a good tool.
Post by Jonathan Gazeley
I follow this guide http://wiki.freeradius.org/Syslog_HOWTO but it seems
to be for an old version of FreeRADIUS. I have managed to get FreeRADIUS
to send syslog packets to my syslog hosts; however I can't tell how to
specifically split out the FreeRADIUS syslog packets.
See the "programname" directive in the rsyslog configuration. It will
be the name of the daemon (radiusd or freeradiusd).
Post by Jonathan Gazeley
The wiki page suggests local1.* but this isn't matching the right
packets. I'm running FreeRADIUS 2.1.6 so if anyone has a snippet of
their rsyslog.conf or can simply say how to match the radius syslog
packets, I'd be very grateful.
Once you get it working, send it to the list, and we'll add it to the
next release.

Alan DeKok.
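The programname match Alan suggests, as an added example that is not from this thread or from the FreeRADIUS project: a small Python parser over constructed RFC 3164 lines that shows why a facility selector such as local1.* can miss the messages radiusd sends at its configured facility (daemon unless syslog_facility in the log section of radiusd.conf says otherwise), while a match on the programname picks them out regardless. The hostname, PIDs and message text are made up.

```python
import re
# FreeRADIUS 2.x logs to the facility set by syslog_facility in the log section
# of radiusd.conf (daemon by default), so a receiver rule like local1.* matches
# nothing unless that setting was changed. Keying on the syslog TAG (rsyslog's
# "programname" property) works whatever the facility; the rsyslog rule is
#   :programname, isequal, "radiusd"   /var/log/radius/radius.log
# Constructed RFC 3164 lines as received from a host "radius1".
# PRI = facility*8 + severity: 29 = daemon.notice, 141 = local1.notice, 38 = auth.info.
SAMPLE_LINES = [
    "<29>Jul  3 15:01:13 radius1 radiusd[9868]: Auth: Login OK: [bob] (from client nas1 port 0)",
    "<29>Jul  3 15:01:14 radius1 radiusd[9868]: Auth: Login incorrect: [eve] (from client nas1 port 0)",
    "<141>Jul  3 15:01:15 radius1 ntpd[412]: synchronized to 10.0.0.1, stratum 2",
    "<38>Jul  3 15:01:16 radius1 sshd[2211]: Accepted publickey for admin from 10.0.0.5",
]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                          # PRI
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "    # TIMESTAMP
    r"(?P<host>\S+) "                                # HOSTNAME
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "    # TAG = programname[pid]:
    r"(?P<msg>.*)$"
)

def parse_syslog(line):
    # Split one RFC 3164 line into facility, severity, host, programname, msg.
    m = SYSLOG_RE.match(line)
    if not m:
        return None          # malformed line; caller decides how to treat it
    pri = int(m.group("pri"))
    return {
        "facility": FACILITIES[pri // 8] if pri // 8 < len(FACILITIES) else "unknown",
        "severity": pri % 8,
        "host": m.group("host"),
        "programname": m.group("prog"),
        "msg": m.group("msg"),
    }

def parse_records(lines):
    return [r for r in (parse_syslog(l) for l in lines) if r is not None]

def match_facility(records, facility):
    # What a facility selector such as local1.* would capture.
    return [r for r in records if r["facility"] == facility]

def match_programname(records, prog):
    # What ':programname, isequal, "radiusd"' captures.
    return [r for r in records if r["programname"] == prog]
```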
Jonathan Gazeley
2009-07-06 14:48:56 UTC
Further to my previous query I've got global server messages being
syslogged to my log hosts.

However, all of my radius magic happens inside virtual servers, which
live in sites-available. I haven't been able to get any syslog packets
sent from within these virtual servers.

I've tried creating a log{} section at the top of the virtual server
containing the same directives as radiusd.conf but this didn't work.

I created a module again with the same directives as radiusd.conf - this
also didn't work.

I referenced the stuff in both cases in the normal places in my virtual
server.

The server doesn't give any error messages and starts normally with
these directives in place - it just doesn't send any syslog packets.

Has anyone on the list sent syslog packets from within radius virtual
servers? Any guidance would be much appreciated.

Thanks,
Jonathan
Alan DeKok
2009-07-06 15:35:44 UTC
Post by Jonathan Gazeley
However, all of my radius magic happens inside virtual servers, which
live in sites-available. I haven't been able to get any syslog packets
sent from within these virtual servers.
The "log" section is global. See raddb/sites-available/README for a
definitive list of which sections can appear inside of a "server" section.
Post by Jonathan Gazeley
Has anyone on the list sent syslog packets from within radius virtual
servers? Any guidance would be much appreciated.
Doing this will require source code changes.

Alan DeKok.
Jonathan Gazeley
2009-07-06 15:53:32 UTC
Post by Alan DeKok
Post by Jonathan Gazeley
However, all of my radius magic happens inside virtual servers, which
live in sites-available. I haven't been able to get any syslog packets
sent from within these virtual servers.
The "log" section is global. See raddb/sites-available/README for a
definitive list of which sections can appear inside of a "server" section.
OK, thanks. If the "log" section is global, should I simply be able to
insert the word "log" into my virtual servers? Doing so causes the
server to not start:

radiusd[9868]: /usr/local/etc/raddb/sites-enabled/uobresnet[34]: Failed
to find module "log".
radiusd[9868]: /usr/local/etc/raddb/sites-enabled/uobresnet[20]: Errors
parsing authorize section.

Ultimately what I'm after is the ability to send detail logs to syslog
rather than have them written to a file. Perhaps I've been asking the
wrong questions so far, or in the wrong way :)

Cheers,
Jonathan
A***@lboro.ac.uk
2009-07-06 16:02:57 UTC
Hi,
Post by Jonathan Gazeley
Post by Alan DeKok
The "log" section is global. See raddb/sites-available/README for a
definitive list of which sections can appear inside of a "server" section.
OK, thanks. If the "log" section is global, should I simply be able to
insert the word "log" into my virtual servers? Doing so causes the
No, the log section is global - and therefore cannot go into
a virtual server - it fails if you do that (as you've seen).
Post by Jonathan Gazeley
Ultimately what I'm after is the ability to send detail logs to syslog
rather than have them written to a file. Perhaps I've been asking the
wrong questions so far, or in the wrong way :)
Whoa. That's completely different to what the current server does,
virtual or not. What details do you want to syslog?

alan
Jonathan Gazeley
2009-07-06 16:15:00 UTC
Post by A***@lboro.ac.uk
Post by Jonathan Gazeley
Ultimately what I'm after is the ability to send detail logs to syslog
rather than have them written to a file. Perhaps I've been asking the
wrong questions so far, or in the wrong way :)
Whoa. That's completely different to what the current server does,
virtual or not. What details do you want to syslog?
For a start I want to syslog the stuff that usually goes into radius.log
- so the messages when the server starts (which are already being
syslogged successfully) and the summary line (Auth: Login OK) printed
after an authentication (which are currently not being sent to syslog).

I also want to syslog the stuff that normally gets filed away under
/var/log/radius/radacct - so details of radius packets for debugging.

The reason for wanting to send everything to a log host on the network
is that the new generation of radius servers we are preparing are all
virtualised and only have a few GB of disk - so no room for logs.

Cheers,
Jonathan
Ted Behling
2009-07-06 16:16:59 UTC
Jonathan,

I'm actually planning to roll out RADIUS on a virtualization platform
too, probably Xen. Could you share what VM platform you're using?
Thanks!

Ted

Jonathan Gazeley
2009-07-06 16:19:33 UTC
Hi Ted,

We are using VMWare ESXi on our hypervisors. There's no need to run a
host OS and it's easy to set up. We haven't encountered any problems to
speak of. The guest OS that the radius servers run is CentOS.

Cheers,
Jonathan
Post by Ted Behling
Jonathan,
I'm actually planning to roll out RADIUS on a virtualization platform
too, probably Xen. Could you share what VM platform you're using?
Thanks!
Ted
A***@lboro.ac.uk
2009-07-06 16:43:33 UTC
Hi,
Post by Jonathan Gazeley
The reason for wanting to send everything to a log host on the network
is that the new generation of radius servers we are preparing are all
virtualised and only have a few GB of disk - so no room for logs.
There are so many ways of having proper disk access via a virtualised host
that I don't know why you'd want to cripple your config by relying on syslog
and such dumb technologies for transfer of such details.

FoE, FC, ATAoE, NFSv4, iSCSI etc.

However, ANOTHER way would be to have a backend RADIUS server that sits
on a system with the big fat disks....this RADIUS server would do no
authentication/authorisation etc and would simply be an accounting
relay - proxy all your accounting details to it for storage - check
the various supplied virtual servers to see the ways this can be done.

Virtualisation of a RADIUS server isn't a problem - I've used
FreeRADIUS in VMWare Fusion, Xen, and ESX - as you say, it's the big
files that are the killer - so dish such stuff elsewhere
if you aren't using the network to transit storage.

alan
Alan DeKok
2009-07-06 21:19:01 UTC
Post by Jonathan Gazeley
For a start I want to syslog the stuff that usually goes into radius.log
- so the messages when the server starts (which are already being
syslogged successfully) and the summary line (Auth: Login OK) printed
after an authentication (which are currently not being sent to syslog).
That can be done. Just edit the log section of radiusd.conf.
Post by Jonathan Gazeley
I also want to syslog the stuff that normally gets filed away under
/var/log/radius/radacct - so details of radius packets for debugging.
I'll echo Alan Buxey here... you don't want to do this. See the
"raddb/sites-available/robust-proxy-accounting" for the RADIUS way of
doing it.

i.e. you're trying to replicate RADIUS traffic. So.... replicate it
as RADIUS traffic.
Post by Jonathan Gazeley
The reason for wanting to send everything to a log host on the network
is that the new generation of radius servers we are preparing are all
virtualised and only have a few GB of disk - so no room for logs.
There's enough room for a few days worth of detail logs, unless your
systems are very, very, busy.

Alan DeKok.