Re: more detailed sql logging

2005-03-07 Thread Nicolas Baradakis
Kris Efland wrote:

> Can I enter raw sql syntax similar to those found in the sql.conf
> file?  (blah = "INSERT INTO ...") Granted this isn't the greatest
> place to put this, but as long as the sql.conf include is before my
> module def all of the sql server information should already be
> in-line... do I have that right?  Or can you do something clever in
> the sql.conf file?

You can just use a second instance of rlm_sql module with a different
postauth_query for the rejected users. See the last section in
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/rlm_sql?rev=1.6

Nicolas Baradakis

-- 
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting annoying in email?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: more detailed sql logging

2005-03-06 Thread Kris Efland
Score!  Exactly the information I needed.  Thank you.  For clarification, since I haven't written a module before... For example:
 
If I had the following block in radiusd.conf
 
post-auth{
   Post-Auth-Type REJECT {
   log_rejected_users
   }
}
 
In the modules block in radiusd.conf...  Can I enter raw sql syntax similar to those found in the sql.conf file?  (blah = "INSERT INTO ...") Granted this isn't the greatest place to put this, but as long as the sql.conf include is before my module def all of the sql server information should already be in-line... do I have that right?  Or can you do something clever in the sql.conf file?
 
Thanks again,
Kris
 
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> Kris Efland wrote:
> > Packet-Type = Access-Request
> > Sat Mar  5 15:04:02 2005
> > User-Name = "user"
> > User-Password = "password"
> > NAS-IP-Address = 1.2.3.4
> > Client-IP-Address = 1.3.4.5
> > Module-Failure-Message = "rlm_ldap: User not found"
> >
> > _I would like this information logged to sql instead, how do I do that?_
>
> See http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/Post-Auth-Type?rev=1.4
>
> You can run a postauth query before the server sends an Accept-Reject,
> too. Modify the "radpostauth" table and the "postauth query" to log as
> many attributes as you wish.
>
> -- 
> Nicolas Baradakis

Re: more detailed sql logging

2005-03-06 Thread Nicolas Baradakis
Kris Efland wrote:

> Packet-Type = Access-Request
> Sat Mar  5 15:04:02 2005
> User-Name = "user"
> User-Password = "password"
> NAS-IP-Address = 1.2.3.4
> Client-IP-Address = 1.3.4.5
> Module-Failure-Message = "rlm_ldap: User not found"
> 
> _I would like this information logged to sql instead, how do I do that?_

See 
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/Post-Auth-Type?rev=1.4

You can run a postauth query before the server sends an Accept-Reject,
too. Modify the "radpostauth" table and the "postauth query" to log as
many attributes as you wish.

-- 
Nicolas Baradakis
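
Added example (not part of any message in this thread and not FreeRADIUS code): an out-of-server loader, in Python with SQLite as a stand-in database, that parses the auth-detail layout quoted above and inserts each request into a table with bound parameters. The table name `authlog`, its columns and the second sample record are assumptions; User-Password is deliberately kept out of the table.

```python
import re
import sqlite3

# Constructed sample in the layout quoted in the thread (placeholder values).
SAMPLE = '''Packet-Type = Access-Request
Sat Mar  5 15:04:02 2005
\tUser-Name = "user"
\tUser-Password = "password"
\tNAS-IP-Address = 1.2.3.4
\tClient-IP-Address = 1.3.4.5
\tModule-Failure-Message = "rlm_ldap: User not found"

Packet-Type = Access-Request
Sat Mar  5 15:04:09 2005
\tUser-Name = "o'brien"
\tUser-Password = "hunter2"
\tNAS-IP-Address = 1.2.3.4
\tClient-IP-Address = 1.3.4.5
'''

ATTR = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')
# Never copied into the database: credentials do not belong in a log table.
SECRET = {"User-Password", "CHAP-Password"}
COLUMNS = ("User-Name", "NAS-IP-Address", "Client-IP-Address", "Module-Failure-Message")

def parse_detail(text):
    """Yield one dict per blank-line-separated record."""
    for block in re.split(r'\n\s*\n', text.strip()):
        rec = {}
        for line in block.splitlines():
            m = ATTR.match(line)
            if m is None:
                rec["timestamp"] = line.strip()      # the bare date line
            elif m.group(1) not in SECRET:
                rec[m.group(1)] = m.group(2).strip('"')
        yield rec

def load(conn, text):
    """Insert every parsed record into authlog; return the number of rows added."""
    conn.execute("CREATE TABLE IF NOT EXISTS authlog "
                 "(ts TEXT, username TEXT, nas_ip TEXT, client_ip TEXT, failure TEXT)")
    rows = [(r.get("timestamp"), *(r.get(c) for c in COLUMNS)) for r in parse_detail(text)]
    # Bound parameters, so a quote in User-Name cannot alter the statement.
    conn.executemany("INSERT INTO authlog VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load(db, SAMPLE), db.execute("SELECT * FROM authlog").fetchall())
```

A record with no Module-Failure-Message is stored with a NULL `failure` column, so failed attempts can be selected with `WHERE failure IS NOT NULL`.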



Re: more detailed sql logging

2005-03-06 Thread Alan DeKok
Kris Efland <[EMAIL PROTECTED]> wrote:
> Clearly...  As I said in my first email.  There are no insert
> statements that coincide to what I am looking for and thus my original
> question about crafting my own sql statements.

  It's not just a matter of crafting your own SQL statements.  The
module is not "generic", in that it expects to do certain queries in a
certain order.  So there is NO statement you can add to sql.conf to
make the module do things in a different order.

> _I would like this information logged to sql instead, how do I do that?_

  Source code modifications.

> > Then your NAS isn't sending accounting requests to the server. See the FAQ.
> 
> The information is already at my disposal, hence the log file.

  Um... Access-Request packets are NOT accounting packets.  You said
that you listed "sql" in "accounting", but the table had nothing in
it.  This is because the server is not receiving Accounting-Request
packets.  There is NO other explanation.

>  I don't want to rely on the NAS to send the request or have to
> manage that in any way.  Can I force the logging to SQL? I want to
> log ALL authentication requests to SQL, this seems like a pretty
> primitive feature.  Thanks for the help.

  Source code modifications.

  Alan DeKok.



Re: more detailed sql logging

2005-03-05 Thread Kris Efland
Alan DeKok <[EMAIL PROTECTED]> wrote:
> No... the "radcheck" table contains information that tells the
> server how to check authentication for the user.

Ok.

> sql.conf clearly shows that the only authenticating logging query is
> the post-auth one. It also clearly shows that the authcheck_table
> compares the check items for the user.

Clearly...  As I said in my first email.  There are no insert statements that coincide to what I am looking for and thus my original question about crafting my own sql statements. Moving on... I will break this down simply so that we do not drift.  The data I need is being logged to the log file:

$prefix/var/log/radius/radacct//auth-detail-mmdd

with contents:

Packet-Type = Access-Request
Sat Mar  5 15:04:02 2005
    User-Name = "user"
    User-Password = "password"
    NAS-IP-Address = 1.2.3.4
    Client-IP-Address = 1.3.4.5
    Module-Failure-Message = "rlm_ldap: User not found"

_I would like this information logged to sql instead, how do I do that?_

> This is all documented in the comments in the file.

Sure it is...

> Then your NAS isn't sending accounting requests to the server. See the FAQ.

The information is already at my disposal, hence the log file.  I don't want to rely on the NAS to send the request or have to manage that in any way.  Can I force the logging to SQL? I want to log ALL authentication requests to SQL, this seems like a pretty primitive feature.  Thanks for the help.
 
Kris

Re: more detailed sql logging

2005-03-05 Thread Alan DeKok
Kris Efland <[EMAIL PROTECTED]> wrote:
> I am simply trying to log who is trying to auth against the rad
> server, valid or not.  Right now only postauth is being logged to
> sql and I'm trying to rectify that.

  That's fine.

>  I would assume that someone trying to check authentic credentials
> would be logged to the 'authcheck_table' but feel free to correct
> that assumption.

  No... the "radcheck" table contains information that tells the
server how to check authentication for the user. 

  sql.conf clearly shows that the only authenticating logging query is
the post-auth one.  It also clearly shows that the authcheck_table
compares the check items for the user.

  This is all documented in the comments in the file.

> I already have a 'sql' directive under the accounting block in
> radiusd.conf (line 1906).  Currently the only table that has
> _anything_ is radpostauth.

  Then your NAS isn't sending accounting requests to the server.  See the FAQ.

  Alan DeKok.



Re: more detailed sql logging

2005-03-04 Thread Kris Efland
Guy,
 
Thanks for the response.  But, according to the sql.conf...
 
"authcheck_table = 'radcheck' "
 
I am simply trying to log who is trying to auth against the rad server, valid or not.  Right now only postauth is being logged to sql and I'm trying to rectify that.  I would assume that someone trying to check authentic credentials would be logged to the 'authcheck_table' but feel free to correct that assumption.
 
I already have a 'sql' directive under the accounting block in radiusd.conf (line 1906).  Currently the only table that has _anything_ is radpostauth.
 
Any ideas?
 
k.
 
Guy Fraser <[EMAIL PROTECTED]> wrote:
> I am not exactly sure what you are trying to do, but you should never
> need to have the server write to radcheck.
>
> The table you are probably looking for is radacct.
>
> radcheck is equivalent to the first line of the users file.
> radacct is equivalent to the detail file.
>
> You likely want to add sql to the accounting section.

Re: more detailed sql logging

2005-03-04 Thread Guy Fraser
On Thu, 2005-03-03 at 13:54 -0800, Kris Efland wrote:
> Excuse me if this has already been discussed but I couldn't find
> anything after searching...
>  
> I have FR successfully up and running.  I have it "logging" through
> sql, and authenticating through ldap.  How do I go about getting more
> detailed logs out of FR through sql?  Currently it is only logging to
> postauth_table and is therefore only showing successful logins.  I
> need it to log to authcheck_table (radcheck) to see if people are
> failing to login properly.  These are being sent to the logfile but
> not to sql.  I have broken down the sql config files but they don't
> seem to have any insert statements into the radcheck sql table.  Do I
> have to write these myself?  or is it more simplistic than that?  Can
> you do this when separating the authentication mechanism from sql?
> Thanks in advance.
>  
> Kris
I am not exactly sure what you are trying to do, but you should never 
need to have the server write to radcheck.

The table you are probably looking for is radacct.

radcheck is equivalent to the first line of the users file.
radacct is equivalent to the detail file.

You likely want to add sql to the accounting section.




more detailed sql logging

2005-03-03 Thread Kris Efland
Excuse me if this has already been discussed but I couldn't find anything after searching...
 
I have FR successfully up and running.  I have it "logging" through sql, and authenticating through ldap.  How do I go about getting more detailed logs out of FR through sql?  Currently it is only logging to postauth_table and is therefore only showing successful logins.  I need it to log to authcheck_table (radcheck) to see if people are failing to login properly.  These are being sent to the logfile but not to sql.  I have broken down the sql config files but they don't seem to have any insert statements into the radcheck sql table.  Do I have to write these myself?  or is it more simplistic than that?  Can you do this when separating the authentication mechanism from sql?  Thanks in advance.
 
Kris