Re: Syslog and FreeRADIUS
Further to my previous query I've got global server messages being syslogged to my log hosts. However, all of my radius magic happens inside virtual servers, which live in sites-available. I haven't been able to get any syslog packets sent from within these virtual servers.

I've tried creating a log{} section at the top of the virtual server containing the same directives as radiusd.conf but this didn't work. I created a module again with the same directives as radiusd.conf - this also didn't work. I referenced the stuff in both cases in the normal places in my virtual server.

The server doesn't give any error messages and starts normally with these directives in place - it just doesn't send any syslog packets.

Has anyone on the list sent syslog packets from within radius virtual servers? Any guidance would be much appreciated.

Thanks,
Jonathan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Syslog and FreeRADIUS
Jonathan Gazeley wrote:
> However, all of my radius magic happens inside virtual servers, which live in sites-available. I haven't been able to get any syslog packets sent from within these virtual servers.

The log section is global. See raddb/sites-available/README for a definitive list of which sections can appear inside of a server section.

> Has anyone on the list sent syslog packets from within radius virtual servers? Any guidance would be much appreciated.

Doing this will require source code changes.

Alan DeKok.
Re: Syslog and FreeRADIUS
On 07/06/2009 04:35 PM, Alan DeKok wrote:
> Jonathan Gazeley wrote:
>> However, all of my radius magic happens inside virtual servers, which live in sites-available. I haven't been able to get any syslog packets sent from within these virtual servers.
>
> The log section is global. See raddb/sites-available/README for a definitive list of which sections can appear inside of a server section.

OK, thanks. If the log section is global, should I simply be able to insert the word log into my virtual servers? Doing so causes the server to not start:

    radiusd[9868]: /usr/local/etc/raddb/sites-enabled/uobresnet[34]: Failed to find module log.
    radiusd[9868]: /usr/local/etc/raddb/sites-enabled/uobresnet[20]: Errors parsing authorize section.

Ultimately what I'm after is the ability to send detail logs to syslog rather than have them written to a file. Perhaps I've been asking the wrong questions so far, or in the wrong way :)

Cheers,
Jonathan
Re: Syslog and FreeRADIUS
Hi,

>> The log section is global. See raddb/sites-available/README for a definitive list of which sections can appear inside of a server section.
>
> OK, thanks. If the log section is global, should I simply be able to insert the word log into my virtual servers? Doing so causes the server to not start:

no, the log section is global - and therefore cannot go into a virtual server - it fails if you do that (as you've seen)

> Ultimately what I'm after is the ability to send detail logs to syslog rather than have them written to a file. Perhaps I've been asking the wrong questions so far, or in the wrong way :)

whoa. that's completely different to what the current server does, virtual or not. what details do you want to syslog?

alan
Re: Syslog and FreeRADIUS
On 07/06/2009 05:02 PM, a.l.m.bu...@lboro.ac.uk wrote:
>> Ultimately what I'm after is the ability to send detail logs to syslog rather than have them written to a file. Perhaps I've been asking the wrong questions so far, or in the wrong way :)
>
> whoa. that's completely different to what the current server does, virtual or not. what details do you want to syslog?

For a start I want to syslog the stuff that usually goes into radius.log - so the messages when the server starts (which are already being syslogged successfully) and the summary line (Auth: Login OK) printed after an authentication (which are currently not being sent to syslog).

I also want to syslog the stuff that normally gets filed away under /var/log/radius/radacct - so details of radius packets for debugging.

The reason for wanting to send everything to a log host on the network is that the new generation of radius servers we are preparing are all virtualised and only have a few GB of disk - so no room for logs.

Cheers,
Jonathan

--
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
RE: Syslog and FreeRADIUS
Jonathan,

I'm actually planning to roll out RADIUS on a virtualization platform too, probably Xen. Could you share what VM platform you're using?

Thanks!
Ted
Re: Syslog and FreeRADIUS
Hi Ted,

We are using VMWare ESXi on our hypervisors. There's no need to run a host OS and it's easy to set up. We haven't encountered any problems to speak of. The guest OS that the radius servers run is CentOS.

Cheers,
Jonathan

--
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
Re: Syslog and FreeRADIUS
Hi,

> The reason for wanting to send everything to a log host on the network is that the new generation of radius servers we are preparing are all virtualised and only have a few GB of disk - so no room for logs.

there are so many ways of having proper disk access via a virtualised host that i don't know why you'd want to cripple your config by relying on syslog and such dumb technologies for transfer of such details. FoE, FC, ATAoE, NFSv4, iSCSI etc

however, ANOTHER way would be to have a backend RADIUS server that sits on a system with the big fat disks. this RADIUS server would do no authentication/authorisation etc and would simply be an accounting relay - proxy all your accounting details to it for storage - check the various supplied virtual servers to see the ways this can be done.

virtualisation of a RADIUS server isn't a problem - I've used FreeRADIUS in VMWare Fusion, Xen, and ESX - as you say, it's the big files that are the killer - so dish such stuff elsewhere if you aren't using the network to transit storage.

alan
Re: Syslog and FreeRADIUS
Jonathan Gazeley wrote:
> For a start I want to syslog the stuff that usually goes into radius.log - so the messages when the server starts (which are already being syslogged successfully) and the summary line (Auth: Login OK) printed after an authentication (which are currently not being sent to syslog).

That can be done. Just edit the log section of radiusd.conf.

> I also want to syslog the stuff that normally gets filed away under /var/log/radius/radacct - so details of radius packets for debugging.

I'll echo Alan Buxey here... you don't want to do this. See the raddb/sites-available/robust-proxy-accounting for the RADIUS way of doing it. i.e. you're trying to replicate RADIUS traffic. So replicate it as RADIUS traffic.

> The reason for wanting to send everything to a log host on the network is that the new generation of radius servers we are preparing are all virtualised and only have a few GB of disk - so no room for logs.

There's enough room for a few days worth of detail logs, unless your systems are very, very, busy.

Alan DeKok.
Syslog and FreeRADIUS
Hi all,

I've decided to move logging on my radius boxes to a pair of syslog servers, rather than stored locally. I'm using rsyslog to send the logs over the network.

I follow this guide http://wiki.freeradius.org/Syslog_HOWTO but it seems to be for an old version of FreeRADIUS. I have managed to get FreeRADIUS to send syslog packets to my syslog hosts; however I can't tell how to specifically split out the FreeRADIUS syslog packets.

The wiki page suggests local1.* but this isn't matching the right packets. I'm running FreeRADIUS 2.1.6 so if anyone has a snippet of their rsyslog.conf or can simply say how to match the radius syslog packets, I'd be very grateful.

Cheers,
Jonathan

Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
Re: Syslog and FreeRADIUS
Jonathan Gazeley wrote:
> I've decided to move logging on my radius boxes to a pair of syslog servers, rather than stored locally. I'm using rsyslog to send the logs over the network.

It's a good tool.

> I follow this guide http://wiki.freeradius.org/Syslog_HOWTO but it seems to be for an old version of FreeRADIUS. I have managed to get FreeRADIUS to send syslog packets to my syslog hosts; however I can't tell how to specifically split out the FreeRADIUS syslog packets.

See the programname directive in the rsyslog configuration. It will be the name of the daemon (radiusd or freeradiusd)

> The wiki page suggests local1.* but this isn't matching the right packets. I'm running FreeRADIUS 2.1.6 so if anyone has a snippet of their rsyslog.conf or can simply say how to match the radius syslog packets, I'd be very grateful.

Once you get it working, send it to the list, and we'll add it to the next release.

Alan DeKok.
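
The two suggestions made in this thread (editing the log section of radiusd.conf, and matching on programname in rsyslog), put together as an added example; it is not from the original posts or from the FreeRADIUS project. The host name loghost.example.org, the output path and the choice of TCP forwarding are assumptions.

```conf
# --- raddb/radiusd.conf on the RADIUS server (FreeRADIUS 2.x, global log section) ---
log {
	# Send what would go to radius.log to the local syslog daemon instead.
	destination = syslog
	# Facility used for those messages; the stock value is "daemon",
	# which is why a local1.* selector does not match unless this is changed.
	syslog_facility = daemon
	# Log the per-request summary lines such as "Auth: Login OK".
	auth = yes
	# Keep passwords out of messages that will cross the network.
	auth_badpass = no
	auth_goodpass = no
}

# --- rsyslog.conf on the RADIUS server: forward only the radius daemon's messages ---
# Property-based filter on the program name. Use the name the daemon
# actually runs under (the thread mentions radiusd or freeradiusd).
# "@@" forwards over TCP, a single "@" over UDP.
# loghost.example.org is a placeholder (assumption), not from the thread.
:programname, isequal, "radiusd" @@loghost.example.org:514

# --- rsyslog.conf on the log host: split radius messages into their own file ---
# Receiving over TCP needs the imtcp input module loaded and listening.
$ModLoad imtcp
$InputTCPServerRun 514
# Output path is an assumption; pick one that suits the log host.
:programname, isequal, "radiusd" /var/log/radius/radius.log
# Stop processing so the same lines are not also written to the catch-all files.
# rsyslog releases before v7 spell this "& ~".
& stop
```

Running `rsyslogd -N1` on each host checks the rsyslog configuration for syntax errors before the daemon is restarted.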
syslog and freeradius
I want to collect messages from different machines on a single server. Is it possible to forward freeradius' (1.0.2) logging to another machine?

man radiusd says, that -l with the special value syslog sends the log information with syslog and that this option is deprecated. See log_dir in radiusd.conf. In radiusd.conf however I do not see how this could be achieved.

Norbert Wegener
Re: syslog and freeradius
Norbert Wegener wrote:
> I want to collect messages from different machines on a single server. Is it possible to forward freeradius' (1.0.2) logging to another machine?

Not really. It doesn't work in 1.0.2. It *does* work in the CVS head.

Alan DeKok.