summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/detail
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--raddb/mods-available/detail109
-rw-r--r--raddb/mods-available/detail.example.com27
-rw-r--r--raddb/mods-available/detail.log75
3 files changed, 211 insertions, 0 deletions
diff --git a/raddb/mods-available/detail b/raddb/mods-available/detail
new file mode 100644
index 0000000..ccf65f9
--- /dev/null
+++ b/raddb/mods-available/detail
@@ -0,0 +1,109 @@
+# -*- text -*-
+#
+# $Id$
+
+# Write a detailed log of all accounting records received.
+#
+detail {
+ # Note that we do NOT use NAS-IP-Address here, as
+ # that attribute MAY BE from the originating NAS, and
+ # NOT from the proxy which actually sent us the
+ # request.
+ #
+ # The following line creates a new detail file for
+ # every radius client (by IP address or hostname).
+ # In addition, a new detail file is created every
+ # day, so that the detail file doesn't have to go
+ # through a 'log rotation'
+ #
+ # If your detail files are large, you may also want to add
+ # a ':%H' (see doc/configuration/variables.rst) to the end
+ # of it, to create a new detail file every hour, e.g.:
+ #
+ # ..../detail-%Y%m%d:%H
+ #
+ # This will create a new detail file for every hour.
+ #
+ # If you are reading detail files via the "listen" section
+ # (e.g. as in raddb/sites-available/robust-proxy-accounting),
+ # you MUST use a unique directory for each combination of a
+ # detail file writer, and reader. That is, there can only
+ # be ONE "listen" section reading detail files from a
+ # particular directory.
+ #
+ # The configuration below puts the detail files into separate
+ # directories for each client. If you are reading the detail
+ # files via the "listen" section, just use one directory.
+ #
+ # e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d
+ #
+ # AND use a separate directory (reader2, reader3, etc.) for each
+ # reader.
+ #
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
+
+ #
+ # If you are using radrelay, delete the above line for "file",
+ # and use this one instead:
+ #
+# filename = ${radacctdir}/detail
+
+ #
+ # Most file systems can handly nearly the full range of UTF-8
+ # characters. Ones that can deal with a limited range should
+ # set this to "yes".
+ #
+ escape_filenames = no
+
+ #
+ # The Unix-style permissions on the 'detail' file.
+ #
+ # The detail file often contains secret or private
+ # information about users. So by keeping the file
+ # permissions restrictive, we can prevent unwanted
+ # people from seeing that information.
+ permissions = 0600
+
+ # The Unix group of the log file.
+ #
+ # The user that the server runs as must be in the specified
+ # system group otherwise this will fail to work.
+ #
+# group = ${security.group}
+
+ #
+ # Every entry in the detail file has a header which
+ # is a timestamp. By default, we use the ctime
+ # format (see "man ctime" for details).
+ #
+ # The header can be customised by editing this
+ # string. See "doc/configuration/variables.rst" for a
+ # description of what can be put here.
+ #
+ header = "%t"
+
+ #
+ # Uncomment this line if the detail file reader will be
+ # reading this detail file.
+ #
+# locking = yes
+
+ #
+ # Log the Packet src/dst IP/port. This is disabled by
+ # default, as that information isn't used by many people.
+ #
+# log_packet_header = yes
+
+ #
+ # Certain attributes such as User-Password may be
+ # "sensitive", so they should not be printed in the
+ # detail file. This section lists the attributes
+ # that should be suppressed.
+ #
+ # The attributes should be listed one to a line.
+ #
+ #suppress {
+ # User-Password
+ #}
+
+}
diff --git a/raddb/mods-available/detail.example.com b/raddb/mods-available/detail.example.com
new file mode 100644
index 0000000..827cdf5
--- /dev/null
+++ b/raddb/mods-available/detail.example.com
@@ -0,0 +1,27 @@
+# -*- text -*-
+#
+# Detail file writer, used in the following examples:
+#
+# raddb/sites-available/robust-proxy-accounting
+# raddb/sites-available/decoupled-accounting
+#
+# Note that this module can write detail files that are read by
+# only ONE "listen" section. If you use BOTH of the examples
+# above, you will need to define TWO "detail" modules.
+#
+# e.g. detail1.example.com && detail2.example.com
+#
+#
+# We write *multiple* detail files here. They will be processed by
+# the detail "listen" section in the order that they were created.
+# The directory containing these files should NOT be used for any
+# other purposes. i.e. It should have NO other files in it.
+#
+# Writing multiple detail enables the server to process the pieces
+# in smaller chunks. This helps in certain catastrophic corner cases.
+#
+# $Id$
+#
+detail detail.example.com {
+ filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
+}
diff --git a/raddb/mods-available/detail.log b/raddb/mods-available/detail.log
new file mode 100644
index 0000000..b91cf7c
--- /dev/null
+++ b/raddb/mods-available/detail.log
@@ -0,0 +1,75 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# More examples of doing detail logs.
+
+#
+# Many people want to log authentication requests.
+# Rather than modifying the server core to print out more
+# messages, we can use a different instance of the 'detail'
+# module, to log the authentication requests to a file.
+#
+# You will also need to un-comment the 'auth_log' line
+# in the 'authorize' section, below.
+#
+detail auth_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
+
+ #
+ # This MUST be 0600, otherwise anyone can read
+ # the users passwords!
+ permissions = 0600
+
+ # You may also strip out passwords completely
+ suppress {
+ User-Password
+ }
+}
+
+#
+# This module logs authentication reply packets sent
+# to a NAS. Both Access-Accept and Access-Reject packets
+# are logged.
+#
+# You will also need to un-comment the 'reply_log' line
+# in the 'post-auth' section, below.
+#
+detail reply_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
+
+ permissions = 0600
+}
+
+#
+# This module logs packets proxied to a home server.
+#
+# You will also need to un-comment the 'pre_proxy_log' line
+# in the 'pre-proxy' section, below.
+#
+detail pre_proxy_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
+
+ #
+ # This MUST be 0600, otherwise anyone can read
+ # the users passwords!
+ permissions = 0600
+
+ # You may also strip out passwords completely
+ #suppress {
+ # User-Password
+ #}
+}
+
+#
+# This module logs response packets from a home server.
+#
+# You will also need to un-comment the 'post_proxy_log' line
+# in the 'post-proxy' section, below.
+#
+detail post_proxy_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
+
+ permissions = 0600
+}