Diffstat (limited to '')
-rw-r--r-- | raddb/mods-available/detail | 109 | ||||
-rw-r--r-- | raddb/mods-available/detail.example.com | 27 | ||||
-rw-r--r-- | raddb/mods-available/detail.log | 75 |
3 files changed, 211 insertions, 0 deletions
diff --git a/raddb/mods-available/detail b/raddb/mods-available/detail
new file mode 100644
index 0000000..ccf65f9
--- /dev/null
+++ b/raddb/mods-available/detail
@@ -0,0 +1,109 @@
+# -*- text -*-
+#
+# $Id$
+
+# Write a detailed log of all accounting records received.
+#
+detail {
+ # Note that we do NOT use NAS-IP-Address here, as
+ # that attribute MAY BE from the originating NAS, and
+ # NOT from the proxy which actually sent us the
+ # request.
+ #
+ # The following line creates a new detail file for
+ # every radius client (by IP address or hostname).
+ # In addition, a new detail file is created every
+ # day, so that the detail file doesn't have to go
+ # through a 'log rotation'
+ #
+ # If your detail files are large, you may also want to add
+ # a ':%H' (see doc/configuration/variables.rst) to the end
+ # of it, to create a new detail file every hour, e.g.:
+ #
+ # ..../detail-%Y%m%d:%H
+ #
+ # This will create a new detail file for every hour.
+ #
+ # If you are reading detail files via the "listen" section
+ # (e.g. as in raddb/sites-available/robust-proxy-accounting),
+ # you MUST use a unique directory for each combination of a
+ # detail file writer, and reader. That is, there can only
+ # be ONE "listen" section reading detail files from a
+ # particular directory.
+ #
+ # The configuration below puts the detail files into separate
+ # directories for each client. If you are reading the detail
+ # files via the "listen" section, just use one directory.
+ #
+ # e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d
+ #
+ # AND use a separate directory (reader2, reader3, etc.) for each
+ # reader.
+ #
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
+
+ #
+ # If you are using radrelay, delete the above line for "file",
+ # and use this one instead:
+ #
+# filename = ${radacctdir}/detail
+
+ #
+ # Most file systems can handly nearly the full range of UTF-8
+ # characters. Ones that can deal with a limited range should
+ # set this to "yes".
+ #
+ escape_filenames = no
+
+ #
+ # The Unix-style permissions on the 'detail' file.
+ #
+ # The detail file often contains secret or private
+ # information about users. So by keeping the file
+ # permissions restrictive, we can prevent unwanted
+ # people from seeing that information.
+ permissions = 0600
+
+ # The Unix group of the log file.
+ #
+ # The user that the server runs as must be in the specified
+ # system group otherwise this will fail to work.
+ #
+# group = ${security.group}
+
+ #
+ # Every entry in the detail file has a header which
+ # is a timestamp. By default, we use the ctime
+ # format (see "man ctime" for details).
+ #
+ # The header can be customised by editing this
+ # string. See "doc/configuration/variables.rst" for a
+ # description of what can be put here.
+ #
+ header = "%t"
+
+ #
+ # Uncomment this line if the detail file reader will be
+ # reading this detail file.
+ #
+# locking = yes
+
+ #
+ # Log the Packet src/dst IP/port. This is disabled by
+ # default, as that information isn't used by many people.
+ #
+# log_packet_header = yes
+
+ #
+ # Certain attributes such as User-Password may be
+ # "sensitive", so they should not be printed in the
+ # detail file. This section lists the attributes
+ # that should be suppressed.
+ #
+ # The attributes should be listed one to a line.
+ #
+ #suppress {
+ # User-Password
+ #}
+
+}
diff --git a/raddb/mods-available/detail.example.com b/raddb/mods-available/detail.example.com
new file mode 100644
index 0000000..827cdf5
--- /dev/null
+++ b/raddb/mods-available/detail.example.com
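Review bot: `permissions = 0600` restricts only the detail file itself, while the `filename` line above it places each client's files in a separate directory under `${radacctdir}`, and nothing in this block says what mode those directories get. The comment already states that the file holds secret or private information about users, so I would extend it with a line such as `# This mode applies to the file only; check that ${radacctdir} and the per-client directories are not world-readable.` Whether the module exposes its own setting for directory modes is not visible in this hunk, so the wording may need adjusting once that is confirmed.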
@@ -0,0 +1,27 @@
+# -*- text -*-
+#
+# Detail file writer, used in the following examples:
+#
+# raddb/sites-available/robust-proxy-accounting
+# raddb/sites-available/decoupled-accounting
+#
+# Note that this module can write detail files that are read by
+# only ONE "listen" section. If you use BOTH of the examples
+# above, you will need to define TWO "detail" modules.
+#
+# e.g. detail1.example.com && detail2.example.com
+#
+#
+# We write *multiple* detail files here. They will be processed by
+# the detail "listen" section in the order that they were created.
+# The directory containing these files should NOT be used for any
+# other purposes. i.e. It should have NO other files in it.
+#
+# Writing multiple detail enables the server to process the pieces
+# in smaller chunks. This helps in certain catastrophic corner cases.
+#
+# $Id$
+#
+detail detail.example.com {
+ filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
+}
diff --git a/raddb/mods-available/detail.log b/raddb/mods-available/detail.log
new file mode 100644
index 0000000..b91cf7c
--- /dev/null
+++ b/raddb/mods-available/detail.log
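Review bot: The `detail detail.example.com` block sets only `filename`, so the mode of the files it writes is left to the module default, which this page does not show. Every other `detail` instance added in this commit sets `permissions = 0600` explicitly, and the comment in `raddb/mods-available/detail` explains that these files often contain secret or private user information. I would add `permissions = 0600` under the `filename` line so this example does not depend on the default and stays consistent with the other instances.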
@@ -0,0 +1,75 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# More examples of doing detail logs.
+
+#
+# Many people want to log authentication requests.
+# Rather than modifying the server core to print out more
+# messages, we can use a different instance of the 'detail'
+# module, to log the authentication requests to a file.
+#
+# You will also need to un-comment the 'auth_log' line
+# in the 'authorize' section, below.
+#
+detail auth_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
+
+ #
+ # This MUST be 0600, otherwise anyone can read
+ # the users passwords!
+ permissions = 0600
+
+ # You may also strip out passwords completely
+ suppress {
+ User-Password
+ }
+}
+
+#
+# This module logs authentication reply packets sent
+# to a NAS. Both Access-Accept and Access-Reject packets
+# are logged.
+#
+# You will also need to un-comment the 'reply_log' line
+# in the 'post-auth' section, below.
+#
+detail reply_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
+
+ permissions = 0600
+}
+
+#
+# This module logs packets proxied to a home server.
+#
+# You will also need to un-comment the 'pre_proxy_log' line
+# in the 'pre-proxy' section, below.
+#
+detail pre_proxy_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
+
+ #
+ # This MUST be 0600, otherwise anyone can read
+ # the users passwords!
+ permissions = 0600
+
+ # You may also strip out passwords completely
+ #suppress {
+ # User-Password
+ #}
+}
+
+#
+# This module logs response packets from a home server.
+#
+# You will also need to un-comment the 'post_proxy_log' line
+# in the 'post-proxy' section, below.
+#
+detail post_proxy_log {
+ filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
+
+ permissions = 0600
+}
+} |
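Review bot: `pre_proxy_log` carries the same "anyone can read the users passwords" warning as `auth_log`, but its `suppress { User-Password }` block is commented out, so enabling this instance as shipped would write that attribute to disk whenever the proxied request contains it. Unless the pre-proxy log needs the value, I would ship the block uncommented, exactly as `auth_log` has it: `suppress {`, `User-Password`, `}`. If it is left off on purpose, a one-line comment saying why would keep the two instances from looking accidentally inconsistent. The 0600 mode limits who can read the file, but the value would still sit in backups and any copy of the log.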