# -*- text -*-
#
#  $Id$

#
#  The "linelog" module will log one line of text to a file.
#  Both the filename and the line of text are dynamically expanded.
#
#  We STRONGLY suggest that you do not use data from the
#  packet as part of the filename.
#
linelog {
	#
	#  The file where the logs will go.
	#
	#  If the filename is "syslog", then the log messages will
	#  go to syslog.
	#
	#  The output can be directed to stdout by using /dev/stdout
	#
	filename = ${logdir}/linelog

	#
	#  Most file systems can handly nearly the full range of UTF-8
	#  characters.  Ones that can deal with a limited range should
	#  set this to "yes".
	#
	escape_filenames = no

	#
	#  The Unix-style permissions on the log file.
	#
	#  Depending on format string, the log file may contain secret or
	#  private information about users.  Keep the file permissions as
	#  restrictive as possible.
	permissions = 0600

	#  The Unix group which owns the log file.
	#
	#  The user that freeradius runs as must be in the specified
	#  group, otherwise it will not be possible to set the group.
#	group = ${security.group}

	#  Syslog facility (if logging via syslog).
	#  Defaults to the syslog_facility config item in radiusd.conf.
	#  Standard facilities are:
	#  - kern        Messages generated by the kernel.  These cannot
	#                be generated by any user processes.
	#  - user        Messages generated by random user processes.
	#                This is the default facility identifier if
	#                none is specified.
	#  - mail        The mail system.
	#  - daemon      System daemons, such as routed(8), that are not
	#                provided for explicitly by other facilities.
	#  - auth        The authorization system: login(1), su(1),
	#                getty(8), etc.
	#  - lpr         The line printer spooling system: cups-lpd(8),
	#                cupsd(8), etc.
	#  - news        The network news system.
	#  - uucp        The uucp system.
	#  - cron        The cron daemon: cron(8).
	#  - authpriv    The same as LOG_AUTH, but logged to a file
	#                readable only by selected individuals.
	#  - ftp         The file transfer protocol daemons: ftpd(8),
	#                tftpd(8).
	#  - local[0-7]  Reserved for local use.
#	syslog_facility = daemon

	#  Syslog severity (if logging via syslog). Defaults to info.
	#  Possible values are:
	#  - emergency   A panic condition.  This is normally broadcast
	#                to all users.
	#  - alert       A condition that should be corrected immediately,
	#                such as a corrupted system database.
	#  - critical    Critical conditions, e.g., hard device errors.
	#  - error       Errors.
	#  - warning     Warning messages.
	#  - notice      Conditions that are not error conditions, but
	#                should possibly be handled specially.
	#  - info        Informational messages.
	#  - debug       Messages that contain information normally of use
	#                only when debugging a program.
#	syslog_severity = info

	#  If logging via syslog, the severity can be set here.
	#  Defaults to info.

	#
	#  Optional header format string.
	#  Written to the first line of any newly created log file
#	header = "This is a header line"

	#
	#  The default format string.
	format = "This is a log message for %{User-Name}"

	#
	#  This next line can be omitted.  If it is omitted, then
	#  the log message is static, and is always given by "format",
	#  above.
	#
	#  If it is defined, then the string is dynamically expanded,
	#  and the result is used to find another configuration entry
	#  here, with the given name.  That name is then used as the
	#  format string.
	#
	#  If the configuration entry cannot be found, then no log
	#  message is printed.
	#
	#  i.e. You can have many log messages in one "linelog" module.
	#  If this two-step expansion did not exist, you would have
	#  needed to configure one "linelog" module for each log message.

	#
	#  Reference the Packet-Type (Access-Accept, etc.)  If it doesn't
	#  exist, reference the "default" entry.
	#
	#  This is for "linelog" being used in the post-auth section
	#  If you want to use it in "authorize", you need to change
	#  the reference to "messages.%{%{Packet-Type}:-default}",
	#  and then add the appropriate messages.
	#
	reference = "messages.%{%{reply:Packet-Type}:-default}"

	#
	#  The messages defined here are taken from the "reference"
	#  expansion, above.
	#
	messages {
		default = "Unknown packet type %{Packet-Type}"

		Access-Accept = "Accepted user: %{User-Name}"
		Access-Reject = "Rejected user: %{User-Name}"
		Access-Challenge = "Sent challenge: %{User-Name}"
	}
}

#
#  Another example, for accounting packets.
#
linelog log_accounting {
	#
	#  Used if the expansion of "reference" fails.
	#
	format = ""

	filename = ${logdir}/linelog-accounting

	permissions = 0600

	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

	#
	#  Another example:
	#
	#
	Accounting-Request {
		Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
		Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"

		#  Don't log anything for these packets.
		Alive = ""

		Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
		Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"

		# don't log anything for other Acct-Status-Types.
		unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
	}
}