Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation  Back up to About Overview 
  
[+] Expand All
[-] Collapse All

authlog.ini File

The authlog.ini initialization file contains information that controls how RADIUS authentication request attributes are logged in the comma-delimited yyyymmdd.authlog file.

[Alias/name] Sections

You can create one or more [Alias/name] sections in authlog.ini (Table 39) to associate attributes of different names, but identical meaning. For example, one network access server vendor might call an attribute Auth-Connect-Type and another might call it AuthConn-Typ, yet the two attributes would both map to Auth-Conn-Type.

Each [Alias/name] section permits you to map one RADIUS authentication request attribute that is already being logged by Steel-Belted Radius Carrier to any number of other attributes. You can provide as many [Alias/name] sections as you want, using this syntax for each section:

[Alias/name]
VendorSpecificAttribute=
VendorSpecificAttribute=

Table 39: authlog.ini [Alias/name] Syntax

Parameter

Function

name

The preferred attribute name. The name attribute must be one that you are currently logging to a column in the Steel-Belted Radius Carrier authentication request log file (.authlog). Therefore, it must be listed in the [Attributes] section of authlog.ini.

VendorSpecificAttribute

Each entry is given on one line. An equal sign (=) must immediately follow each VSA name, without any intervening space. Improperly formatted entries are considered invalid and are ignored.

Each VendorSpecificAttribute in the list is logged to the name column in the authentication request log file. Because you are listing these attributes in an [Alias/name] section, make sure they are not listed in the [Attributes] section or they are logged to their own columns as well as to the name column.

All of the attribute names that you reference in an [Alias/name] section must be defined in a dictionary file that is already installed on the Steel-Belted Radius Carrier server. This includes name and each VendorSpecificAttribute entry.

In the following example, the standard RADIUS attribute Auth-Conn-Type is mapped to the vendor-specific attributes AuthConnect-Type and AuthConn-Typ. Values encountered for all three attributes are logged in the AuthOctetPackets column in the authentication request log file:

[Alias/Auth-Conn-Type]
Auth-Conn-Typ=
Auth-Connect-Type=

[Attributes] Section

The [Attributes] section of authlog.ini lists all the attributes logged in the authentication request log file. These include attributes in Access-Request messages received from the network access server (NAS). Attributes that Steel-Belted Radius Carrier returns to the NAS are not logged in this file. When you install Steel-Belted Radius Carrier, the authlog.ini file is set up so that all standard RADIUS attributes and all supported vendor authentication attributes are listed.

You can configure what is logged to the authentication request log file by rearranging the order of attributes in the [Attributes] section. You can delete or comment out attributes you do not want or that do not apply to your equipment. This lets you design the content and column order of any spreadsheets that you plan to create based upon the authentication request log file.

The syntax of the [Attributes] section is:

[Attributes]
AttributeName=
AttributeName=

For example:

[Attributes]
User-Name=
NAS-IP-Address=
NAS-Port=
Service-Type=
Framed-Protocol=
Framed-IP-Address=
Framed-IP-Netmask=
Framed-Compression=

The [Attributes] section lists one AttributeName on each line. You must ensure that an equal sign (=) immediately follows each AttributeName, with no spaces in between. Improperly formatted entries are considered invalid and are ignored.

Each AttributeName in the [Attributes] section must be defined in a standard RADIUS dictionary file (.dct file), a subattribute dictionary file (.jdict file), or vendor-specific dictionary file (.dct) installed on the Steel-Belted Radius Carrier server.

Note: The first five attributes in each authentication log file entry (Date, Time, RASClient, FullName, and ACC/REJ) are always enabled, and cannot be reordered or deleted. Therefore, these attributes do not appear in the authlog.ini file [Attributes] section.

[Configuration] Section

The [Configuration] section of authlog.ini specifies the location of the yyymmdd.authlog file.

Table 40: authlog.ini [Configuration] Syntax

Parameter

Function

LogDir

Specifies the destination directory on the local host where yyyymmdd.authlog files are stored.

Default value is the directory where Steel-Belted Radius Carrier is installed.

Note: With directed realms, you can maintain multiple authentication log locations.

[Syslog] Section

The [Syslog] section of the authlog.ini file enables authentication request information to be written to the system log file. Compatible applications (such as rsyslog) can be used to forward these system log messages to a remote server or database. The format of the system log message is the same as that of the authentication log message.

Parameter

Function

Enable

Enables authentication request information to be written to the system log file.

If set to 1, this setting enables writing of authentication requests to the system log file.

If set to 0, this setting disables writing of authentication requests to the system log file.

The default value is 0.

Note: This setting is independent of the Enable setting in the [Configure] section of the authentication log.

Facility

This parameter sets the system log facility.

The default value is Daemon, but could be set to Local[X], where X = 0–7.

Severity

This parameter sets the severity of the system log message. The value could be Info or Notice.

The default value is Info.

Following are some configuration examples of syslog.conf and rsyslog.conf files:

Example 1—To write all authlog messages to /var/adm/messages using the LOCAL3 facility and LOG_INFO severity:

  1. Configure the authlog.ini file as:
    [Syslog]
Enable = 1
Facility = local3
Severity = Info
  2. Add the following statement in the /etc/syslog.conf file:
    *.err;kern.debug;daemon.notice;mail.crit;local3.info   /var/adm/messages
  3. Run the following command:
    kill -HUP `pgrep syslogd`
  4. Restart the sbrd process.
    ./sbrd restart
  5. Authlog messages are written to the system log (/var/adm/messages).

Note: In Linux, you need to use the rsyslog.conf file instead of syslog.conf. By default, system logs are stored under /var/log/messages.

Example 2—To write all authlog messages to a SQL database (Linux configuration example):

  1. Configure the authlog.ini file in the local server as:
    [Syslog]
Enable = 1
Facility = daemon
Severity = Info
  2. Restart the sbrd process.
    ./sbrd restart
  3. Update the /etc/rsyslog.conf file in the local server as:
    #### MODULES ####
$Modload ommysql #provide Mysql support
$ModLoad imuxsock.so	# provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so	# provides kernel logging support (previously done by rklogd)
$ModLoad immark.so	# provides --MARK-- message capability

#Provides TCP system log  reception
$ModLoad imtcp.so  
$InputTCPServerRun 514

$template test,"insert into rsyslog5(host,pid,facility,priority,datetime,msg) values('%hostname%',
     '%syslogtag:R,ERE,1,BLANK:\[([0-9]{1,5})\]--end%','%syslogfacility%','%syslogpriority%',
    '%timereported:::date-mysql%','%msg%')",SQL

*.* >sbr-lin1.englab.juniper.net,test,testuser,testpassword;test

    Note: The statement *.* >sbr-lin1.englab.juniper.net,test,testuser,testpassword;test is in the format *.* >dbhost,dbname,dbuser,dbpassword;dbtemplate.

  4. Restart the rsyslog service.
    Service rsyslog restart
  5. Authlog messages are written to the SQL DB of the SQL server.

Example 3—To write all authlog messages to a remote server (Linux configuration example):

  1. Configure the authlog.ini file in the local server as:
    [Syslog]
Enable = 1
Facility = daemon
Severity = Info
  2. Restart the sbrd process.
    ./sbrd restart
  3. Update the /etc/rsyslog.conf file in the local server as:
    *.* @@192.168.1.1:514

    Note: Here, 192.168.1.1:514 is a remote SBR server.

  4. Restart the rsyslog service.
    Service rsyslog restart
  5. Update the /etc/rsyslog.conf file in the remote server as:
    # Provides TCP system log  reception
  $ModLoad imtcp.so
  $InputTCPServerRun 514
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
  6. Restart the rsyslog service.
    Service rsyslog restart
  7. Authlog messages are written to the remote server’s system log (/var/log/messages).

[Settings] Section

Steel-Belted Radius Carrier writes all authentication request data to the current authentication request log file (yyyymmdd.authlog) until that log file is closed. When Steel-Belted Radius Carrier closes an authentication request log file, it immediately opens a new one and begins writing authentication request data to it.

You can configure how often this rollover of the authentication request log file occurs.

The naming conventions of the authentication request log files support the fact that Steel-Belted Radius Carrier can create more than one file per day. In the examples in Table 41, y =year digit, m =month digit, d =day digit, and h =hour digit. The extra sequence number _nnnnn starts at _00000 each day.

Table 41: Authentication Log Rollover

File Generation Method

File Naming Convention

Default (24 hours)

yyyymmdd.authlog

Non-24-hour rollover

yyyymmdd_hhmm.authlog

Rollover due to size

yyyymmdd_nnnnn.authlog

Rollover due to size or startup when non24hour time in effect

yyyymmdd_hhmm_nnnnn.authlog

The [Settings] section of authlog.ini in Table 42 controls which entries are written to the authentication request log file, and ensure the compatibility of these entries with a variety of database systems. These rollover settings can be present in the [Settings] section.

Table 42: authlog.ini [Settings] Syntax

Parameter

Function

Enable

  • If set to 0, the authentication request log is disabled and other settings are ignored.
  • If set to 1, the authentication request log is enabled.

Set Enable to 1 for Authentication servers. For efficiency, set Enable to 0 for nonauthentication servers.

Default value is 0.

LogAssignedIpAddress

  • If set to 1, LogAssignedIpAddress is enabled and the framed IP address is displayed in the authlog.log file as Assigned-IP-Address.
  • If set to 0, LogAssignedIpAddress is disabled and the framed IP address is not displayed in the authlog.log file.

The default value is 0 (Disabled).

Here is a sample output displaying the header and log message

Header:

"Date","Time","RAS-Client","Full-Name","Acc/Rej","User-Name",
"NAS-IP-Address","NAS-Port","Service-Type","Framed-Protocol",
"Framed-IP-Address","Framed-IP-Netmask","Framed-Compression",
"Login-IP-Host","Callback-Number","State","Called-Station-Id",
"Calling-Station-Id","NAS-Identifier","Proxy-State","Event-Timestamp",
"NAS-Port-Type","Port-Limit","Login-LAT-Port","Assigned-IP-Address"

Log Message:

"11/11/2010","01:42:51","<ANY>”,"ROOT","ACCEPT","ROOT",
"10.206.144.123","1975",,,,,,,,,"t1.internet",,,,,"2",,,"10.206.144.1"
"11/11/2010","01:43:06","<ANY>”,"ROOT","ACCEPT","ROOT",
"10.206.144.123","1976",,,,,,,,," t1.internet",,,,,"2",,,"10.206.144.5"
"11/11/2010","01:43:06","<ANY>”,"ROOT","ACCEPT","ROOT",
"10.206.144.123","1977",,,,,,,,," t1.internet",,,,,"2",,,"10.206.144.7"
"11/11/2010","01:43:06",”<ANY>”,"ROOT","ACCEPT","ROOT",
"10.206.144.123","1978",,,,,,,,," t1.internet",,,,,"2",,,"10.206.144.8"
"11/11/2010","01:43:06",”<ANY>","ROOT","ACCEPT","ROOT",
"10.206.144.123","1979",,,,,,,,," t1.internet",,,,,"2",,,"10.206.144.10"
"11/11/2010","01:43:06",”<ANY>","ROOT","ACCEPT","ROOT",
"10.206.144.123","1980",,,,,,,,," t1.internet",,,,,"2",,,"10.206.144.14"
"11/11/2010","01:43:06",”<ANY>","ROOT","ACCEPT","ROOT",
"10.206.144.123","1981",,,,,,,,," t1.internet",,,,,"2",,,"10.206.144.15"
"11/11/2010","01:43:06”,”<ANY>","ROOT","ACCEPT","ROOT",
"10.206.144.123","1982",,,,,,,,," t1.internet",,,,,"2",,,"10.206.144.16"

LogFilePermissions

Specifies the owner and access permission setting for the authorization request log (yyyymmdd.authlog) file.

Enter a value for the LogFilePermissions setting in owner:group permissions format, where:

  • owner specifies the owner of the file in text or numeric format.
  • group specifies the group setting for the file in text or numeric format.
  • permissions specifies what privileges can be exercised by Owner/Group/Other with respect to the file in text or numeric format.

    For example, userw:1007 rw-r- - - - - specifies that the file owner (user) can read and edit the log file, members of group 1007 can read (but not edit) the log file, and other users cannot access the log file.

    The default mask is -rw - - - - - -.

LineSize

Specifies the maximum number of characters in a line in the authentication request log. You can enter a number in the range 1024–32768.

Default value is 4096.

Note: Logging will fail if this value is exceeded.

MaxSize

  • If set to a number greater than 0, specifies the maximum number of bytes for an authentication request log file. If the authentication request log file equals or exceeds this limit when the log size is checked, the log file is closed and a new file started.
  • If set to 0, the authentication request log has no maximum size.

Default value is 0.

QuoteBinary

  • If set to 1, binary values written to the authentication request log file are enclosed in quotes.
  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the authentication request log entries.

Default value is 1.

QuoteInteger

  • If set to 1, integer values written to the authentication request log file are enclosed in quotes.
  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the authentication request log entries.

Default value is 1.

QuoteIPAddress

  • If set to 1, IP addresses written to the authentication request log file are enclosed in quotes.
  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the authentication request log entries.

Default value is 1.

QuoteText

  • If set to 1, text strings written to the authentication request log file are enclosed in quotes.
  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the authentication request log entries.

Default value is 1.

QuoteTime

  • If set to 1, time and date values written to the authentication request log file are enclosed in quotes.
  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the authentication request log entries.

Default value is 1.

RollOver

Specifies how often the current authentication request log file is closed and a new file opened (a rollover), up to one rollover per minute.

  • If set to 0, the authentication request log rolls over once every 24 hours, at midnight local time.
  • If set to a number in the range 1–1440, specifies the number of minutes until the next rollover.

Default value is 0.

RollOverOnStartup

  • If set to 1, each time Steel-Belted Radius Carrier is started, it closes the current authentication request log file and opens a new one. A sequence number _nnnnn is appended to the log file name, just as when MaxSize is reached.
  • If set to 0, each time Steel-Belted Radius Carrier is started, it appends entries to the previously open authentication request log file.

Default value is 0.

Titles

  • If set to 1, each time a new authentication request log file is created, the title line (containing column headings) is written to the file.
  • If set to 0, the line is not written.

Default value is 1.

UTC

  • If set to 1, time and date values are provided according to UTC (GMT).
  • If set to 0, time and date values reflect local time.

Default value is 0.

Modified: 2018-01-11

Previous Page Next Page