rlm_detail

Synopsis

The detail module writes packets to a "detail" log file in plain text.

Processing Sections

authorize

When listed in the authorize section, the detail module logs the request packet.

Return codes

fail The module was unable to access filename.

noop The packet was read from filename, so it will not be written back to that file.

ok The packet was successfully written to filename.

accounting

When listed in the accounting section, the detail module logs the request packet.

Return codes

See authorize, above.

pre-proxy

When listed in the pre-proxy section, the detail module logs the proxy packet.

Return codes

See authorize, above.

post-proxy

When listed in the post-proxy section, the detail module logs the proxy_reply packet.

If there is no proxy_reply packet, and the packet is Accounting-Request, the detail module logs the request packet. This behavior means that when the server fails to proxy an accounting packet, it can log it instead to a detail file. A listen section can then read that file and try to proxy the packet again.

See the robust proxy accounting virtual server for an example of this configuration.

Return codes

See authorize, above.

post-auth

When listed in the post-auth section, the detail module logs the reply packet.

Return codes

See authorize, above.

recv-coa

When listed in the recv-coa section, the detail module logs the request packet.

Return codes

See authorize, above.

send-coa

When listed in the send-coa section, the detail module logs the reply packet.

Return codes

See authorize, above.

Expansions

None.

Directives

filename
Syntax

filename = filename

Default

${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d

Description

The filename entry defines a file that is used to log the records. If the file does not exist, it will be created along with any parent directories. The filename string is expanded for every request that is logged.

The default configuration creates a new detail file for every RADIUS client by IP address. In addition, the detail file does not require log rotation because a new detail file is created every day. If the detail files are very large, it is recommended to add a :%H to the end of the entry, e.g., …/detail-%Y%m%d:%H. This change causes a new detail file to be created every hour.

If detail files are read via the listen section (e.g., as in raddb/sites-available/robust-proxy-accounting), then a unique directory must be used for each combination of a detail file writer and reader. There can only be one listen section reading detail files from a particular directory.

Note
If radrelay is used, the above line for detailfile must be deleted and the following used instead: detailfile = ${radacctdir}/detail

Note
Do not use the NAS-IP-Address attribute in filename, as that attribute MAY BE from the originating NAS and NOT from the proxy that actually sent the request. Use Packet-Src-IP-Address instead.

permissions
Syntax

permissions = integer

Default

0600

Description

The Unix-style permissions for the log file.

The log file may contain secret or private information about users. It is recommended that the file permissions be kept as restrictive as possible.

group
Syntax

group = string

Default

freerad

Description

The name of the group that will own the log file. If unset, the group is inherited from the gid of the server process.

header
Syntax

header = string

Default

"%t"

Description

Every entry in the detail file has a header, which also serves as a timestamp. The ctime format must be used (see man ctime for details).

locking
Syntax

locking = boolean

Default

yes

Description

Indicates whether or not the module should lock filename while writing to it.

If the detail file reader will be reading this detail file, then this directive should be set to yes. Otherwise, this directive should be set to no.

log_packet_header
Syntax

log_packet_header = boolean

Default

no

Description

Logs the packet source and destination IPs and ports.

suppress
Syntax

suppress { attributes }

Description

Certain attributes such as User-Password are "sensitive" and should not be printed in the detail file. This section lists the attributes that should be suppressed.

The suppress subsection should contain a list of attribute names. These attributes will not be printed in the detail file.

Example suppress section

suppress {
	User-Password
}
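
A small checker for the three security-relevant points above (restrictive permissions, Packet-Src-IP-Address rather than NAS-IP-Address in filename, and User-Password listed in suppress). This is an added example, not part of the FreeRADIUS documentation or code. Both configuration samples are constructed, parse_detail and audit are hypothetical helper names, and the parser assumes one directive per line with the suppress braces on their own lines.

```python
import re

# Constructed sample with three weak settings (not from any shipped config).
WEAK = r'''
detail {
	filename = ${radacctdir}/%{NAS-IP-Address}/detail-%Y%m%d
	permissions = 0644
	suppress {
	}
}
'''
# Constructed sample that follows the defaults and advice on this page.
HARDENED = r'''
detail {
	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
	permissions = 0600
	suppress {
		User-Password
	}
}
'''

def parse_detail(text):
    """Return (directives, suppressed attribute names) for one detail block."""
    directives, suppressed, in_suppress = {}, set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([\w-]+)\s*=\s*(.+)", line)   # "name = value"
        if re.match(r"suppress\s*\{", line):
            in_suppress = True
        elif in_suppress and line == "}":
            in_suppress = False
        elif in_suppress and line:
            suppressed.add(line)                     # one attribute per line
        elif m:
            directives[m[1]] = m[2].strip('"')
    return directives, suppressed

def audit(text):
    d, suppressed = parse_detail(text)
    findings = []
    mode = int(d.get("permissions", "0600"), 8)      # page default: 0600
    if mode & 0o177:                                 # any bit beyond owner rw
        findings.append(f"permissions {mode:04o} grants more than owner read/write")
    if "NAS-IP-Address" in d.get("filename", ""):
        findings.append("filename uses NAS-IP-Address, not Packet-Src-IP-Address")
    if "User-Password" not in suppressed:
        findings.append("User-Password is not listed in suppress")
    return findings
```

Calling audit(WEAK) returns one finding per weak setting; audit(HARDENED) returns an empty list.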