log

auth = boolean

no

Logs authentication requests to the log file.

auth_badpass = boolean

no

Logs passwords with the authentication requests: logs password if it’s rejected.

auth_goodpass = boolean

no

Logs passwords with the authentication requests: logs password if it’s correct.

colourise = boolean

yes

Highlights important messages sent to stderr and stdout.

Option will be ignored (disabled) if output of TERM is not an xterm or output is not to a TTY.

destination = string

files

Destination for log messages. This can be one of:

The command-line option "-X" overrides this option and forces logging to go to stdout.

file = filename

${logdir}/radius.log

If destination = "files", then the logging messages for the server are appended to the tail of this file. If the server is running in debugging mode, then this file is NOT used.

msg_denied = string

"You are already logged in - access denied"

The message when the user exceeds the Simultaneous-Use limit.

msg_badpass = string

""

Logs additional text at the end of the Login OK messages. For this directive to work, the auth and auth_badpass configurations have to be set to yes.

The strings below are dynamically expanded, which means that they can be anything. However, note that this expansion can be slow and can negatively impact server performance.

msg_goodpass = string

""

Logs additional text at the end of the Login OK messages. For this directive to work, the auth and auth_goodpass configurations have to be set to yes.

The strings below are dynamically expanded, which means that they can be anything. However, note that this expansion can be slow and can negatively impact server performance.

requests = filename

${logdir}/radiusd-%\{​%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

If this configuration parameter is set, then log messages for a request go to this file, rather than to radius.log. In other words, this file becomes a log file per request, once the server has accepted the request as being from a valid client. Messages that are not associated with a request still go to radius.log.

Not all log messages in the server core have been updated to use this new internal API. As a result, some messages will still go to radius.log.

The file name is expanded dynamically. Only server-side attributes should be used for the filename (e.g., things that can be controlled). Using this feature may also slow down the server substantially, especially if things like SQL calls are used as part of the expansion of the filename.

To avoid having the log messages distributed over multiple files, the name of the log file should use attributes that don’t change over the lifetime of a request, such as User-Name, Virtual-Server, or Packet-Src-IP-Address.

Logging can be enabled for an individual request by a special dynamic expansion macro: %{debug: 1}, where the debug level for this request is set to '1' (or 2, 3, etc.); e.g.,

The attribute to which value is assigned is unimportant and should be a "throw-away" attribute with no side effects.

stripped_names = boolean

no

Logs the full User-Name attribute, as it was found in the request.

syslog_facility = string

daemon

Which syslog facility to use, if ${destination} == "syslog". The exact values permitted here are OS-dependent. This value probably should not be changed.