rlm_detail

Synopsis

The detail module writes packet to a "detail" log file in plain-text.

Default configuration

Processing Sections

authorize

When listed in the authorize section, the detail module logs the request packet.

Return codes: fail The module was unable to access filename.
: noop The packet was read from filename, so it will not be written back to that file.
: ok The packet was successfully written to filename.

accounting

When listed in the accounting section, the detail module logs the request packet.

Return codes: See authorize, above.

pre-proxy

When listed in the pre-proxy section, the detail module logs the proxy packet.

Return codes: See authorize, above.

post-proxy

When listed in the post-proxy section, the detail module logs the proxy_reply packet.

If there is no proxy_reply packet, and the packet is Accounting-Request, the detail module logs the request packet. This behavior means that when the server fails to proxy an accounting packet, it can log it instead to a detail file. A listen section can then read that file and try to proxy the packet again.

See the robust proxy accounting virtual server for an example of this configuration.

Return codes: See authorize, above.

post-auth

When listed in the post-auth section, the detail module logs the reply packet.

Return codes: See authorize, above.

recv-coa

When listed in the recv-coa section, the detail module logs the request packet.

Return codes: See authorize, above.

send-coa

When listed in the send-coa section, the detail module logs the reply packet.

Return codes: See authorize, above.

Expansions

None.

Directives

filename

Syntax: filename = filename
Default: ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
Description: The filename entry defines a file that is used to log the records. If the file does not exist, it will be created along with any parent directories. The filename string is expanded for every request that is logged.
: The default configuration creates a new detail file for every radius client by IP address. In addition, the detail file does not require log rotation because a new detail file is created every day. If the detail files are very large, it is recommended to add a :%H to the end of the entry, e.g., …/detail-%Y%m%d:%H. This command will cause the creation of a new detail file every hour.
: If detail files are viewed via the listen section (e.g., as in raddb/sites-available/robust-proxy-accounting), then a unique directory must be used for each combination of a detail file writer and reader. There can only be one listen section reading detail files from a particular directory.

Note	If `radrelay` is used, the above line must be deleted for `detailfile` and the following used instead: `detailfile = ${radacctdir}/detail`

Note	Do not use the `NAS-IP-Address` attribute in `filename`, as that attribute MAY BE from the originating NAS and NOT from the proxy that actually sent the request. Use `Packet-Src-IP-Address` instead.

permissions

Syntax: permissions = integer
Default: 0600
Description: The Unix-style permissions for the log file.
: The log file may contain secret or private information about users. It is recommended that the file permissions be kept as restrictive as possible.

group

Syntax: group = string
Default: freerad
Description: The name of the group that will own the log file. If unset, the group is inherited from the gid of the server process.

header

Syntax: header = string
Default: "%t"
Description: Every entry in the detail file has a header, which also serves as a timestamp. The ctime format must be used (see man ctime for details).

locking

Syntax: locking = boolean
Default: yes
Description: Indicates whether or not the module should lock filename while writing to it.
: If the detail file reader will be reading this detail file, then this directive should be set to yes. Otherwise, this directive should be set to no.

log_packet_header

Syntax: log_packet_header = boolean
Default: no
Description: Logs the packet source and destination IPs and ports.

suppress

Syntax: suppress { attributes }
Description: Certain attributes such as User-Password are "sensitive" and should not be printed in the detail file. This section lists the attributes that should be suppressed.
: The suppress subsection should contain a list of attribute names. These attributes will not be printed in the detail file.

Example suppress section

suppress {
	 User-Password
}