Remotely monitoring server activity


Remotely monitoring server activity

R3DNano
I'm trying to manage the global freeradius status from a remote location.
The files under /var/log/radius/radacct are pretty detailed and have a
lot of information about what is going on with the freeradius server.
However, searching the old mailing list archives, I see there's a
particular thread of someone asking how to send the radacct logs to a
remote syslog being not a recommended practice.

What's a practical way of having this information for further analysis
outside of the freeradius server? Send it to an SQL database somehow
perhaps?

Also, about the logs sent to syslog (for further forwarding to a
remote syslog server) - is there a way to customize what's being sent
on those messages?

Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Remotely monitoring server activity

Alan DeKok-2
On Feb 6, 2019, at 9:44 AM, R3DNano <[hidden email]> wrote:
>
> I'm trying to manage the global freeradius status from a remote location.
> The files under /var/log/radius/radacct are pretty detailed and have a
> lot of information about what is going on with the freeradius server.
> However, searching the old mailing list archives, I see there's a
> particular thread of someone asking how to send the radacct logs to a
> remote syslog being not a recommended practice.

  Why not?  It's fine.

> What's a practical way of having this information for further analysis
> outside of the freeradius server? Send it to an SQL database somehow
> perhaps?
>
> Also, about the logs sent to syslog (for further forwarding to a
> remote syslog server) - is there a way to customize what's being sent
> on those messages?

  No.  The server messages can't be customized.  There are literally hundreds of different messages.

  If you need *additional* custom messages, see the "linelog" module.  It can do custom log messages to syslog.  You can then use "linelog" any place you want additional logging.

  Alan DeKok.



Re: Remotely monitoring server activity

Jorge Pereira
In reply to this post by R3DNano
On Wed, Feb 6, 2019 at 12:45 PM R3DNano <[hidden email]> wrote:
>
> I'm trying to manage the global freeradius status from a remote location.
> The files under /var/log/radius/radacct are pretty detailed and have a
> lot of information about what is going on with the freeradius server.
> However, searching the old mailing list archives, I see there's a
> particular thread of someone asking how to send the radacct logs to a
> remote syslog being not a recommended practice.
>

I did something similar using the syslog-ng with pattern-db
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.19/administration-guide/72#TOPIC-1094740

> What's a practical way of having this information for further analysis
> outside of the freeradius server? Send it to an SQL database somehow
> perhaps?
>
> Also, about the logs sent to syslog (for further forwarding to a
> remote syslog server) - is there a way to customize what's being sent
> on those messages?
>
> Thanks.

Re: Remotely monitoring server activity

Niels Tomey
We're using graylog at work to interpret syslog messages. You can create
alerts if for example more than x login attempts failed within a certain
time frame and then get notified about it. You just need to define a grok
pattern for it.

You could also use process monitoring through SNMP to get an alert when
something happens to the radius process itself.

Regards,

Niels

On Thu, Feb 7, 2019, 00:35 Jorge Pereira <[hidden email]> wrote:

> On Wed, Feb 6, 2019 at 12:45 PM R3DNano <[hidden email]> wrote:
> >
> > I'm trying to manage the global freeradius status from a remote location.
> > The files under /var/log/radius/radacct are pretty detailed and have a
> > lot of information about what is going on with the freeradius server.
> > However, searching the old mailing list archives, I see there's a
> > particular thread of someone asking how to send the radacct logs to a
> > remote syslog being not a recommended practice.
> >
>
> I did something similar using the syslog-ng with pattern-db
>
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.19/administration-guide/72#TOPIC-1094740
>
> > What's a practical way of having this information for further analysis
> > outside of the freeradius server? Send it to an SQL database somehow
> > perhaps?
> >
> > Also, about the logs sent to syslog (for further forwarding to a
> > remote syslog server) - is there a way to customize what's being sent
> > on those messages?
> >
> > Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
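
The alert described in the message above (more than x failed logins within a time frame), written out in Python as an added example that is not part of the thread or of any poster's setup. The log line shape, the ISO 8601 timestamps, the names `radius1` and `ap-lobby`, and the function `failed_login_alerts` are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed message shape: radiusd auth lines relayed by syslog with ISO 8601
# timestamps. Adjust the regex to the messages your server really emits.
# Text after "/" inside the brackets (possibly a logged password) is dropped.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ radiusd\[\d+\]: .*?Login incorrect.*?"
    r"\[(?P<user>[^\]/]*)[^\]]*\] \(from client (?P<client>\S+)"
)

# Constructed sample input, not taken from a real server.
SAMPLE = """\
2019-02-06T15:00:00+00:00 radius1 radiusd[812]: Auth: (1) Login incorrect (pap: password mismatch): [alice/<via Auth-Type = PAP>] (from client ap-lobby port 3)
2019-02-06T15:00:40+00:00 radius1 radiusd[812]: Auth: (2) Login incorrect (pap: password mismatch): [bob/<via Auth-Type = PAP>] (from client ap-lobby port 4)
2019-02-06T15:01:10+00:00 radius1 radiusd[812]: Auth: (3) Login incorrect (pap: password mismatch): [alice/<via Auth-Type = PAP>] (from client ap-lobby port 3)
2019-02-06T15:01:30+00:00 radius1 radiusd[812]: Auth: (4) Login OK: [carol/<via Auth-Type = PAP>] (from client ap-lobby port 5)
2019-02-06T15:02:05+00:00 radius1 radiusd[812]: Auth: (5) Login incorrect (pap: password mismatch): [alice/<via Auth-Type = PAP>] (from client ap-lobby port 3)
2019-02-06T15:03:00+00:00 radius1 radiusd[812]: Auth: (6) Login incorrect (pap: password mismatch): [alice/<via Auth-Type = PAP>] (from client ap-lobby port 3)
2019-02-06T15:09:30+00:00 radius1 radiusd[812]: Auth: (7) Login incorrect (pap: password mismatch): [alice/<via Auth-Type = PAP>] (from client ap-lobby port 3)
""".splitlines()

def failed_login_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (time, user, count) for each failure that pushes a user above
    `threshold` failures inside `window`. Lines must be in time order."""
    recent = defaultdict(deque)          # user -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:                        # not a failed-login message
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((ts, m["user"], len(q)))
    return alerts

if __name__ == "__main__":
    for ts, user, count in failed_login_alerts(SAMPLE):
        print(f"{ts.isoformat()} ALERT {user}: {count} failed logins in window")
```

Keying the window on the `client` group instead of `user` turns the same logic into a per-NAS alert.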

Re: Remotely monitoring server activity

Jorge Pereira
Btw, I don't know about your business. But sending it to an ElasticSearch
could be a great way to do analytics. Think about it.
--
Jorge Pereira

On Wed, Feb 6, 2019 at 2:45 PM Niels Tomey <[hidden email]> wrote:

>
> We're using graylog at work to interpret syslog messages. You can create
> alerts if for example more than x login attempts failed within a certain
> time frame and then get notified about it. You just need to define a grok
> pattern for it.
>
> You could also use process monitoring through SNMP to get an alert when
> something happens to the radius process itself.
>
> Regards,
>
> Niels
>
> On Thu, Feb 7, 2019, 00:35 Jorge Pereira <[hidden email]> wrote:
>
> > On Wed, Feb 6, 2019 at 12:45 PM R3DNano <[hidden email]> wrote:
> > >
> > > I'm trying to manage the global freeradius status from a remote location.
> > > The files under /var/log/radius/radacct are pretty detailed and have a
> > > lot of information about what is going on with the freeradius server.
> > > However, searching the old mailing list archives, I see there's a
> > > particular thread of someone asking how to send the radacct logs to a
> > > remote syslog being not a recommended practice.
> > >
> >
> > I did something similar using the syslog-ng with pattern-db
> >
> > https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.19/administration-guide/72#TOPIC-1094740
> >
> > > What's a practical way of having this information for further analysis
> > > outside of the freeradius server? Send it to an SQL database somehow
> > > perhaps?
> > >
> > > Also, about the logs sent to syslog (for further forwarding to a
> > > remote syslog server) - is there a way to customize what's being sent
> > > on those messages?
> > >
> > > Thanks.

Re: Remotely monitoring server activity

Selahattin Cilek
In reply to this post by R3DNano
"syslog-ng" has everything you need. By writing some script code, you
can do almost anything with logging data. You can write both to flat
files and SQL servers.

If you're running it on FreeBSD, note that the capability of writing to
SQL does not come out of the box if you install it using "pkg." To make
a custom install, you must install it from ports.

FreeRADIUS is not logging software. You must configure your system to
send all the logging data to your logging server.



On 6.02.2019 17:44, R3DNano wrote:

> I'm trying to manage the global freeradius status from a remote location.
> The files under /var/log/radius/radacct are pretty detailed and have a
> lot of information about what is going on with the freeradius server.
> However, searching the old mailing list archives, I see there's a
> particular thread of someone asking how to send the radacct logs to a
> remote syslog being not a recommended practice.
>
> What's a practical way of having this information for further analysis
> outside of the freeradius server? Send it to an SQL database somehow
> perhaps?
>
> Also, about the logs sent to syslog (for further forwarding to a
> remote syslog server) - is there a way to customize what's being sent
> on those messages?
>
> Thanks.

Re: Remotely monitoring server activity

R3DNano
In reply to this post by Alan DeKok-2
Ok, will give it a try.

Thank you.


On Wed, Feb 6, 2019 at 4:22 PM Alan DeKok <[hidden email]> wrote:

> On Feb 6, 2019, at 9:44 AM, R3DNano <[hidden email]> wrote:
> >
> > I'm trying to manage the global freeradius status from a remote location.
> > The files under /var/log/radius/radacct are pretty detailed and have a
> > lot of information about what is going on with the freeradius server.
> > However, searching the old mailing list archives, I see there's a
> > particular thread of someone asking how to send the radacct logs to a
> > remote syslog being not a recommended practice.
>
>   Why not?  It's fine.
>
> > What's a practical way of having this information for further analysis
> > outside of the freeradius server? Send it to an SQL database somehow
> > perhaps?
> >
> > Also, about the logs sent to syslog (for further forwarding to a
> > remote syslog server) - is there a way to customize what's being sent
> > on those messages?
>
>   No.  The server messages can't be customized.  There are literally
> hundreds of different messages.
>
>   If you need *additional* custom messages, see the "linelog" module.  It
> can do custom log messages to syslog.  You can then use "linelog" any place
> you want additional logging.
>
>   Alan DeKok.

Re: Remotely monitoring server activity

Alan Buxey
In reply to this post by Jorge Pereira
hi,

> Btw, I don't know about your business. But, send to an ElasticSearch
> could be a great way to do analytics. Think about it.

+1 for this.  lots of data getting pumped out, easier to search through it etc.

alan