configure log verbosity of freeradius

0

I installed freeradius 3.0.16 on Ubuntu (bionic) and it works fine. However, the logging in /var/log/freeradius.log is too verbose for my taste:

# cut -d: -f4 radius.log | sort | uniq -c
    609  Auth
     22  Error
    261  ERROR
   2262  Info
     51  Warning

I'd like to get rid of all those Info level entries. In fact, they are extremely repetitive and apparently flood the log simply because a single person runs around in the building with their iPhone in their pocket and the house wlan activated but they forgot to update the password:

ERROR: (2368) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
Auth: (2368)   Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [redactedusername] (from client redactedclient port 0 via TLS tunnel)
Info: (2369) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
Info: (2369) eap_peap:   to find out the reason why the user was rejected
Info: (2369) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
Info: (2369) eap_peap:   what went wrong, and how to fix the problem
Auth: (2369) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [redactedusername] (from client redactedclient port 1 cli 94-27-90-4B-B8-42)

And I could also live without other (but less frequent) Info messages such as

Info: Need 6 more connections to reach 10 spares

Q: Where do I configure the logging severity threshold (globally or perhaps only for the eap module) to not log Info messages?

The inline documentation in the config files seems to be silent on that issue. If I used syslog (log { destination = syslog }), I could filter the severity in the syslog configuration. But where do I do it when logging to file (log { destination = files })?

logging
freeradius

1 Answer

1

You can remove the "Login incorrect" messages by toggling auth_reject.

I believe in later versions the connection pool messages have been switched to debug messages, so you shouldn't see those if you upgrade to the latest v3.0.x release.

For the rest - In v3.0.x you don't have much control over global Info/Auth/Warning/Error messages. There shouldn't be that many of them, except unfortunately it appears some areas of the code are using overly verbose logging macros.

For the eap_peap messages it should be REDEBUG to indicate it's a request specific error instead of INFO or RINFO which indicates it's a global information message. Same with the "Program returned code" message. It should be REDEBUG not RERROR or ERROR. Feel free to submit a PR.

answered on Stack Overflow Oct 20, 2019 by Arran Cudbard-Bell • edited Oct 20, 2019 by Arran Cudbard-Bell
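
Given the limited control over file logging that the answer describes, one option is to post-process radius.log: drop the Info lines and collapse repeated rejects into one count per user and client, so the failure signal survives without the flood. This is an added example, not part of the original question or answer; it assumes the "<timestamp> : <Level>: <message>" layout implied by the question's cut command, and the timestamps, user alice and client ap-lobby in the sample are constructed.

```python
import re
from collections import Counter

# Assumed layout: "<timestamp> : <Level>: <message>" (the level is the 4th
# ':'-separated field, matching the cut command in the question).
LINE = re.compile(r"^(?P<ts>.+?\d{4}) : (?P<level>\w+): (?P<msg>.*)$")
# Auth reject: "Login incorrect (<reason>): [<user>] (from client <name> ..."
REJECT = re.compile(
    r"Login incorrect.*: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+)")

# Constructed sample; message texts follow the excerpts in the question.
SAMPLE = [
    "Sun Oct 20 10:15:01 2019 : ERROR: (2368) mschap: ERROR: Program returned code (1) and output 'x'",
    "Sun Oct 20 10:15:01 2019 : Auth: (2368)   Login incorrect (mschap: Program returned code (1) "
    "and output 'x'): [alice] (from client ap-lobby port 0 via TLS tunnel)",
    "Sun Oct 20 10:15:02 2019 : Info: (2369) eap_peap:   This means you need to read the PREVIOUS messages",
    "Sun Oct 20 10:15:02 2019 : Auth: (2369) Login incorrect (eap_peap: The users session was previously "
    "rejected: returning reject (again.)): [alice] (from client ap-lobby port 1 cli 94-27-90-4B-B8-42)",
    "Sun Oct 20 10:15:03 2019 : Info: Need 6 more connections to reach 10 spares",
    "Sun Oct 20 10:15:04 2019 : Warning: constructed warning line",
]

def summarize(lines, drop=("Info",)):
    """Return (kept_lines, reject_counts keyed by (user, client))."""
    kept, rejects = [], Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE.match(line)
        if not m:
            kept.append(line)        # never discard lines we cannot parse
            continue
        if m["level"] in drop:
            continue                 # exact match: "Error"/"ERROR" are kept
        hit = REJECT.search(m["msg"]) if m["level"] == "Auth" else None
        if hit:
            rejects[(hit["user"], hit["client"])] += 1
            continue                 # collapsed into the per-user summary
        kept.append(line)
    return kept, rejects

if __name__ == "__main__":
    kept, rejects = summarize(SAMPLE)
    print("\n".join(kept))
    for (user, client), n in rejects.most_common():
        print(f"{n} rejected logins: user={user} client={client}")
```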

User contributions licensed under CC BY-SA 3.0