I installed freeradius 3.0.16 on Ubuntu (bionic) and it works fine.
However, the logging in /var/log/freeradius.log is too verbose for my taste:
# cut -d: -f4 radius.log | sort | uniq -c
609 Auth
22 Error
261 ERROR
2262 Info
51 Warning
I'd like to get rid of all those Info level entries. In fact, they are extremely repetitive and apparently flood the log simply because a single person runs around in the building with their iPhone in their pocket and the house wlan activated but they forgot to update the password:
ERROR: (2368) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
Auth: (2368) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [redactedusername] (from client redactedclient port 0 via TLS tunnel)
Info: (2369) eap_peap: This means you need to read the PREVIOUS messages in the debug output
Info: (2369) eap_peap: to find out the reason why the user was rejected
Info: (2369) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
Info: (2369) eap_peap: what went wrong, and how to fix the problem
Auth: (2369) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [redactedusername] (from client redactedclient port 1 cli 94-27-90-4B-B8-42)
And I could also live without other (but less frequent) Info messages such as
Info: Need 6 more connections to reach 10 spares
Q: Where do I configure the logging severity threshold (globally or perhaps only for the eap module) to not log Info messages?
The inline documentation in the config files seems to be silent on that issue. If I used syslog (log { destination = syslog }), I could filter the severity in the syslog configuration. But where do I do it when logging to file (log { destination = files })?
You can remove the "Login incorrect" messages by toggling auth_reject.
I believe in later versions the connection pool messages have been switched to debug messages, so you shouldn't see those, if you upgrade to the latest v3.0.x release.
For the rest - In v3.0.x you don't have much control over global Info/Auth/Warning/Error messages. There shouldn't be that many of them, except unfortunately it appears some areas of the code are using overly verbose logging macros.
For the eap_peap messages it should be REDEBUG to indicate it's a request specific error instead of INFO or RINFO which indicates it's a global information message. Same with the "Program returned code" message. It should be REDEBUG not RERROR or ERROR. Feel free to submit a PR.
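Since v3.0.x offers no severity threshold for file logging, one workaround is to filter the file after the fact while keeping the Auth and error lines and counting rejects per user. This is an added example, not part of the answer above or of FreeRADIUS; it assumes the file log layout `<timestamp> : <Level>: <message>` (consistent with the `cut -d: -f4` in the question), and the sample lines, user name and client name are constructed.

```python
import re
import sys
from collections import Counter

# Assumed layout of a file-destination log line:
#   "<ctime-style timestamp> : <Level>: <message>"
LINE_RE = re.compile(
    r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : (?P<level>\w+): (?P<msg>.*)$"
)
# The user name appears in square brackets after the "Login incorrect (...)" reason.
REJECT_RE = re.compile(r"Login incorrect \(.*\): \[(?P<user>[^\]]*)\]")


def filter_log(lines, drop_levels=("Info",)):
    """Drop lines at the given levels; return (kept lines, level counts, rejects per user)."""
    kept, levels, rejects = [], Counter(), Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m is None:
            kept.append(line)  # unparseable line: keep it rather than lose data
            continue
        levels[m["level"]] += 1
        if m["level"] in drop_levels:
            continue
        if m["level"] == "Auth":
            r = REJECT_RE.search(m["msg"])
            if r:
                rejects[r["user"]] += 1  # repeated failures for one account stand out here
        kept.append(line)
    return kept, levels, rejects


# Constructed sample lines modelled on the messages quoted in the question.
SAMPLE = [
    "Tue Jun  4 10:15:01 2019 : ERROR: (2368) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid.'",
    "Tue Jun  4 10:15:01 2019 : Auth: (2368) Login incorrect (mschap: Program returned code (1)): [alice] (from client ap1 port 0 via TLS tunnel)",
    "Tue Jun  4 10:15:02 2019 : Info: (2369) eap_peap: This means you need to read the PREVIOUS messages in the debug output",
    "Tue Jun  4 10:15:02 2019 : Auth: (2369) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [alice] (from client ap1 port 1 cli 00-00-5E-00-53-01)",
    "Tue Jun  4 10:15:09 2019 : Info: Need 6 more connections to reach 10 spares",
]

if __name__ == "__main__":
    # Reads the log from stdin when piped, otherwise runs on the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    kept, levels, rejects = filter_log(source)
    print("\n".join(kept))
    print(dict(levels), dict(rejects), file=sys.stderr)
```

Filtering a copy this way leaves the original file intact, so the dropped Info lines remain available if an incident later needs them.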
User contributions licensed under CC BY-SA 3.0