[RADIATOR] ServerTACACSPLUS logging improvements

Hartmaier Alexander alexander.hartmaier at t-systems.at
Tue May 31 04:57:17 CDT 2016



On 2016-05-30 11:31, Heikki Vatiainen wrote:
> On 27.5.2016 16.04, Hartmaier Alexander wrote:
>
>> The log messages emitted by ServerTACACSPLUS sadly lack all the standard
>> Radius attributes like Handler:Identifier, User-Name, Client-Identifier etc.
>> Is there a way to improve this situation?
> We can, and have already thought about, adding $p (the current request
> object, or sometimes $rp, the reply object) to a number of log messages
> that happen within message context. That is, where $p or $rp is available.
>
> The request/reply object should provide more information about handlers,
> clients, etc.
That would be great!
>
>> The log messages in question are:
>> - Could not get peer name on TacacsplusConnection socket: Transport
>> endpoint is not connected
> Hmm, that's happening very early within server tacacsplus, so there's
> no request, client, etc. available yet. Improvements here may be
> small, if any.
Then please at least add more information to the error message itself so
that at least the misbehaving client can be identified.
>
>> - Authorization permitted for $USERNAME at $IPADDR, group $GROUPNAME,
>> args service=shell cmd*
> Should be possible, not completely sure yet though.
Access to $p and $rp would solve the problem here as well I guess.
>
>> But there are also non-ServerTACACSPLUS messages that don't include
>> those infos where it would be nice to know which Handler/AuthBy
>> triggered them (those come from an AuthBy LDAP2, but which one?):
>> - Connecting to 1.2.3.4:636 1.2.3.5:636
>> - Connected to 1.2.3.4:636
>> - Attempting to bind to LDAP server 1.2.3.4:636
> These should be possible. Sometimes, for example with ClientList LDAP,
> the functions that log these are not called within message context. In
> other words, depending on the log caller, the call may or may not
> include the request that provides Client etc. information.
>
> I'll notify via this list when I have more information about these
>
> Thanks,
> Heikki
>
Thank you very much Heikki!!!

