[RADIATOR] Best way to log timeout requests

Heikki Vatiainen hvn at open.com.au
Thu Jun 15 16:10:24 UTC 2023 

On 9.6.2023 0.45, Dubravko Penezic via radiator wrote:

> How to log timeouted requests on RADIATOR when RADIATOR act like proxy 
> server  ?

That's a good question. Here's one solution I came up with:

Start by defining a logger as usual, but ensure it also logs IGNORE result.

# %T is Access-Request, Accounting-Request, etc.
<AuthLog FILE>
         Identifier radius-authlog
         Filename %L/radius-authlog
         LogSuccess
         LogFailure
         LogIgnore
         SuccessFormat %l:%U:%1:OK
         FailureFormat %l:%U:%1:FAIL
         IgnoreFormat %l:%U:%T:%1:IGNORE
</AuthLog>

Within AuthBy RADIUS define a NoReplyHook:

# The 1st argument is the request that Radiator received
# The 2nd argument is the request that Radiator forwarded
# without receiving a reply.
NoReplyHook sub { my $p = ${$_[0]}; \
#     return unless $p->code() eq 'Access-Request'; \
      my $al = Radius::AuthLogGeneric::find('radius-authlog'); \
      $al->authlog($main::IGNORE, 'Timed out', $p) if $al; \
      main::log($main::LOG_ERR, 'NoReplyHook: did not find logger') 
unless $al; }

The above logs all timeouts, including Accounting-Request timeouts, 
using the file authlogger. If you want just Access-Request to be logged, 
remove the comment.

> Basically log is written once request have final state, or state is set 
> by handler, but timeouted request dosnt have finale state.

Correct, that's the reason. But it's ok to get a handle to an 
authentication logger and call it as above.

> It is "big" issue when you try to "debug" some authentication across of 
> RADIUS hierarchy and a lot of proxy server on a path is RADIATOR instance.

A message about timed out request is logged with INFO level but it goes 
to the process logfile. The above should help putting all the results in 
the same file.

> For example FreeRADIUS write FAIL in log if request is timeout.

You can also log with FAIL, but I used IGNORE and a specific reason so 
that it's easier to see which messages timed out.

Note that you can also set up an <AuthLog ...> and use it only to call 
from NoReplyHook. This allows you to have a separate log file just for 
the timed out requests.

Thanks,
Heikki

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

More information about the radiator mailing list