3.107. <AuthLog SYSLOG>

This clause logs authentication successes and failures to the syslog logging facility. You can define as many <AuthLog SYSLOG> clauses as you wish at the top level or within Realm or Handler clauses. Each clause can specify different logging conditions and a different log database. This module was contributed by Carlos Canau (Carlos.Canau@KPNQwest.pt).
<AuthLog SYSLOG> also understands the same parameters as all AuthLogs. For more information, see Section 3.104. <AuthLog xxxxxx>.

3.107.1. Facility

The name of the syslog facility that will be logged to. The default is user.
# Log to the syslog facility called 'auth'
Facility auth

3.107.2. Priority

The syslog priority level that will be used for each log message. Default is info.
# Increase this logger priority to 'notice'
Priority notice

3.107.3. SuccessFormat

This optional parameter specifies the format that is to be used to log authentication successes in Filename when LogFormatHook is not defined. You can use any of the special characters. For more information about special characters, see Section 3.3. Special formatters. %0 is replaced by the message severity level, %1 by the reason string (usually an empty string for success), and %2 by the tracing identifier. The default is %l:%U:%P:OK. This logs the time stamp in long format, the current User-Name, the decoded password and the text OK.
CAUTION
The default SuccessFormat logs the plaintext password entered by the user. Some organisations prefer that user passwords are not logged. In that case, a SuccessFormat that does not include the %P (decoded password) special character is preferable.

3.107.4. FailureFormat

This optional parameter specifies the format that is to be used to log authentication failures in Filename when LogFormatHook is not defined. You can use any of the special characters defined. For more information about special characters, see Section 3.3. Special formatters. In addition, %0 is replaced by the message severity level, %1 by the reason string and %2 by the tracing identifier. The default value is %l:%U:%P:FAIL. This logs the time stamp in long format, the current User-Name, the decoded password and the text FAIL.
CAUTION
The default FailureFormat logs the plaintext password entered by the user. Some organisations prefer that user passwords are not logged. In that case, a FailureFormat that does not include the %P (decoded password) special character is preferable.

3.107.5. IgnoreFormat

This optional parameter specifies the format that is to be used to log ignored authentication requests in Filename when LogFormatHook is not defined. You can use any of the special characters defined. For more information about special characters, see Section 3.3. Special formatters. In addition, %0 is replaced by the message severity level, %1 by the reason string and %2 by the tracing identifier. The default value is %l:%U:%P:IGNORE. This logs the time stamp in long format, the current User-Name, the decoded password and the text IGNORE.
CAUTION
The default IgnoreFormat logs the plaintext password entered by the user. Some organisations prefer that user passwords are not logged. In that case, an IgnoreFormat that does not include the %P (decoded password) special character is preferable.

3.107.6. LogSock

This optional parameter specifies what type of socket to use to connect to the syslog server. The possible values are:
  • native
  • eventlog
  • unix
  • inet
    This means that TCP is tried first, then UDP.
  • tcp
  • udp
  • stream
  • pipe
  • console
The default is to use the Sys::Syslog default of native, tcp, udp, unix, pipe, stream, console.
CAUTION
Due to limitations in the Sys::Syslog Perl module, if you have multiple <AuthLog SYSLOG>, <AcctLog SYSLOG> or <Log SYSLOG> clauses and if any one has LogSock defined, all of them must have LogSock defined.
Note
If you use TCP, we recommend that you define both LogHost and LogPort. If you have not defined LogPort and you see the error "TCP service unavailable", this means Sys::Syslog is unable to find the destination port. To resolve this, either use LogPort to define the port or add syslog/tcp or syslogng/tcp definitions to the /etc/services file. For more information about LogPort, see Section 3.26.10. LogPort.
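Two of the CAUTION notes above can be checked mechanically before a configuration is deployed: AuthLog formats that are left at their default or that contain %P log plaintext passwords, and LogSock must be defined in every SYSLOG clause if it is defined in any. The following Python check is an added example, not part of Radiator or its documentation; the function names and the sample configuration are constructed for illustration, and it assumes clauses are closed with tags such as </AuthLog>.

```python
import re

FORMAT_PARAMS = ("SuccessFormat", "FailureFormat", "IgnoreFormat")  # defaults log %P
OPEN_RE = re.compile(r"^<(AuthLog|AcctLog|Log)\s+SYSLOG>$")

def parse_syslog_clauses(text):
    """Return (kind, line_no, params) for every SYSLOG clause in a config."""
    clauses, cur = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := OPEN_RE.match(line):
            cur = (m.group(1), no, {})
        elif cur and line == f"</{cur[0]}>":  # assumed closing-tag form
            clauses.append(cur)
            cur = None
        elif cur and line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            cur[2][name] = rest[0] if rest else ""
    return clauses

def audit(text):
    """Flag password-logging formats and inconsistent LogSock usage."""
    clauses, findings = parse_syslog_clauses(text), []
    for kind, no, params in clauses:
        if kind != "AuthLog" or "LogFormatHook" in params:  # formats not used
            continue
        for p in FORMAT_PARAMS:
            if p not in params:
                findings.append((no, f"{p} unset, default logs %P"))
            elif "%P" in params[p]:
                findings.append((no, f"{p} contains %P"))
    if any("LogSock" in c[2] for c in clauses):
        findings += [(no, f"<{kind} SYSLOG> lacks LogSock, another clause sets it")
                     for kind, no, params in clauses if "LogSock" not in params]
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
<Log SYSLOG>
    Facility local1
</Log>
<AuthLog SYSLOG>
    LogSock udp
    SuccessFormat %l:%U:OK
    FailureFormat %l:%U:%P:FAIL
</AuthLog>
"""
for line_no, message in audit(SAMPLE):
    print(f"line {line_no}: {message}")
```

Each finding carries the line number of the clause's opening tag, so the output can be used directly in a configuration review.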

3.107.7. LogPath

When LogSock is set to unix, stream or pipe, this optional parameter specifies the syslog path. Defaults to the _PATH_LOG macro (if your system defines it).
LogPath /run/mysyslog/log.sock

3.107.8. LogHost

When LogSock is set to tcp, udp or inet, this optional parameter specifies the name or address of the syslog host. Defaults to the local host. Special formatters are supported. For more information, see Section 3.3. Special formatters.
Note
The LogHost parameter is passed directly to Perl's Sys::Syslog module, which will likely do a DNS query for each logged message. This can cause performance problems and a high number of DNS requests with verbose log levels. We recommend leaving LogSock unset and letting the local syslog do remote logging.
Note
Sys::Syslog does not support IPv6. To log over IPv6, leave LogSock unset and let the local syslog do remote logging over IPv6.
# Log to a remote host via syslog over udp:
LogSock udp
LogHost your.syslog.host.com

3.107.9. LogOpt

This optional parameter allows control over the syslog options passed to Sys::Syslog::openlog. LogOpt is a comma-separated list of words from the set:
  • cons
  • ndelay
  • nofatal
  • nowait
  • perror
  • pid
These options are described in the Perl Sys::Syslog documentation.
Defaults to pid. Special characters are supported.
LogOpt pid,perror

3.107.10. LogIdent

This optional string parameter specifies an alternative ident name that Sys::Syslog prepends to every syslog message. Defaults to the executable name used to run radiusd. Special formatters are supported. For more information, see Section 3.3. Special formatters.
# Also log server farm instance number
LogIdent %h-%O

3.107.11. LogPort

This optional parameter specifies an alternative TCP or UDP destination port on the syslog host. There is no default, which means Sys::Syslog chooses the port. Here is an example of using LogPort:
LogPort 5514
CAUTION
This parameter requires Sys::Syslog 0.28 or later.

3.107.12. MaxMessageLength

This optional parameter specifies a maximum message length (in characters) for each message to be logged. If specified, each log message is truncated to the specified number of characters prior to logging. Defaults to 0, which means no truncation.