HP-UX AAA Server A.07.00 Administrator's Guide: HP-UX 11i v1, 11i v2, and 11i v3 > Chapter 12 Logging and Monitoring

Accounting Log Files


The Local Authorization Server (LAS) generates accounting log files when the LAS_ACCT module is called by the Finite State Machine. Those files have names in the format session.yyyy-mm-dd.log, where yyyy is the year, mm the month, dd the day when the file was generated.

NOTE: If the logfile exceeds its size limit (as configured in the File Size Property in the Server Properties link), a new logfile for that day will be created and identified by a part<01-09> portion of the logfile file name string. For example, /var/opt/aaa/acct/session.yyyy-mm-dd_part<01-09>.log

By default, the radius.fsm (logall.fsm) state table calls the LAS_ACCT module when the server receives an Accounting-Request to start or stop the session.

Using Server Manager to Retrieve Accounting Logfiles

From the navigation tree, click Accounting to retrieve information from the HP-UX AAA Server accounting logfiles.

Figure 12-4 Accounting Logfile Search Screen in Server Manager


Table 12-3 Accounting Logfile Search Parameters

Option    Description
Begin     The date and time of the first record in the range of data to retrieve.
End       The date and time of the last record in the range of data to retrieve.
User      Only searches for sessions that used the specified ID.

An accounting search returns a list of users. When you select a user to retrieve information for, Server Manager parses the corresponding accounting records and displays the information in the Accounting: Detailed Records screen similar to the example shown in Figure 12-5 “Detailed Accounting Record for a Selected User”.

Figure 12-5 Detailed Accounting Record for a Selected User


Format of Accounting Records in the Default Merit Style

RADIUS accounting records store both the user's account information and the user's historical session information. Each record begins with a tab-delimited line of values that represent the default HP-UX AAA Server session information. This information includes time-based values, as well as HP-UX-specific and standard RADIUS A-V pairs. If a value does not exist, N/A will appear in the value's placeholder.

The first line of a record appears as:

Started-at  Reason  Log-time  resrvd  Connect-time  Access-ID  resrvd
Session Token Time-limit From Service-class Filter Service-type

After the first line of a session record, each A-V pair in the accounting message that triggered the logging activity is listed.

NOTE: The default session format (Merit) corresponds to the log_v2_0 setting for the aatv parameter in the log.config file; refer to “The log.config File”. Alternate formats, Livingston for example, may be specified.

Time-Based Values

Started at:

This is the time when the session first arrived at the RADIUS server. It is the number of seconds since 00:00:00 GMT, Jan. 1, 1970.

Log-time:

This is the difference between the start-time and the time at which this log was written, as measured on the machine that wrote it. This field is used to compress the data.

Connect time:

How long (in seconds) the session was known to the local AAA Server host.

Client A-V Pairs

Represent attribute values that describe the client used for authentication and authorization.

User Entry A-V Pairs

The Access-ID, Time-limit, Service-class, and Filter values correspond to A-V pairs (User-Name, Huntgroup-Name, Session-Timeout, Service-Class, and Filter-Id) that exist in the user profile that corresponds to the session record.

Session Tracking

These non-configurable attributes are used by the server to track sessions.

Reason:

Why the record was generated. This is an integer that may be any one of the following:

Table 12-4 Reasons Why The Record Was Generated

Reason          Integer  Billed/Info  Description
AC_NORMAL       0        Billed       Normal disconnect: Modem-Stop record was received for this session.
AC_REJECT       1        Info         Rejected by this LAS: Access rejected by this LAS.
AC_CANCEL       2        Info         Access rejected by someone: Access was rejected after session was authorized. Modem-Cancel record was received for this session.
AC_OVERTIME     4        Billed       Session over maximum time allowed: Session was on for longer than was authorized.
AC_UNKNOWN      5        Billed       Session ended for unknown reason: Stop (instead of Modem-Stop) record was received for this session.
AC_NOTOKEN      6        Info         Rejected by LAS: no token was available for this session.
AC_NOTLOCAL     7        Billed       Session not local: This session was not local to this LAS, but Modem-Stop was received.
AC_SUSPEND      8        Billed       Session suspended: No checkpoint was received for this session for SESSIONIDLETIME seconds.
AC_FAILED       9        Info         Authentication failed.
AC_AUTHORIZED   10       Info         Session authorized: This record is intended for statistics only.
AC_NASREBOOT    11       Info         The session is released due to NAS reboot.
AC_REMOTE       12       Info         The session is for a remote server, failed to forward.
AC_DUPLICATE    13       Info         Duplicate accounting record received: This record is intended for statistics only.
AC_COLLISION    14       Billed       The session is released due to a NAS and port collision.

Session:

Session identifier, an arbitrary string with a maximum length of eight. The algorithm used to generate a session identifier is as follows: the first four characters are the least significant four hexadecimal digits from the time when the session first arrived at the access server; the last four characters represent an internal counter in the access server, displayed in hexadecimal notation.

NOTE: The session identifier is stored in the RADIUS Class attribute and used internally by the HP-UX AAA Server.
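The first-line layout, the reason table and the session identifier scheme described above can be combined into a small parser for audit or billing review. This is an added example, not code from HP or from the HP-UX AAA Server; the sample line is constructed, and it assumes Log-time is in seconds and that the arrival time encoded in the session identifier is the Started-at value.

```python
from datetime import datetime, timezone

# Field order from the first-line layout above; the two "resrvd" columns are
# numbered here only so the dictionary keys stay unique.
FIELDS = ["Started-at", "Reason", "Log-time", "resrvd1", "Connect-time",
          "Access-ID", "resrvd2", "Session", "Token", "Time-limit", "From",
          "Service-class", "Filter", "Service-type"]

# Table 12-4: integer -> (name, True if Billed / False if Info)
REASONS = {
    0: ("AC_NORMAL", True), 1: ("AC_REJECT", False), 2: ("AC_CANCEL", False),
    4: ("AC_OVERTIME", True), 5: ("AC_UNKNOWN", True), 6: ("AC_NOTOKEN", False),
    7: ("AC_NOTLOCAL", True), 8: ("AC_SUSPEND", True), 9: ("AC_FAILED", False),
    10: ("AC_AUTHORIZED", False), 11: ("AC_NASREBOOT", False),
    12: ("AC_REMOTE", False), 13: ("AC_DUPLICATE", False),
    14: ("AC_COLLISION", True),
}

# Constructed sample line (not taken from a real server).
SAMPLE = "\t".join(["1200000000", "0", "125", "N/A", "120", "alice", "N/A",
                    "8c00001a", "N/A", "3600", "N/A", "N/A", "N/A", "N/A"])


def parse_first_line(line):
    values = line.rstrip("\r\n").split("\t")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = {k: (None if v == "N/A" else v) for k, v in zip(FIELDS, values)}
    started = int(rec["Started-at"])
    rec["reason_name"], rec["billed"] = REASONS.get(
        int(rec["Reason"]), ("UNLISTED", None))
    rec["started_utc"] = datetime.fromtimestamp(started, tz=timezone.utc)
    # Assumption: Log-time is an offset in seconds from Started-at.
    rec["logged_utc"] = datetime.fromtimestamp(
        started + int(rec["Log-time"]), tz=timezone.utc)
    sid = rec["Session"] or ""
    try:
        # First four hex digits: low 16 bits of the arrival time;
        # last four: the server's internal counter.
        time_low, counter = int(sid[:4], 16), int(sid[4:8], 16)
    except ValueError:
        time_low = counter = None   # identifier is not in the documented form
    rec["session_counter"] = counter
    # Assumption: the arrival time encoded in Session is Started-at.
    rec["session_matches_start"] = (
        time_low is not None and time_low == (started & 0xFFFF))
    return rec
```

A record whose session_matches_start is False, or whose reason_name is UNLISTED, is worth a manual look before it is used for billing or as evidence.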

Writing Livingston CDR Accounting Records

It is not possible to make these changes through the Server Manager graphic interface; you must modify configuration files with a text editor.

  1. Open the log.config configuration file (found in /etc/opt/aaa by default).

  2. Locate the following lines, which should be found at the beginning of the file:

    # Default logging configuration if there is no log.config file.
    #
    stream *default* {
    aatv log_v2_0
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
    }
    end
  3. Change aatv log_v2_0 to aatv log_acct.

  4. Save and close the file.

  5. Restart the server if it is currently running.

Livingston CDR Session Record Format

Each record of a user’s session begins with Date and Time and a list of Attribute-Value pairs, one below the other. This information includes time-based values as well as specific and standard RADIUS A-V pairs.

Date and time             
User-Name = <>
NAS-IP-Address = <>
NAS-Port = <>
Class = <>
Acct-Status-Type = <>
User-Identifier = <>
NAS-Identifier = <>
Date-Time = <>
Time-Of-Day = <>
Day-Of-Week = <>
User-Realm = <>
LAS-Start-Time = <>
LAS-Code = <>
LAS-Duration = <>

The above session record will also include any additional A-V pairs that were included in an Accounting-Request message. The attribute-value pairs displayed above may differ depending on the server configuration.

NOTE: Merit is the default logging format.

Changing the Accounting Log Filename

  1. Open the log.config configuration file (found in /etc/opt/aaa by default).

  2. Locate the following lines, which should be found at the beginning of the file:

    # Default logging configuration if there is no log.config file.
    #
    stream *default* {
    aatv log_v2_0
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
    }
    end
  3. Change session.%Y-%m-%d.log to the filename syntax you wish to use.

  4. Save and close the file.

  5. Restart the server if it is currently running.

Changing the Accounting Log Rollover Interval

The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval, follow the steps in “Changing the Accounting Log Filename”. The logging interval will change to the smallest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H will change the rollover interval to hourly.
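Because the rollover interval follows from the filename pattern, the set of accounting files that should cover a given time window can be computed and compared with what is actually in the log directory. The following is an added example, not part of the HP documentation; it assumes the pattern is expanded with strftime semantics and that the _part01 to _part09 size-limit suffix described earlier is inserted before the extension. The function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# strftime directives ordered coarse -> fine; the finest one present in the
# filename pattern sets the rollover interval.
DIRECTIVES = [("%Y", "year"), ("%m", "month"), ("%d", "day"),
              ("%H", "hour"), ("%M", "minute")]
STEP = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1)}


def rollover_unit(pattern):
    unit = None
    for directive, name in DIRECTIVES:
        if directive in pattern:
            unit = name
    return unit


def expected_files(pattern, start, end):
    """Distinct filenames, in order, that cover start..end inclusive."""
    unit = rollover_unit(pattern)
    if unit is None:
        return [pattern]                      # no timestamp: a single file
    step = STEP.get(unit, timedelta(days=1))  # day/month/year: walk by day
    t = start.replace(second=0, microsecond=0)
    if unit != "minute":
        t = t.replace(minute=0)
    if unit not in ("minute", "hour"):
        t = t.replace(hour=0)
    names = []
    while t <= end:
        name = t.strftime(pattern)
        if not names or names[-1] != name:
            names.append(name)
        t += step
    return names


def missing_files(pattern, start, end, present):
    # A size-limit split adds "_part01".."_part09"; fold those onto the
    # base name so a split period still counts as covered.
    have = {re.sub(r"_part0[1-9]", "", n) for n in present}
    return [n for n in expected_files(pattern, start, end) if n not in have]
```

A name returned by missing_files is a candidate for review, not proof of tampering: a period may simply have had no accounting traffic.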

Rolling Over the Log File and Accounting Stream

You can roll over the server log file and accounting stream using the radsignal command as follows:

radsignal [-h] [-v] [[-di ipcdir] pid level ] [[-di ipcdir] pid roll logfile ] [[-di ipcdir] pid roll stream [stream-name]]

Where:

pid

The process ID of radiusd. This can be determined with the command:
% ps -eaf | grep radiusd

level

One of the following debug levels to set:
0  Debug logging disabled.
1  Minimal information.
2  Level 1 information, high-level FSM output and some function tracing.
3  Level 2 information and complete function tracing.
4  Level 3 information along with low-level FSM and configuration file output.

roll

Immediately roll the log file or an accounting stream. This should be used along with the keywords logfile or stream.

logfile

The AAA Server log file.

stream stream-name

The AAA server accounting stream. If stream-name is not specified then the default stream ( *default* ) will be used. This should be used along with the keyword roll.

radsignal has the following options:

-h

Displays a help message.

-v

Displays version information.

-di ipcdir

The directory where the radiusd shared memory files are located. If omitted, the default is /var/opt/aaa/ipc.

See the radsignal manpage for more information.

© Hewlett-Packard Development Company, L.P.