Accounting Log Files

The Local Authorization Server (LAS) generates accounting log files when the LAS_ACCT module is called by the Finite State Machine. Those files have names in the format session.yyyy-mm-dd.log, where yyyy is the year, mm the month, dd the day when the file was generated. By default, the radius.fsm (logall.fsm) state table calls the LAS_ACCT module when the server receives an Accounting-Request to start or stop the session. If only stop sessions need to be logged, then use logstop.fsm as AAA Server radius.fsm file. logall.fsm and logstop.fsm are located at /opt/aaa/examples/config.

Using Server Manager to Retrieve Accounting Logfiles

Selecting the Accounting link in Server Manager's Navigation Tree allows you to retrieve information from the AAA server accounting logfiles.

Figure 7-5 Accounting Logfile Search Screen in Server Manager

Table 7-4 Accounting Logfile Search Parameters

Option	Description
Begin	The date and time of the record to begin retrieving data from.
End	The date and time of the last record to retrieve data from.
User	Only searches for sessions that used the specified ID.

An accounting search returns a list of users. When you select a user to retrieve information for, Server Manager parses the corresponding accounting records and displays the information in the Accounting: Detailed Records screen similar to the following example:

Figure 7-6 Detailed Accounting Record for a Selected User

Format of Accounting Records in the Default Merit Style

RADIUS accounting records store both the users account information and the users historical session information. Each record begins with a tab-delimited line of values that represent the default RAD-Series session information. This information includes time-based values, as well as Interlink-specific and standard RADIUS A-V pairs. If a value does not exist, N/A will appear in the values placeholder.

The first line of a record appears as:

Started-at  Reason  Log-time  resrvd  Connect-time  Access-ID  resrvd
   Session   Token  Time-limit From  Service-class Filter Service-type

After the first line of a session record, each A-V pair in the accounting message that triggered the logging activity is listed.




	NOTE: The default session format corresponds to the `log_v2_0` setting for the `aatv` parameter in the `log.config` file, refer to “log.config ”. Alternate formats, Livingston for example, may be specified.

Time-Based Values

Started at:: This is the time when the session first arrived at the RADIUS server. It is the number of seconds since 00:00:00 GMT, Jan. 1, 1970.
Log-time:: This is the difference between the time on the machine where and when this log was written, and the start-time. This field is used to compress the data.
Connect time:: How long (in seconds) the session was known to the local Interlink Networks AAA Server host.

Client A-V Pairs

From represent attribute values that describe the client used for authentication and authorization.

User Entry A-V Pairs

The Access-ID, Time-limit, Service-class, and Filter values correspond to A-V pairs (User-Name, Huntgroup-Name, Session-Timeout, Service-Class, and Filter-Id) that exist in the user profile that corresponds to the session record.

Session Tracking

These non-configurable attributes are used by the server to track sessions.

Reason:: Why the record was generated. This is an integer that may be any one of the following:

Table 7-5 Reasons Why The Record Was Generated

Reason			Description
AC_NORMAL	0	Billed	Normal disconnect: Modem-Stop record was received for this session.
AC_REJECT	1	Info	Rejected by this LAS: Access rejected by this LAS.
AC_CANCEL	2	Info	Access rejected by someone: Access was rejected after session was authorized. Modem-Cancel record was received for this session.
AC_OVERTIME	4	Billed	Session over maximum time allowed: Session was on for longer than was authorized.
AC_UNKNOWN	5	Billed	Session ended for unknown reason: Stop (instead of Modem-Stop) record was received for this session.
AC_NOTOKEN	6	Info	Rejected by LAS: no token was available for this session.
AC_NOTLOCAL	7	Billed	Session not local: This session was not local to this LAS, but Modem-Stop was received.
AC_SUSPEND	8	Billed	Session suspended: No checkpoint was received for this session for SESSIONIDLETIME seconds.
AC_FAILED	9	Info	Authentication failed.
AC_AUTHORIZED	10	Info	Session authorized: This record is intended for statistics only.
AC_NASREBOOT	11	Info	The session is released due to NAS reboot.
AC_REMOTE	12	Info	The session is for a remote server, failed to forward.
AC_DUPLICATE	13	Info	Duplicate accounting record received: This record is intended for statistics only.
AC_COLLISION	14	Billed	The session is released due to a NAS and port collision.

Session:

Session identifier, an arbitrary string with a maximum length of eight. The algorithm used to generate a session identifier. The first four characters are the least significant four hexadecimal digits from the time when the session first arrived at the access server. the last four characters represent an internal counter, displayed in hexadecimal notation, in the access server.




	NOTE: The session identifier is stored in the RADIUS Class attribute and used internally by the AAA server.

Writing Livingston CDR Accounting Records

It is not possible to make these changes through the Server Manager graphic interface, you must modify configuration files with a text editor.




	NOTE: When you change to the Livingston CDR format, logs will be stored in an alternate directory (/var/opt/aaa/radacct by default) location.

Open the log.config configuration file (found in /etc/opt/aaa by default).

Locate the following lines, which should be found at the beginning of the file:

# Default logging configuration if there is no log.config file.
#
stream        default     {
    aatv      log_v2_0
    buffer    1
    close     on
    filename  session.%Y-%m-%d.log
    update    900
    wrap      3 
}
end

Change aatv log_v2_0 to aatv log_acct.
Save and close the file.
Restart the server if it is currently running.

Livingston CDR Session Record Format

Each record of a user's session begins with Date and Time and a list of Attribute-Value pairs, one below the other. This information includes time-based values as well as specific and standard RADIUS A-V pairs.

Date and time             
        User-Name = <>
        NAS-IP-Address = <>
        NAS-Port = <>
        Class = <>
        Acct-Status-Type = <>
        User-Identifier = <>
        NAS-Identifier = <>
        Date-Time = <>
        Time-Of-Day = <>
        Day-Of-Week = <>
        User-Realm = <>
        LAS-Start-Time = <>
        LAS-Code = <>
        LAS-Duration = <>

The above session record will also include any additional A-V pairs that were included in an Accounting-Request message. The attribute value pair displayed above may differ depending on the server configuration.




	NOTE: Merit is the default logging format.

Changing the Accounting Log Filename

Open the log.config configuration file (found in /etc/opt/aaa by default).

Locate the following lines, which should be found at the beginning of the file:

# Default logging configuration if there is no log.config file.
#
stream        default     {
    aatv      log_v2_0
    buffer    1
    close     on
    filename  session.%Y-%m-%d.log
    update    900
    wrap      3 
}
end

Change session.%Y-%m-%d.log to the filename syntax you wish to use.
Save and close the file.
Restart the server if it is currently running.

Changing the Accounting Log Rollover Interval

The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval follow the steps in the To Change the Accounting Log Filename procedure. The logging interval will change to the finest unit of time in the timestamp portion of the filename. For example,%Y-%m-%d-%H, will change the rollover interval to hourly.