RADIUS Server Log Files

The server log file records RADIUS events, such as server startup and shutdown or user authentication and rejection, as a series of messages in an ASCII text file. Each line of the server log file identifies the date and time of the RADIUS event, followed by event details. You can open the current log file while RADIUS is running.

Log Rotation

Log rotation prevents RADIUS server logs from growing indefinitely. You can rotate RADIUS server log files by date or size:

  • By default, RADIUS server log files are rotated daily with a filename extension that specifies the year, month, and day. You can rotate log files daily, weekly, or monthly.

    The current log file is named radius.log, and rotated log files are named radius.log-YYYYMMDD, where YYYYMMDD specifies the date. For example:

    -rw------- 1 rsaadmin rsaadmin 120 Dec 3 00:36 radius.log-20201203

    -rw------- 1 rsaadmin rsaadmin 3613 Dec 4 00:37 radius.log

  • To rotate log files by size, instead of date, use the size parameter in the radiusd file to specify a maximum size for a server log file. By default, the size parameter is commented out and set to 0.

    The current log file is named radius.log, and rotated log files are named radius.log.n, where n is 1, 2, 3, and so forth. For example, the most recent rotated log file is named radius.log.1. When radius.log reaches the maximum size, a new radius.log file is created, the current radius.log file is rotated and renamed radius.log.1, and the previous radius.log.1 file is renamed radius.log.2.

    The size option is mutually exclusive with the time interval options (daily, weekly, or monthly). If you specify the size option after you specify time criteria, then log files are rotated without regard for the last rotation time. The last specified option takes precedence.

Use SSH to configure RSA RADIUS log rotation in the /etc/logrotate.d/radiusd file. For instructions, see the RSA Authentication Manager RADIUS Reference Guide.

Debugging Level

By default, RSA RADIUS debugging is turned off. You can enable additional logging to obtain useful information for troubleshooting. Change the debug_level to 1 or 2, depending upon how much information you want to log:

debug_level=0

Entering any invalid value, such as 3, resets the debug_level to the default value of 0.

Note: Do not change the "suppress_secrets = yes" configuration. Changing this value to "no" would log the user passcode and the client shared secret in plain text at log levels 1 and 2.

RSA RADIUS debugging is configured by editing the radiusd.conf file in the Operations Console. For instructions, see Edit RADIUS Server Files.
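
The following shell functions are an added example, not part of the RSA documentation or product. They check a copy of radiusd.conf against the Debugging Level rules above and report which rotation criterion wins in a logrotate file under the "last specified option takes precedence" rule from Log Rotation. The function names are hypothetical, and both file paths are supplied by you as arguments.

```shell
#!/bin/sh
# Added example (not RSA code): audit debug settings and the rotation mode.

# Print the last uncommented value of KEY ($1) in FILE ($2); empty if unset.
conf_value() {
    awk -v key="$1" '
        { sub(/#.*/, "") }                              # drop comments
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); gsub(/"/, ""); val = $0
        }
        END { print val }' "$2"
}

# Return 0 when suppress_secrets is yes, 1 otherwise. Assumption: an unset
# suppress_secrets is flagged for review, since the page gives no default.
audit_debug() {
    level=$(conf_value debug_level "$1")
    secrets=$(conf_value suppress_secrets "$1")
    rc=0
    case "$level" in
        0|"") echo "debug_level: off (default 0)" ;;
        1|2)  echo "debug_level: $level (debugging enabled)" ;;
        *)    echo "debug_level: '$level' is invalid and is reset to 0" ;;
    esac
    if [ "$secrets" != "yes" ]; then
        echo "FINDING: suppress_secrets is '${secrets:-unset}', expected yes"
        rc=1
    fi
    return $rc
}

# Print the rotation criterion that takes effect: the last uncommented one
# of daily, weekly, monthly or size ("none" if the file sets none of them).
effective_rotation() {
    awk '
        { sub(/#.*/, "") }
        $1 ~ /^(daily|weekly|monthly)$/ { mode = $1 }
        $1 ~ /^size(=.*)?$/             { mode = "size" }
        END { print (mode ? mode : "none") }' "$1"
}

# Stand-alone use: sh script.sh <copy of radiusd.conf> <copy of logrotate file>
if [ $# -eq 2 ]; then
    audit_debug "$1"
    echo "rotation: $(effective_rotation "$2")"
fi
```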