Logging user authentication and accounting requests

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use IAS to create log files based on the authentication and accounting requests received from access servers, and collect this information in a central location. By setting up and using log files to track authentication information, such as each connection accept and connection reject, you can simplify administration of your service. You can set up and use logs to track accounting information (such as logon and logoff records) to maintain records for billing purposes.

When you set up logging, you can specify:

  • Which requests are logged.

  • The log-file format.

  • How often new logs are started.

  • Automatic deletion of the oldest log file when the disk is full.

  • Where log files are recorded.

  • What the log file records contain.

You can use the IAS console to specify which requests are logged. For more information, see Select requests to be logged.

You can use the IAS console to specify the log-file format, how often new logs are started, and where log files are recorded. For more information, see Configure log file properties.

Which requests are logged

You can select the following types of requests to log:

  • Accounting requests, including the following:

    • Accounting-on requests, which are sent by the access server to indicate that it is online and ready to accept connections.

    • Accounting-off requests, which are sent by the access server to indicate that it is going offline.

    • Accounting-start requests, which are sent by the access server (after the user is accepted by the IAS server) to indicate the start of a user session.

    • Accounting-stop requests, which are sent by the access server to indicate the end of a user session.

  • Authentication requests, including the following:

    • Authentication requests, which are sent by the access server on behalf of the connecting user. These entries in the log contain only incoming attributes.

    • Authentication accepts and rejects, which are sent by IAS to the access server, indicating whether the user should be accepted or rejected. These entries contain only outgoing attributes.

  • Periodic status, which is used to obtain interim accounting requests sent by some access servers during sessions.

    • Accounting-interim requests, which are sent periodically by the access server during a user session. This type of request can be used when the Acct-Interim-Interval RADIUS attribute is configured to support periodic requests in the remote access profile on the IAS server.

Notes

  • All types of request logging are disabled by default.

  • Initially, it is recommended that you enable the logging of accounting and authentication requests. You can refine your logging methods after you determine which data best matches your needs.

  • You can also log accounting, authentication, and periodic status to a SQL Server database. For more information, see SQL Server database logging.

The log-file format

You can configure your IAS servers to log data with either the IAS format or the database-import log format.

  • If you select the IAS format, attributes are logged in the form of attribute-value pairs. This format has the following characteristics:

    • The sequence of the attributes is dependent on the access server that is sending a request.

    • The logged attributes include RADIUS standard, IAS-specific, and vendor-specific.

    • All attributes that contain unprintable characters or any delimiters are printed in hexadecimal format (for example, 0x026).

  • If you select the database-import log format, attributes are logged in a format that supports importing the log into databases. This format has the following characteristics:

    • The attributes of all records are recorded in the same sequence (predefined by IAS), regardless of which access server sent the request.

    • If the attribute is not present in the request or reply (for example, if an attribute is not received from the access server), then the field in the log is empty.

    • The specific set of attributes that are logged is in a sequence that is predefined in IAS. Although the attributes included in this set are limited in number, they are those that are generally most useful in request tracking and analysis.

Notes

  • IAS format is enabled by default.

  • Switching log file formats does not cause a new log to be created. If you change log file formats, the file that is active at the time of the change will contain a mixture of the two formats (that is, records at the start of the log have the previous format and records at the end of the log have the new format).

How often new logs are started

When you configure your servers, you can specify whether new logs are started daily, weekly, monthly, or after the log reaches a specific size. You can also specify that a single log is maintained continually (regardless of file size), but this is not recommended. The file naming convention for logs is determined by the amount of time that each log is used, which you specify by setting the change frequency. If the log file change frequency is Daily, the log file name format is inyymmdd.log (where y is year, m is month, and d is day). If the log file change frequency is Weekly, the log file name format is inyymmww.log (where w is week). If the log file change frequency is Monthly, the log file name format is inyymm.log. Following are some example log file names:

Log file name    Change frequency    File creation date
in020528.log     Daily               May 28, 2002
in020304.log     Weekly              The fourth week of March, 2002
in0304.log       Monthly             April, 2003

Notes

  • By default, the new log file change frequency is set to Monthly.

  • When the log file change frequency is Never (unlimited file size), the IAS log file is named iaslog.log.

  • When the log file change frequency is When log file reaches this size, the file name is iaslogn.log, where n represents the maximum size of the file.

Automatic deletion of the oldest log file when the disk is full

You can specify whether IAS deletes the oldest log file when the disk is full. IAS determines which file is oldest by checking the file name rather than the time stamp. The currently configured log file change frequency (where new files are created at either a specified time or when the current file reaches a specified size) determines which log file IAS deletes.

IAS only deletes the oldest file from the same change frequency--it does not delete a file with a different file name format. For example, if the currently configured log file change frequency is set to Monthly (which has a log file name format of inyymm.log), IAS will not delete a log file named in021231.log even if it is the oldest log file, because the log file name and name format indicate that it was created with the change frequency set to Daily. The only time that IAS might delete a file from another change frequency occurs when the two change frequency settings are Daily and Weekly, and the file name can be interpreted both as one of the first four days of the month and as one of the four weeks of the month, as demonstrated in the following examples:

The file name    Is interpreted as both
in020501.log     A Daily file created on May 1, 2002 or a Weekly file created in the first week of May, 2002.
in020502.log     A Daily file created on May 2, 2002 or a Weekly file created in the second week of May, 2002.
in020503.log     A Daily file created on May 3, 2002 or a Weekly file created in the third week of May, 2002.
in020504.log     A Daily file created on May 4, 2002 or a Weekly file created in the fourth week of May, 2002.

Notes

  • If the oldest log file is the log file that is currently in use, the log file is not deleted.

  • Because changing the log file change frequency might result in the overwriting of existing logs, you should copy logs to a separate file before making the change.

  • For more information about how to effectively configure and use log files, see IAS Best Practices and Configure log file properties.
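The name-based selection described above can be modelled to audit a log folder before changing the change frequency. The following Python sketch is an added example, not IAS code: the function names and the sample file list are constructed, and the logic follows only the naming rules stated on this page.

```python
import re

# "in" + yy + mm + optional dd or ww + ".log", the Daily, Weekly and Monthly formats
NAME_RE = re.compile(r"^in(\d{2})(\d{2})(\d{2})?\.log$", re.IGNORECASE)

def interpretations(name):
    """Return every change frequency whose name format this file name fits."""
    m = NAME_RE.match(name)
    if not m or not 1 <= int(m.group(2)) <= 12:
        return set()
    if m.group(3) is None:
        return {"Monthly"}                  # inyymm.log
    tail, fits = int(m.group(3)), set()
    if 1 <= tail <= 31:
        fits.add("Daily")                   # inyymmdd.log
    if 1 <= tail <= 4:
        fits.add("Weekly")                  # inyymmww.log, four weeks as the page describes
    return fits

def ambiguous(names):
    """Files that read as both a Daily and a Weekly log."""
    return sorted(n for n in names if interpretations(n) == {"Daily", "Weekly"})

def deletion_candidate(names, configured, in_use=None):
    """Oldest file by name (not time stamp) that fits the configured frequency.

    Returns None when nothing fits or when the oldest file is the one in use.
    """
    pool = [n for n in names if configured in interpretations(n)]
    if not pool:
        return None
    oldest = min(pool, key=str.lower)       # same-format names sort chronologically
    if in_use and oldest.lower() == in_use.lower():
        return None
    return oldest

# Constructed folder listing that reuses the file names from the tables above.
SAMPLE_FILES = ["in020528.log", "in020304.log", "in0304.log",
                "in021231.log", "in020501.log", "iaslog.log"]

if __name__ == "__main__":
    print("Ambiguous Daily/Weekly names:", ambiguous(SAMPLE_FILES))
    for freq in ("Daily", "Weekly", "Monthly"):
        print(freq, "->", deletion_candidate(SAMPLE_FILES, freq))
```

Any file reported as ambiguous should be copied elsewhere before switching between Daily and Weekly, because it is eligible for deletion under either setting.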

Where log files are recorded

By default, log files are located in the systemroot\System32\LogFiles folder. You can specify a different location.

The log file directory can be specified by using system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, the path %windir%\System32\Logs\ uses the environment variable %windir% to locate the log file in the \System32\Logs subfolder of the system directory.

For information about how to set up the authentication and accounting logging service on an IAS server, see Configure Logging for User Authentication and Accounting.

For information about how to import a log file into a database, see Importing IAS log files into a database.

Log capture for other processes

To send log data directly to another process, you can configure IAS to write to a named pipe, instead of a file. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program should create a named pipe called \\.\pipe\iaslog.log to accept the data.

What the log file records contain

Attributes are recorded in UTF-8 encoding in a comma-delimited format. The format of the records in a log file depends on the file format.

In IAS-formatted log files, each record starts with a fixed-format header, which consists of the access server IP address, user name, record date, record time, service name, and computer name, followed by attribute-value pairs.

For more information about the attributes and other data logged in the IAS format, see IAS-Formatted Log Files.

In database-import log files, each record contains attribute values in a consistent sequence, including the computer name, service name, record date, and record time. An access server might not use all of the attributes specified in the database-import log format, but the comma-delimited location for each of these pre-defined attributes is maintained, even for attributes that have no value specified in a record.

For more information about the attributes and other data logged in the database-import log format, see Database-Import Log Files.
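Because switching formats leaves one file holding both record types, a parser should check each record for the IAS-format header before trusting field positions. The following Python sketch is an added example, not Microsoft code: the sample records are constructed, and it assumes the attribute-value pairs follow the header as alternating attribute, value fields.

```python
import csv
import ipaddress

# Fixed IAS-format header, in the order given above.
HEADER = ("access_server_ip", "user_name", "record_date", "record_time",
          "service_name", "computer_name")

def parse_ias_record(line):
    """Parse one IAS-format record; return None if it lacks the IAS header."""
    fields = next(csv.reader([line]), [])
    if len(fields) < len(HEADER):
        return None
    try:
        ipaddress.ip_address(fields[0].strip())
    except ValueError:
        return None                       # first field is not an access server IP
    record = dict(zip(HEADER, fields))
    rest = fields[len(HEADER):]
    # Assumption: attribute and value alternate; kept as a list because the
    # sequence depends on the access server that sent the request.
    record["attributes"] = list(zip(rest[0::2], rest[1::2]))
    return record

def format_switch_points(lines):
    """Return 1-based line numbers where the record format changes."""
    switches, previous = [], None
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        is_ias = parse_ias_record(line) is not None
        if previous is not None and is_ias != previous:
            switches.append(number)
        previous = is_ias
    return switches

# Constructed sample: two IAS-format records, then two records in another layout.
SAMPLE_LOG = [
    "192.0.2.10,alice,05/28/2002,10:15:02,IAS,IASSRV01,4,192.0.2.10,5,3,61,5",
    "192.0.2.10,bob,05/28/2002,10:15:40,IAS,IASSRV01,4,192.0.2.10,5,7",
    '"IASSRV01","IAS",05/28/2002,10:16:40,1,"alice",,,,',
    '"IASSRV01","IAS",05/28/2002,10:17:05,1,"bob",,,,',
]

if __name__ == "__main__":
    print(parse_ias_record(SAMPLE_LOG[0]))
    print("Format changes at line(s):", format_switch_points(SAMPLE_LOG))
```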

Note

  • This documentation contains logging information that is specific to IAS. The types of data that your access server sends might vary, depending upon the manufacturer. For information about the specific data that your access server sends and how to configure accounting packets, see your access server documentation.