FreeRADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to and use a network service. RADIUS accounting logs can be produced by many network devices or by FreeRADIUS, an open source RADIUS server for Unix-like systems.
NXLog can be configured to process FreeRADIUS authentication and accounting logs. For processing RADIUS NPS logs, see RADIUS NPS (xm_nps).
The configuration below uses the im_file module to read FreeRADIUS authentication log entries and extract fields with a regular expression. The result is converted to JSON after the EventReceivedTime, SourceModuleName, and SourceModuleType fields are deleted from the event record.
# Reads FreeRADIUS authentication log lines and keeps only those that match the
# "<date> : <type>: <message>" layout; every other line is dropped.
# '/tmp/input' is a placeholder path: point File at the real FreeRADIUS log
# file, which should be readable by the NXLog user and nobody else.
<Input freeradius>
Module im_file
File '/tmp/input'
<Exec>
# The named groups become the $DateTime, $EventType and $Message fields.
# NOTE(review): the day-of-month group is \d{2}; a space-padded single-digit
# day (which the accounting HeaderLine regex further down allows for with
# \s+\d{1,2}) would not match and the line would be silently dropped by the
# else branch below — confirm against the real log format.
# $Message carries the rest of the line verbatim. In the samples below that
# includes the "[user/password]" pair FreeRADIUS writes when its
# auth_goodpass/auth_badpass logging is enabled, so the JSON output inherits
# the cleartext credential; disable that logging or redact $Message here.
# Non-matching lines are discarded without any log message.
if $raw_event =~ /^(?<DateTime>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) : (?<EventType>\w+): (?<Message>.+)/
{
# Rebuild $raw_event without the " : " / ": " separators.
$raw_event = $DateTime + ' ' + $EventType + ' ' + $Message;
}
else drop();
</Exec>
</Input>
# Writes each event as one JSON object. The delete() calls strip NXLog's own
# metadata fields so only the parsed fields remain, as the sample output shows;
# $raw_event itself does not appear as a key there.
# NOTE: to_json() comes from the xm_json extension, which this snippet does not
# declare, and no Route connecting the input to this output is shown — both are
# needed for a working configuration. '/tmp/output' is a placeholder path.
<Output out>
Module om_file
File '/tmp/output'
<Exec>
# Remove NXLog-internal fields before serialization.
delete($EventReceivedTime);
delete($SourceModuleName);
delete($SourceModuleType);
# Serialize the remaining fields (DateTime, EventType, Message) to JSON.
to_json();
</Exec>
</Output>
Below are the log samples before and after processing.
Thu Dec 20 07:50:44 2018 : Info: Loaded virtual server inner-tunnel
Thu Dec 20 07:50:44 2018 : Info: Ready to process requests
Thu Dec 20 07:50:46 2018 : Auth: (0) Login OK: [testing/testing123] (from client localhost port 0)
Thu Dec 20 07:50:46 2018 : Auth: (1) Login OK: [testing/testing123] (from client localhost port 0)
Thu Dec 20 07:50:47 2018 : Auth: (2) Login OK: [testing/testing123] (from client localhost port 0)
Thu Dec 20 07:50:49 2018 : Auth: (3) Login incorrect (pap: Cleartext password does not match "known good" password): [testing/testing] (from client localhost port 0)
{
"DateTime": "Thu Dec 20 07:50:44 2018",
"EventType": "Info",
"Message": "Loaded virtual server inner-tunnel"
}
{
"DateTime": "Thu Dec 20 07:50:44 2018",
"EventType": "Info",
"Message": "Ready to process requests"
}
{
"DateTime": "Thu Dec 20 07:50:46 2018",
"EventType": "Auth",
"Message": "(0) Login OK: [testing/testing123] (from client localhost port 0)"
}
{
"DateTime": "Thu Dec 20 07:50:46 2018",
"EventType": "Auth",
"Message": "(1) Login OK: [testing/testing123] (from client localhost port 0)"
}
{
"DateTime": "Thu Dec 20 07:50:47 2018",
"EventType": "Auth",
"Message": "(2) Login OK: [testing/testing123] (from client localhost port 0)"
}
{
"DateTime": "Thu Dec 20 07:50:49 2018",
"EventType": "Auth",
"Message": "(3) Login incorrect (pap: Cleartext password does not match \"known good\" password): [testing/testing] (from client localhost port 0)"
}
The configuration below uses the im_file module to read FreeRADIUS accounting logs and the xm_multiline module to match the start and end of each log entry. Each entry is parsed into key-value pairs with the xm_kvp module and converted to JSON with the xm_json module. The EventReceivedTime, SourceModuleName, and SourceModuleType fields are deleted from the entry.
# Groups multi-line accounting records: a record starts at a ctime-style header
# line ("Tue May 21 00:00:03 2013") and ends at the "Timestamp = <epoch>" line,
# as in the samples below.
<Extension radius>
Module xm_multiline
# The header regex is split over two lines with a trailing backslash. It expects
# exactly one whitespace character before the weekday (^\s); the sample below is
# shown without that leading space — TODO confirm against the real log.
HeaderLine /^\s\S\S\S\s+\S\S\S\s+\d{1,2}\s+\d{1,2}\:\d{1,2}\: \
\d{1,2}\s+\d{4}/
EndLine /^\s+Timestamp = \d*/
</Extension>
# Parser for the "Key = value" attribute lines of an accounting record, one pair
# per line.
<Extension kvp>
Module xm_kvp
KVDelimiter =
KVPDelimiter \n
</Extension>
# Reads accounting records grouped by the "radius" multiline extension, parses
# the attribute lines into fields and converts the two timestamps.
# NOTE: the JSON sample below implies a to_json() step (xm_json) and an output
# that this snippet does not show. "/tmp/input" is a placeholder path.
<Input in>
Module im_file
File "/tmp/input"
# Read the whole file from the beginning and do not persist the read position:
# fine for the sample run, not for tailing a live log.
ReadFromLast FALSE
SavePos FALSE
InputType radius
<Exec>
# Group 1 is the header line (everything up to the first newline, since '.'
# does not span lines); group 2 is the remainder of the record.
# Unlike the authentication example, non-matching records are not dropped: the
# else branch logs them in full at info level (including any attribute values
# they carry) and they still continue downstream with only the three metadata
# fields removed.
if $raw_event =~ /^(.+)\s*([\s\S]+)/
{
# The header carries no timezone. In the sample output it parses as
# 2013-05-21T00:00:03Z while the epoch Timestamp of the same record renders as
# 2013-05-20T22:00:03Z, i.e. the two differ by two hours — presumably the host's
# UTC offset; confirm which of the two is the intended event time.
$EventTime = parsedate($1);
# NOTE(review): repeated keys inside one record collapse to a single field
# holding the last value. In the sample the several Cisco-AVPair lines survive
# only as "client-mac-address=..." and the two Proxy-State lines only as the
# second one, so the disconnect cause and speed attributes are lost.
kvp->parse_kvp($2);
# Epoch seconds (from the "Timestamp = ..." line) -> NXLog datetime, which
# expects microseconds.
$Timestamp = datetime(integer($Timestamp) * 1000000);
}
else log_info("no match for " + $raw_event);
# Remove NXLog-internal fields.
delete($EventReceivedTime);
delete($SourceModuleName);
delete($SourceModuleType);
</Exec>
</Input>
Below are the event samples before and after processing.
Tue May 21 00:00:03 2013
Acct-Session-Id = "1/3/0/3_00FA2701"
Framed-Protocol = PPP
Framed-IP-Address = 1.2.3.4
Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
User-Name = "user"
Acct-Authentic = RADIUS
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=1410065408"
Cisco-AVPair = "nas-rx-speed=1410065408"
Acct-Session-Time = 384
Acct-Input-Octets = 4497
Acct-Output-Octets = 7951
Acct-Input-Packets = 64
Acct-Output-Packets = 64
Acct-Terminate-Cause = User-Request
Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
Acct-Status-Type = Stop
NAS-Port-Type = Ethernet
NAS-Port = 402653187
NAS-Port-Id = "1/3/0/3"
Cisco-AVPair = "client-mac-address=fe00.5104.01ae"
Service-Type = Framed-User
NAS-IP-Address = 1.2.3.4
X-Ascend-Session-Svr-Key = "DCCE87A5"
Acct-Delay-Time = 0
Proxy-State = 0x313133
Proxy-State = 0x323339
Client-IP-Address = 1.2.3.4
Acct-Unique-Session-Id = "3ff5a50a3cea9cba"
Timestamp = 1369087203
{
"EventTime": "2013-05-21T00:00:03.000000+00:00",
"Acct-Session-Id": "1/3/0/3_00FA2701",
"Framed-Protocol": "PPP",
"Framed-IP-Address": "1.2.3.4",
"Cisco-AVPair": "client-mac-address=fe00.5104.01ae",
"User-Name": "user",
"Acct-Authentic": "RADIUS",
"Acct-Session-Time": 384,
"Acct-Input-Octets": 4497,
"Acct-Output-Octets": 7951,
"Acct-Input-Packets": 64,
"Acct-Output-Packets": 64,
"Acct-Terminate-Cause": "User-Request",
"Acct-Status-Type": "Stop",
"NAS-Port-Type": "Ethernet",
"NAS-Port": 402653187,
"NAS-Port-Id": "1/3/0/3",
"Service-Type": "Framed-User",
"NAS-IP-Address": "1.2.3.4",
"X-Ascend-Session-Svr-Key": "DCCE87A5",
"Acct-Delay-Time": 0,
"Proxy-State": 3289913,
"Client-IP-Address": "1.2.3.4",
"Acct-Unique-Session-Id": "3ff5a50a3cea9cba",
"Timestamp": "2013-05-20T22:00:03.000000+00:00"
}