FreeRADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. RADIUS accounting logs can be provided by many networking devices or by the open source Unix service called FreeRADIUS.

NXLog can be configured to process FreeRADIUS authentication and accounting logs. For processing RADIUS NPS logs, see RADIUS NPS (xm_nps).

Example 1. Processing FreeRADIUS Authentication Logs With Regular Expressions

The configuration below uses the im_file module to read FreeRADIUS authentication log entries and splits each entry into fields with a regular expression. The EventReceivedTime, SourceModuleName, and SourceModuleType fields are deleted from the event record, and the remaining fields are then converted to JSON.

nxlog.conf
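<Extension json>
    Module     xm_json
</Extension>

<Input freeradius>
    Module     im_file
    File       '/tmp/input'
    <Exec>
        # Split each line into timestamp, event type, and message; lines that
        # do not match are dropped. The day accepts one or two digits because
        # ctime-style timestamps pad days 1-9 with a space instead of a zero.
        if $raw_event =~ /^(?<DateTime>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?<EventType>\w+): (?<Message>.+)/
        {
            $raw_event = $DateTime + ' ' + $EventType + ' ' + $Message;
        }
        else drop();
    </Exec>
</Input>

<Output out>
    Module     om_file
    File       '/tmp/output'
    <Exec>
        # Remove the core fields added by NXLog, then serialize the rest as JSON.
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);
        to_json();
    </Exec>
</Output>

<Route freeradius_to_out>
    Path       freeradius => out
</Route>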

Below are the log samples before and after processing.

Event Sample
Thu Dec 20 07:50:44 2018 : Info: Loaded virtual server inner-tunnel
Thu Dec 20 07:50:44 2018 : Info: Ready to process requests
Thu Dec 20 07:50:46 2018 : Auth: (0) Login OK: [testing/testing123] (from client localhost port 0)
Thu Dec 20 07:50:46 2018 : Auth: (1) Login OK: [testing/testing123] (from client localhost port 0)
Thu Dec 20 07:50:47 2018 : Auth: (2) Login OK: [testing/testing123] (from client localhost port 0)
Thu Dec 20 07:50:49 2018 : Auth: (3) Login incorrect (pap: Cleartext password does not match "known good" password): [testing/testing] (from client localhost port 0)

Output Sample
{
  "DateTime": "Thu Dec 20 07:50:44 2018",
  "EventType": "Info",
  "Message": "Loaded virtual server inner-tunnel"
}
{
  "DateTime": "Thu Dec 20 07:50:44 2018",
  "EventType": "Info",
  "Message": "Ready to process requests"
}
{
  "DateTime": "Thu Dec 20 07:50:46 2018",
  "EventType": "Auth",
  "Message": "(0) Login OK: [testing/testing123] (from client localhost port 0)"
}
{
  "DateTime": "Thu Dec 20 07:50:46 2018",
  "EventType": "Auth",
  "Message": "(1) Login OK: [testing/testing123] (from client localhost port 0)"
}
{
  "DateTime": "Thu Dec 20 07:50:47 2018",
  "EventType": "Auth",
  "Message": "(2) Login OK: [testing/testing123] (from client localhost port 0)"
}
{
  "DateTime": "Thu Dec 20 07:50:49 2018",
  "EventType": "Auth",
  "Message": "(3) Login incorrect (pap: Cleartext password does not match \"known good\" password): [testing/testing] (from client localhost port 0)"
}
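
The configuration above leaves each Auth entry as one unstructured Message string, and the sample shows the submitted password inside the brackets. The following Python sketch is an added example, not part of the NXLog documentation: it splits the Message into fields, keeps only a flag in place of the password, and counts repeated failures per user and client. The field names RequestId, Result, Reason, User, Client, Port and PasswordLogged, and the threshold of 3, are assumptions made for this example.

```python
import re
from collections import Counter

# Outer pattern mirrors the NXLog regular expression; the day accepts one or two digits.
LINE = re.compile(r"^(?P<DateTime>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
                  r" : (?P<EventType>\w+): (?P<Message>.+)$")
# Inner pattern splits the Auth message; the group names are chosen for this example.
AUTH = re.compile(r"^\((?P<RequestId>\d+)\) (?P<Result>Login OK|Login incorrect)"
                  r"(?: \((?P<Reason>.*?)\))?: \[(?P<User>[^/\]]*)(?:/(?P<pw>.*?))?\]"
                  r" \(from client (?P<Client>\S+) port (?P<Port>\d+)")

def parse_auth(line):
    """Return structured fields for an Auth line, or None for anything else."""
    outer = LINE.match(line)
    if not outer or outer["EventType"] != "Auth":
        return None
    inner = AUTH.match(outer["Message"])
    if not inner:
        return None
    event = {"DateTime": outer["DateTime"], **inner.groupdict()}
    # Record that a password was logged, but never forward its value.
    event["PasswordLogged"] = event.pop("pw") is not None
    event["RequestId"], event["Port"] = int(event["RequestId"]), int(event["Port"])
    return event

def repeated_failures(lines, threshold=3):
    """Map (user, client) to its failure count when it reaches the threshold."""
    events = filter(None, map(parse_auth, lines))
    counts = Counter((e["User"], e["Client"]) for e in events
                     if e["Result"] == "Login incorrect")
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample: two lines in the format of the Event Sample above,
# followed by three constructed failures for the same user and client.
FAIL = ('Thu Dec 20 07:50:4{n} 2018 : Auth: ({n}) Login incorrect (pap: Cleartext '
        'password does not match "known good" password): [testing/testing] '
        '(from client localhost port 0)')
SAMPLE = ["Thu Dec 20 07:50:44 2018 : Info: Ready to process requests",
          "Thu Dec 20 07:50:46 2018 : Auth: (0) Login OK: [testing/testing123] "
          "(from client localhost port 0)"] + [FAIL.format(n=n) for n in (7, 8, 9)]
```

Whether passwords appear in this log at all is governed by the auth_badpass and auth_goodpass settings in the log section of the FreeRADIUS radiusd.conf file.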

Example 2. Processing FreeRADIUS Accounting Logs

The configuration below uses the im_file module to read FreeRADIUS accounting logs and the xm_multiline module to match the start and end of each log entry. Each entry is parsed into key-value pairs with the xm_kvp module and converted to JSON with the xm_json module. The EventReceivedTime, SourceModuleName, and SourceModuleType fields are deleted from the entry.

nxlog.conf
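<Extension radius>
    Module          xm_multiline
    # An entry starts with a timestamp line and ends with the Timestamp attribute.
    HeaderLine      /^\s\S\S\S\s+\S\S\S\s+\d{1,2}\s+\d{1,2}\:\d{1,2}\:\d{1,2}\s+\d{4}/
    EndLine         /^\s+Timestamp = \d*/
</Extension>

<Extension kvp>
    Module          xm_kvp
    KVDelimiter     =
    KVPDelimiter    \n
</Extension>

<Extension json>
    Module          xm_json
</Extension>

<Input in>
    Module          im_file
    File            "/tmp/input"
    ReadFromLast    FALSE
    SavePos         FALSE
    InputType       radius
    <Exec>
        # $1 is the timestamp line; $2 is the attribute list that follows it.
        if $raw_event =~ /^(.+)\s*([\s\S]+)/
        {
            $EventTime = parsedate($1);
            kvp->parse_kvp($2);
            # Timestamp is in epoch seconds; datetime() takes microseconds.
            $Timestamp = datetime(integer($Timestamp) * 1000000);
        }
        else log_info("no match for " + $raw_event);
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);
    </Exec>
</Input>

<Output out>
    Module          om_file
    File            "/tmp/output"
    # Serialize the parsed fields as JSON.
    Exec            to_json();
</Output>

<Route in_to_out>
    Path            in => out
</Route>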

Below are the event samples before and after processing.

Event Sample
 Tue May 21 00:00:03 2013
            Acct-Session-Id = "1/3/0/3_00FA2701"
            Framed-Protocol = PPP
            Framed-IP-Address = 1.2.3.4
            Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
            User-Name = "user"
            Acct-Authentic = RADIUS
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=1410065408"
            Cisco-AVPair = "nas-rx-speed=1410065408"
            Acct-Session-Time = 384
            Acct-Input-Octets = 4497
            Acct-Output-Octets = 7951
            Acct-Input-Packets = 64
            Acct-Output-Packets = 64
            Acct-Terminate-Cause = User-Request
            Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
            Acct-Status-Type = Stop
            NAS-Port-Type = Ethernet
            NAS-Port = 402653187
            NAS-Port-Id = "1/3/0/3"
            Cisco-AVPair = "client-mac-address=fe00.5104.01ae"
            Service-Type = Framed-User
            NAS-IP-Address = 1.2.3.4
            X-Ascend-Session-Svr-Key = "DCCE87A5"
            Acct-Delay-Time = 0
            Proxy-State = 0x313133
            Proxy-State = 0x323339
            Client-IP-Address = 1.2.3.4
            Acct-Unique-Session-Id = "3ff5a50a3cea9cba"
            Timestamp = 1369087203

Output Sample
{
  "EventTime": "2013-05-21T00:00:03.000000+00:00",
  "Acct-Session-Id": "1/3/0/3_00FA2701",
  "Framed-Protocol": "PPP",
  "Framed-IP-Address": "1.2.3.4",
  "Cisco-AVPair": "client-mac-address=fe00.5104.01ae",
  "User-Name": "user",
  "Acct-Authentic": "RADIUS",
  "Acct-Session-Time": 384,
  "Acct-Input-Octets": 4497,
  "Acct-Output-Octets": 7951,
  "Acct-Input-Packets": 64,
  "Acct-Output-Packets": 64,
  "Acct-Terminate-Cause": "User-Request",
  "Acct-Status-Type": "Stop",
  "NAS-Port-Type": "Ethernet",
  "NAS-Port": 402653187,
  "NAS-Port-Id": "1/3/0/3",
  "Service-Type": "Framed-User",
  "NAS-IP-Address": "1.2.3.4",
  "X-Ascend-Session-Svr-Key": "DCCE87A5",
  "Acct-Delay-Time": 0,
  "Proxy-State": 3289913,
  "Client-IP-Address": "1.2.3.4",
  "Acct-Unique-Session-Id": "3ff5a50a3cea9cba",
  "Timestamp": "2013-05-20T22:00:03.000000+00:00"
}
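
In the output sample above, only the last Cisco-AVPair and the last Proxy-State of the entry survive, so values such as ppp-disconnect-cause are absent from the JSON. The following Python sketch is an added example, not part of the NXLog documentation: it parses the same entry format while keeping every occurrence of a repeated attribute, and leaves 0x-prefixed values as text. The function names parse_detail and avpairs are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the attributes in the Event Sample above.
SAMPLE = """\
 Tue May 21 00:00:03 2013
            User-Name = "user"
            Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
            Acct-Session-Time = 384
            Cisco-AVPair = "client-mac-address=fe00.5104.01ae"
            Proxy-State = 0x313133
            Proxy-State = 0x323339
            Timestamp = 1369087203
"""

HEADER = re.compile(r"^\s*\w{3}\s+\w{3}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2}\s+\d{4}\s*$")
PAIR = re.compile(r"^\s+(?P<key>[\w-]+) = (?P<value>.*)$")

def parse_detail(text):
    """Split accounting log text into records; repeated attributes become lists."""
    records, current = [], None
    for line in text.splitlines():
        if HEADER.match(line):              # a timestamp line starts a new record
            current = {"EventTime": line.strip()}
            records.append(current)
            continue
        pair = PAIR.match(line)
        if not pair or current is None:
            continue
        key, value = pair["key"], pair["value"].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]             # quoted string
        elif value.isdigit():
            value = int(value)              # decimal integer; 0x... values stay text
        if key in current:                  # keep every occurrence, in file order
            prior = current[key]
            current[key] = prior + [value] if isinstance(prior, list) else [prior, value]
        else:
            current[key] = value
    for rec in records:                     # epoch seconds -> ISO 8601 in UTC
        if isinstance(rec.get("Timestamp"), int):
            rec["Timestamp"] = datetime.fromtimestamp(rec["Timestamp"], timezone.utc).isoformat()
    return records

def avpairs(record):
    """Expand Cisco-AVPair values of the form name=value into a dict."""
    values = record.get("Cisco-AVPair", [])
    values = values if isinstance(values, list) else [values]
    return dict(v.split("=", 1) for v in values if isinstance(v, str) and "=" in v)
```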

Last revision: 28 May 2020