auth and detail logs into json format?

cedric delaunay cedric.delaunay at univ-rennes1.fr
Tue Apr 24 10:03:03 CEST 2018


Hi,
Here is how we did it on our server:

enabled rest module (for jsonquote) with all options disabled
enabled linelog module with specific submodule by request type :
ex :

linelog {
...
# logging in a unique file
         filename = ${logdir}/linelog
...
linelog linelog_postauth {
     format = "%t linelog_postauth \%{Packet-Type} non reconnu for %{jsonquote:%{User-Name}} (%{Packet-Type})"
     filename = ${logdir}/linelog_json
     permissions = 0604
     #reference = "%{%{Packet-Type}:-format}"
     reference = "messages.%{%{reply:Packet-Type}:-format}"
         messages {
#Original #         Access-Reject = "%t log_postauth %{reply:Packet-Type} for %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"
Access-Reject = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"requestID\":\"%n\",\"User-Name\":\"%{jsonquote:%{User-Name}}\",\"Realm\":\"%{Realm}\",\"Reject-Cause\":\"%{jsonquote:%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\"}"

#Original           Access-Challenge = "%t log_postauth Sent challenge: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"
Access-Challenge = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"requestID\":\"%n\",\"User-Name\":\"%{jsonquote:%{User-Name}}\",\"Realm\":\"%{Realm}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-Protocol\":\"%{Framed-Protocol}\",\"Framed-IP-Address\":\"%{Framed-IP-Address}\",\"Framed-IP-Netmask\":\"%{Framed-IP-Netmask}\",\"Framed-Routing\":\"%{Framed-Routing}\",\"Filter-Id\":\"%{Filter-Id}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"Framed-Compression\":\"%{Framed-Compression}\",\"Login-IP-Host\":\"%{Login-IP-Host}\",\"Login-Service\":\"%{Login-Service}\",\"Login-TCP-Port\":\"%{Login-TCP-Port}\",\"Reply-Message\":\"%{Reply-Message}\",\"Callback-Number\":\"%{Callback-Number}\",\"Callback-Id\":\"%{Callback-Id}\",\"Framed-Route\":\"%{Framed-Route}\",\"Framed-IPX-Network\":\"%{Framed-IPX-Network}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\"}"
  }
...
}

linelog log_accounting {
...
     Accounting-Request {
          Start = "{\"Datetime\":\"%t\",\"Module_Name\":\"log_accounting\",\"Packet-Type\":\"Accounting-start\",\"Acct-Status-Type\":\"%{Acct-Status-Type}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"User-Name\":\"%{jsonquote:%{User-Name}}\",\"Acct-Session-Id\":\"%{Acct-Session-Id}\",\"Framed-IP-Address\":\"%{Framed-IP-Address}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Cisco-AVPair\":\"%{Cisco-AVPair}\",\"VLAN\":\"%{Tunnel-Private-Group-Id:0}\",\"Tunnel-Type\":\"%{Tunnel-Type:0}\",\"Tunnel-Medium-Type\":\"%{Tunnel-Medium-Type:0}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Event-Timestamp\":\"%{Event-Timestamp}\",\"Acct-Unique-Session-Id\":\"%{Acct-Unique-Session-Id}\",\"Stripped-User-Name\":\"%{Stripped-User-Name}\",\"Realm\":\"%{Realm}\"}"

                                 Stop = "{\"Datetime\":\"%t\",\"Module_Name\":\"log_accounting\",\"Packet-Type\":\"Accounting-stop\",\"Acct-Status-Type\":\"%{Acct-Status-Type}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"User-Name\":\"%{jsonquote:%{User-Name}}\",\"Acct-Session-Id\":\"%{Acct-Session-Id}\",\"Framed-IP-Address\":\"%{Framed-IP-Address}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Cisco-AVPair\":\"%{Cisco-AVPair}\",\"VLAN\":\"%{Tunnel-Private-Group-Id:0}\",\"Tunnel-Type\":\"%{Tunnel-Type:0}\",\"Tunnel-Medium-Type\":\"%{Tunnel-Medium-Type:0}\",\"Acct-Input-Octets\":\"%{Acct-Input-Octets}\",\"Acct-Output-Octets\":\"%{Acct-Output-Octets}\",\"Acct-Input-Packets\":\"%{Acct-Input-Packets}\",\"Acct-Output-Packets\":\"%{Acct-Output-Packets}\",\"Acct-Terminate-Cause\":\"%{Acct-Terminate-Cause}\",\"Acct-Session-Time\":\"%{Acct-Session-Time}\",\"Acct-Delay-Time\":\"%{Acct-Delay-Time}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Event-Timestamp\":\"%{Event-Timestamp}\",\"Acct-Unique-Session-Id\":\"%{Acct-Unique-Session-Id}\",\"Stripped-User-Name\":\"%{Stripped-User-Name}\",\"Realm\":\"%{Realm}\"}"

                                 Interim-Update = "{\"Datetime\":\"%t\",\"Module_Name\":\"log_accounting\",\"Packet-Type\":\"Accounting-update\",\"Acct-Status-Type\":\"%{Acct-Status-Type}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"User-Name\":\"%{jsonquote:%{User-Name}}\",\"Acct-Session-Id\":\"%{Acct-Session-Id}\",\"Framed-IP-Address\":\"%{Framed-IP-Address}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Cisco-AVPair\":\"%{Cisco-AVPair}\",\"VLAN\":\"%{Tunnel-Private-Group-Id:0}\",\"Tunnel-Type\":\"%{Tunnel-Type:0}\",\"Tunnel-Medium-Type\":\"%{Tunnel-Medium-Type:0}\",\"Acct-Input-Octets\":\"%{Acct-Input-Octets}\",\"Acct-Output-Octets\":\"%{Acct-Output-Octets}\",\"Acct-Input-Packets\":\"%{Acct-Input-Packets}\",\"Acct-Output-Packets\":\"%{Acct-Output-Packets}\",\"Acct-Session-Time\":\"%{Acct-Session-Time}\",\"Acct-Delay-Time\":\"%{Acct-Delay-Time}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Event-Timestamp\":\"%{Event-Timestamp}\",\"Acct-Unique-Session-Id\":\"%{Acct-Unique-Session-Id}\",\"Stripped-User-Name\":\"%{Stripped-User-Name}\",\"Realm\":\"%{Realm}\"}"
        }
}


Calling linelog modules in site conf

post-auth {
	...
	linelog_postauth
	...
}

accounting {
	...
	log_accounting
	...
}


Use nxlog to send logs to graylog/elasticsearch server

/etc/nxlog.conf
<Extension gelf>
     Module      xm_gelf
</Extension>

<Extension json>
     Module      xm_json
</Extension>

<Input linelog_json>
     Module      im_file
     File        '/var/log/radius/linelog_json'
     SavePos TRUE
     ReadFromLast TRUE
     Exec        parse_json();
</Input>

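<Output out1>
     Module      om_tcp
     Host        1.2.3.4
     Port        12201
     OutputType  GELF_TCP
</Output>

# A Route is required to connect the input to the output
<Route linelog_to_graylog>
     Path        linelog_json => out1
</Route>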

Maybe not the best way to do it, but it does the job
That's it ;)
Cédric






On 24/04/2018 at 08:03, Arran Cudbard-Bell wrote:
>
>> On Apr 24, 2018, at 12:48 PM, J E H A N Z A I B <jehanzaib.kiani at gmail.com> wrote:
>>
>> Hi folks,
>>
>> Is there any way I can get auth-detail, linelog and detail logs into json
>> instead of plain text ?
> You can write your linelog formats as json and use %{jsonquote:} to escape any special chars in the values.
>
> You will need the rlm_rest module loaded in order to get access to the jsonquote xlat expansion.
>
> -Arran


-- 
Cédric Delaunay			Direction des Systèmes d'Informations
Equipe Réseau & Telephonie	263, Avenue du Général Leclerc
Tel: 02 23 23 71 59		CS 74205 - 35042 Rennes Cedex

For any request, use the help and support service via the ENT at
http://ent.univ-rennes1.fr
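
In the formats above only User-Name is wrapped in %{jsonquote:}; the other request attributes (Calling-Station-Id, NAS-Identifier, ...) are expanded raw. As an added example (not part of the original post and not FreeRADIUS code), this Python sketch lists the attributes in a format string that are not jsonquoted and shows that a single double quote in a raw value makes the line unparseable for parse_json(); `render` is a simplified stand-in for the server's expansion, and the format and sample values are constructed.

```python
import json
import re

ATTR = re.compile(r"%\{([A-Za-z0-9_.:-]+)\}")    # %{Realm}, %{reply:Packet-Type}
QUOTED = re.compile(r"%\{jsonquote:%\{([A-Za-z0-9_.:-]+)\}\}")

def strip_jsonquote(fmt):
    """Remove every %{jsonquote:...} expansion, matching nested braces."""
    out, i = [], 0
    while i < len(fmt):
        if fmt.startswith("%{jsonquote:", i):
            depth, i = 1, i + len("%{jsonquote:")
            while i < len(fmt) and depth:
                depth += {"{": 1, "}": -1}.get(fmt[i], 0)
                i += 1
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)

def unquoted_attrs(fmt):
    """Attributes expanded into the format without jsonquote, in order."""
    return ATTR.findall(strip_jsonquote(fmt))

def render(fmt, attrs):
    """Toy expander (assumption): jsonquote'd values are JSON-escaped, others raw."""
    esc = lambda m: json.dumps(attrs.get(m.group(1), ""))[1:-1]
    raw = lambda m: attrs.get(m.group(1), "")
    return ATTR.sub(raw, QUOTED.sub(esc, fmt))

def parses(line):
    try:
        json.loads(line)
        return True
    except ValueError:
        return False

# Constructed, shortened form of the Access-Reject format from the post
# (config-level \" escapes already removed).
FMT = ('{"Packet-Type":"%{reply:Packet-Type}",'
       '"User-Name":"%{jsonquote:%{User-Name}}",'
       '"Calling-Station-Id":"%{Calling-Station-Id}"}')
FIXED = FMT.replace("%{Calling-Station-Id}", "%{jsonquote:%{Calling-Station-Id}}")

# Constructed request: both request-supplied values contain a double quote.
SAMPLE = {"reply:Packet-Type": "Access-Reject",
          "User-Name": 'bob"smith', "Calling-Station-Id": 'AA-BB"CC'}

if __name__ == "__main__":
    print("not jsonquoted:", unquoted_attrs(FMT))
    print("original parses:", parses(render(FMT, SAMPLE)))
    print("fixed parses:", parses(render(FIXED, SAMPLE)))
```

Running `unquoted_attrs` over each real format string from the linelog configuration gives the list of fields that still need a %{jsonquote:} wrapper.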
