<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">I have two questions. Please point me in the right direction if the answer is documented somewhere and I’ve missed it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">First some background.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am running Red Hat Enterprise Linux<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">2.6.32-279.11.1.el6.x86_64 #1 SMP Sat Sep 22 07:10:26 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in"><o:p> </o:p></p>
<p class="MsoNormal">Installed Package<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Name : freeradius<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Arch : x86_64<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Version : 2.1.12<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Release : 4.el6_3<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I would like to feed logs into a SIEM (ArcSight). Has anyone done it? Is the procedure documented anywhere? It looks like I just parse the syslog output and feed that into the SIEM but I’d like some advice from anyone who has done it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Second Question <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The current syslog output is not very verbose but when I run Radiusd in –X mode I see a ton of data. I’d like to log close to what the –X outputs to my syslog file. From what I’ve read there’s a module that will allow me to log that level
of detail but I’m not sure I’m 100% familiar with the module concept. Do I just <b>
$INCLUDE modulename </b>in the radius.conf file and then go into the module itself and make the configuration changes there?
<o:p></o:p></p>
<p class="MsoNormal">Ultimately I’d like my syslog file to show who tried to authenticate USERNAME, the IP address they initiated the auth request from USER’s IP, successful authentication or fail/reject.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks in advance.<b><span style="font-family:"Arial","sans-serif""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-family:"Arial","sans-serif"">Shawn L. Wiley, CISSP - Information and Application Security Architecture<o:p></o:p></span></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<HR align=center SIZE=0 width="100%">
<span style="FONT-FAMILY: Arial; COLOR: grey; FONT-SIZE: 7.5pt">This message may contain confidential information and is intended for specific recipients unless explicitly noted otherwise. If you have reason to believe you are not an intended recipient of this message, please delete it and notify the sender. This message may not represent the opinion of Intercontinental Exchange, Inc. (ICE), Euronext or any of their subsidiaries or affiliates, and does not constitute a contract or guarantee. Unencrypted electronic mail is not secure and the recipient of this message is expected to provide safeguards from viruses and pursue alternate means of communication where privacy or a binding message is desired. </span>
<HR align=center SIZE=0 width="100%"></body>
</html>