Two questions SYSLOG (level of detail written and forwarding to a SIEM)

Shawn Wiley SWiley at nyx.com
Tue Oct 14 19:36:51 CEST 2014


I have two questions. Please point me in the right direction if the answer is documented somewhere and I've missed it.

First some background.

I am running Red Hat Enterprise Linux
2.6.32-279.11.1.el6.x86_64 #1 SMP Sat Sep 22 07:10:26 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux

Installed Package
Name        : freeradius
Arch        : x86_64
Version     : 2.1.12
Release     : 4.el6_3

I would like to feed logs into a SIEM (ArcSight). Has anyone done it? Is the procedure documented anywhere? It looks like I just parse the syslog output and feed that into the SIEM but I'd like some advice from anyone who has done it.

Second Question

The current syslog output is not very verbose but when I run Radiusd in -X mode I see a ton of data. I'd like to log close to what the -X outputs to my syslog file. From what I've read there's a module that will allow me to log that level of detail but I'm not sure I'm 100% familiar with the module concept. Do I just $INCLUDE modulename in the radius.conf file and then go into the module itself and make the configuration changes there?
Ultimately I'd like my syslog file to show who tried to authenticate USERNAME, the IP address they initiated the auth request from USER's IP, successful authentication or fail/reject.

Thanks in advance.

Shawn L. Wiley, CISSP - Information and Application Security Architecture

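As an added worked example (not part of the original post and not FreeRADIUS project code): in FreeRADIUS 2.x, setting `auth = yes` and `destination = syslog` in the `log { }` section of radiusd.conf makes radiusd write one line per authentication outcome in the form `Login OK: [user] (from client <shortname> port <n> cli <calling-station-id>)` or `Login incorrect: [user] (...)`, which already carries the three fields asked for. Two caveats a practitioner will want: the "from client" value is the shortname of the RADIUS client (the NAS) as configured in clients.conf, not the end user's address, and the `cli` field is whatever the NAS sent in Calling-Station-Id (an IP on some VPN concentrators, a MAC on wireless controllers); and `auth_badpass = yes` / `auth_goodpass = yes` append the password after a `/` inside the brackets, so leave them at `no` when the log is forwarded anywhere. The script below parses such syslog lines (the sample lines are constructed, with hostnames, PIDs and users made up for illustration) and rewrites each as ArcSight's Common Event Format (CEF), which the ArcSight syslog connector accepts; it redacts a password if one is present. For a line with more attributes than the default auth log, the rlm_linelog module (`modules/linelog`, referenced from the `post-auth` section) writes an arbitrary format string, but its output is site-specific and is not covered by this parser.

```python
"""Turn FreeRADIUS 2.x auth-log lines (as received via syslog) into CEF.

Added example for the thread above; the sample log lines are constructed,
not captured from a real server.
"""
import re
import sys

# Constructed sample input: default FreeRADIUS 2.x auth log via syslog.
# Line 4 shows what auth_badpass = yes produces (password after the "/").
# Line 5 is ordinary radiusd chatter that must be skipped, not parsed.
SAMPLE_SYSLOG = """\
Oct 14 19:36:51 radius1 radiusd[2241]: Login OK: [swiley] (from client vpn-gw port 12 cli 192.0.2.10)
Oct 14 19:37:02 radius1 radiusd[2241]: Login incorrect: [swiley] (from client vpn-gw port 13 cli 192.0.2.10)
Oct 14 19:37:09 radius1 radiusd[2241]: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [bob] (from client wlan-ctrl port 0 cli 00-11-22-33-44-55)
Oct 14 19:37:15 radius1 radiusd[2241]: Login incorrect: [swiley/Secret123] (from client vpn-gw port 13 cli 192.0.2.10)
Oct 14 19:37:20 radius1 radiusd[2241]: Ready to process requests.
"""

# Classic BSD syslog prefix: "Mon dd HH:MM:SS host radiusd[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) radiusd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Default 2.x auth-log body. The "(reason)" part appears when a module
# attached a failure message; "cli ..." appears only if the NAS sent
# Calling-Station-Id.
AUTH_RE = re.compile(
    r"^(?P<result>Login OK|Login incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?"
    r": \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


def parse_auth_line(line):
    """Return a dict for an auth-log line, or None for any other line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    a = AUTH_RE.match(m.group("msg"))
    if not a:
        return None
    user = a.group("user")
    password_logged = False
    # With auth_badpass/auth_goodpass the field is "user/password";
    # drop the password rather than ship it to the SIEM.
    if "/" in user:
        user = user.split("/", 1)[0]
        password_logged = True
    return {
        "time": m.group("ts"),
        "server": m.group("host"),
        "result": a.group("result"),
        "reason": a.group("reason") or "",
        "user": user,
        "client": a.group("client"),   # NAS shortname from clients.conf
        "port": int(a.group("port")),
        "cli": a.group("cli") or "",   # Calling-Station-Id as sent by the NAS
        "password_logged": password_logged,
    }


def _esc_header(s):
    # CEF header fields: escape backslash and the pipe delimiter.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    # CEF extension values: escape backslash, "=" and newlines.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "").replace("\n", "\\n"))


def to_cef(ev, version="2.1.12"):
    """Render one parsed event as a CEF:0 line for the ArcSight connector."""
    ok = ev["result"] == "Login OK"
    header = [
        "CEF:0", "FreeRADIUS", "radiusd", version,
        "auth-ok" if ok else "auth-fail",   # signature id (site-chosen)
        ev["result"],                       # event name
        "3" if ok else "5",                 # severity 0-10 (site-chosen)
    ]
    ext = [
        ("dvchost", ev["server"]),
        ("suser", ev["user"]),
        ("cs1Label", "nasClient"), ("cs1", ev["client"]),
        ("spt", str(ev["port"])),
        ("outcome", "success" if ok else "failure"),
    ]
    if ev["cli"]:
        ext += [("cs2Label", "callingStationId"), ("cs2", ev["cli"])]
    if ev["reason"]:
        ext.append(("reason", ev["reason"]))
    # Syslog timestamps carry no year, so the connector's receipt time is
    # left as the event time; the raw stamp is kept in a custom string.
    ext += [("cs3Label", "syslogTime"), ("cs3", ev["time"])]
    if ev["password_logged"]:
        ext.append(("msg", "password present in source log, redacted here"))
    return ("|".join(_esc_header(h) for h in header) + "|"
            + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext))


def convert(text, version="2.1.12"):
    """Convert a block of syslog text; non-auth lines are dropped."""
    out = []
    for line in text.splitlines():
        ev = parse_auth_line(line)
        if ev is not None:
            out.append(to_cef(ev, version))
    return out


if __name__ == "__main__":
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    for cef in convert(src):
        print(cef)
```

Run it with `radiusd` syslog output on stdin (for instance from a file rsyslog writes for the `daemon` facility) and forward the printed lines to the ArcSight syslog connector; with no stdin it converts the constructed sample. The signature IDs, severities and the cs1/cs2/cs3 label names are local choices, not ArcSight or FreeRADIUS constants.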


More information about the Freeradius-Users mailing list