Skip to content

jothoma1/graylog-contentpack-freeradius

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Freeradius 3 Accounting Content Pack for Graylog (https://www.graylog.org/)

Tested with nxLog/freeradius3/Graylog 2

This content pack provides useful dashboard for auditing freeradius accounting :

  • Access from last week
  • Top hourly accounting users
  • Top hourly callingstation
  • Start/Stop/Interim-Update
  • VLAN
  • NAS

Includes

  • Freeradius 3 linelog accounting configuration (in order to format log in JSON)
  • NXLog configuration (change with your graylog server or LB)
  • Stream (dont forget to change MyRadiusServer with your host)
  • Dashboard

Requirements

  • Freeradius 3 with linelog accounting
  • NXLog collecting freeradius logs, other log collectors will work but may require modifying the searches to match the different fields outputted by other collectors

/etc/raddb/mods-enabled/linelog Example

linelog log_accounting {
        filename = ${logdir}/linelog-accounting
        permissions = 0655
        reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
        Accounting-Request {
Start = "{\"RadacctStatusType\":\"Start\",\"RadacctNASIP\":\"%{NAS-IP-Address}\",\"RadacctUser\":\"%{User-Name}\",\"RadacctSessionId\":\"%{Acct-Session-Id}\",\"RadacctFramedIP\":\"%{Framed-IP-Address}\",\"RadacctNASId\":\"%{NAS-Identifier}\",\"RadacctCiscoAVPair\":\"%{Cisco-AVPair}\",\"RadacctVLAN\":\"%{Tunnel-Private-Group-Id:0}\",\"RadacctTunnelType\":\"%{Tunnel-Type:0}\",\"RadacctMediumType\":\"%{Tunnel-Medium-Type:0}\",\"RadacctCallingStationId\":\"%{Calling-Station-Id}\",\"RadacctCalledStationId\":\"%{Called-Station-Id}\",\"RadacctEventTimestamp\":\"%{Event-Timestamp}\",\"RadacctUniqueSessionId\":\"%{Acct-Unique-Session-Id}\",\"RadacctStrippedUserName\":\"%{Stripped-User-Name}\",\"RadacctRealm\":\"%{Realm}\"}"

Stop = "{\"RadacctStatusType\":\"Stop\",\"RadacctNASIP\":\"%{NAS-IP-Address}\",\"RadacctUser\":\"%{User-Name}\",\"RadacctSessionId\":\"%{Acct-Session-Id}\",\"RadacctFramedIP\":\"%{Framed-IP-Address}\",\"RadacctNASId\":\"%{NAS-Identifier}\",\"RadacctCiscoAVPair\":\"%{Cisco-AVPair}\",\"RadacctVLAN\":\"%{Tunnel-Private-Group-Id:0}\",\"RadacctTunnelType\":\"%{Tunnel-Type:0}\",\"RadacctMediumType\":\"%{Tunnel-Medium-Type:0}\",\"RadacctInputOctets\":\"%{Acct-Input-Octets}\",\"RadacctOutputOctets\":\"%{Acct-Output-Octets}\",\"RadacctInputPackets\":\"%{Acct-Input-Packets}\",\"RadacctOutputPackets\":\"%{Acct-Output-Packets}\",\"RadacctTerminateCause\":\"%{Acct-Terminate-Cause}\",\"RadacctSessionTime\":\"%{Acct-Session-Time}\",\"RadacctDelayTime\":\"%{Acct-Delay-Time}\",\"RadacctCallingStationId\":\"%{Calling-Station-Id}\",\"RadacctCalledStationId\":\"%{Called-Station-Id}\",\"RadacctEventTimestamp\":\"%{Event-Timestamp}\",\"RadacctUniqueSessionId\":\"%{Acct-Unique-Session-Id}\",\"RadacctStrippedUserName\":\"%{Stripped-User-Name}\",\"RadacctRealm\":\"%{Realm}\"}"

Interim-Update = "{\"RadacctStatusType\":\"Interim-Update\",\"RadacctNASIP\":\"%{NAS-IP-Address}\",\"RadacctUser\":\"%{User-Name}\",\"RadacctSessionId\":\"%{Acct-Session-Id}\",\"RadacctFramedIP\":\"%{Framed-IP-Address}\",\"RadacctNASId\":\"%{NAS-Identifier}\",\"RadacctCiscoAVPair\":\"%{Cisco-AVPair}\",\"RadacctVLAN\":\"%{Tunnel-Private-Group-Id:0}\",\"RadacctTunnelType\":\"%{Tunnel-Type:0}\",\"RadacctMediumType\":\"%{Tunnel-Medium-Type:0}\",\"RadacctInputOctets\":\"%{Acct-Input-Octets}\",\"RadacctOutputOctets\":\"%{Acct-Output-Octets}\",\"RadacctInputPackets\":\"%{Acct-Input-Packets}\",\"RadacctOutputPackets\":\"%{Acct-Output-Packets}\",\"RadacctSessionTime\":\"%{Acct-Session-Time}\",\"RadacctDelayTime\":\"%{Acct-Delay-Time}\",\"RadacctCallingStationId\":\"%{Calling-Station-Id}\",\"RadacctCalledStationId\":\"%{Called-Station-Id}\",\"RadacctEventTimestamp\":\"%{Event-Timestamp}\",\"RadacctUniqueSessionId\":\"%{Acct-Unique-Session-Id}\",\"RadacctStrippedUserName\":\"%{Stripped-User-Name}\",\"RadacctRealm\":\"%{Realm}\"}"

                #  Don't log anything for these packets.
                Alive = ""

                Accounting-On = "NAS %{Packet-Src-IP-Address} (%{NAS-IP-Address}) just came online"
                Accounting-Off = "NAS %{Packet-Src-IP-Address} (%{NAS-IP-Address}) just went offline"

                # don't log anything for other Acct-Status-Types.
                unknown = "NAS %{Packet-Src-IP-Address} (%{NAS-IP-Address}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
        }
}

NXLog Example

########################################
# Global directives                    #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel WARNING

########################################
# Modules                              #
########################################
<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input in1>
    Module      im_file
    File        '/var/log/radius/linelog-accounting'
    SavePos TRUE
    ReadFromLast TRUE
    Exec        parse_json();
</Input>

<Output out1>
    Module      om_tcp
    Host        graylog.server.com
    Port        12201
    OutputType  GELF_TCP
</Output>

########################################
# Routes                               #
########################################
<Route 1>
    Path        in1 => out1
</Route>

Screenshots

Screenshot

About

Graylog content pack for freeradius 3 (accounting)

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published