[unisog] Parsing Radius Logs
gadsden at musc.edu
Thu Apr 14 17:18:05 GMT 2005
On Thu, 14 Apr 2005, David Bowie wrote:
> I'd like to tap the collective wisdom regarding RADIUS while folks are still
> thinking about implementation.
> Are there any free/good tools for parsing RADIUS logs with the goal of
> identifying a specific user when provided an IP, date and time?
> Traditionally, this has been a manual effort.
Like Peter, I wrote a perl script for parsing our logs, which are read
from our RADIUS accounting database using perl's DBI interface. Our
accounting records are generated by a Radiator server, following the
accounting standards defined in RFC 2866 and friends.
This script weighs in at a rather hefty 296 lines, but it's fairly feature
rich. A usage statement is attached. The script does (IP,date,time)->user
translations (2nd example), but it does other interesting things too, such
as report all dial-up sessions for a particular user in the past few days
(1st example), show all current vpn sessions (3rd example), etc.
It should be relatively straightforward to adapt this perl script to any
RADIUS logs that follow RFC 2866. Let me know if interested...
--- o ---
Chief Information Security Officer
Medical University of South Carolina
-------------- next part --------------
Usage: radius-audit.pl [OPTION]...
Description: Audit RADIUS server log database
-v verbose, report session statistics (octets and packets in/out)
-m impute Start TIME_STAMP from Stop TIME_STAMP and ACCESSSIONTIME if Start record missing
-d CONFIG read dbi params from CONFIG file (default is /usr/local/etc/radius-accounting.conf)
-u USER filter on USERNAME field
-c CONNTYPE filter on CONNTYPE field (ppp,vpn,wlan)
-n NASIP filter on NASIPADDRESS field (probably useful only in wlan context)
-i FRAMEDIP filter on FRAMEDIPADDRESS field (local IP address assigned to client by NAS device)
-s STATION filter on CALLINGSTATIONID field (Caller ID)
-e CLIENTIP filter on TUNNELCLIENTENDPOINT field (tunneled IP address of remote vpn client)
Time-range and point-in-time filter options (use no more than one of these at a time):
-D NDAYS report only on any log records created since midnight NDAYS days ago
-T TIME match only session(s) that were active at TIME (any reasonable date/time format)
radius-audit.pl -m -u gadsden -c ppp -D7
radius-audit.pl -i 18.104.22.168 -T'21 Oct 03 20:15:51'
radius-audit.pl -c vpn -T'now'
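The (IP, date, time) -> user lookup described above, including the -m trick of reconstructing a missing Start record from the Stop record's timestamp and Acct-Session-Time, as an added example in Python. This is not the author's radius-audit.pl; the record field names and the sample data are constructed assumptions standing in for columns read from the accounting database.

```python
"""Added example: answer "who held this IP at this time?" from RFC 2866
accounting records. Not the radius-audit.pl script from the post; the dict
field names below are assumptions for a parsed Start/Stop record."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample accounting records (one dict per packet), keyed by
# Acct-Session-Id so Start and Stop can be paired. Session 3 (carol) has
# lost its Start record; session 4 (dave) is still active (no Stop yet).
RECORDS = [
    {"sid": "1", "status": "Start", "user": "alice", "ip": "10.0.0.5", "ts": "2005-04-14 09:00:00", "session_time": 0},
    {"sid": "1", "status": "Stop",  "user": "alice", "ip": "10.0.0.5", "ts": "2005-04-14 10:30:00", "session_time": 5400},
    {"sid": "2", "status": "Start", "user": "bob",   "ip": "10.0.0.5", "ts": "2005-04-14 10:45:00", "session_time": 0},
    {"sid": "2", "status": "Stop",  "user": "bob",   "ip": "10.0.0.5", "ts": "2005-04-14 12:00:00", "session_time": 4500},
    {"sid": "3", "status": "Stop",  "user": "carol", "ip": "10.0.0.7", "ts": "2005-04-14 11:00:00", "session_time": 3600},
    {"sid": "4", "status": "Start", "user": "dave",  "ip": "10.0.0.9", "ts": "2005-04-14 13:00:00", "session_time": 0},
]

def build_sessions(records, impute_start=True):
    """Pair Start/Stop by Acct-Session-Id into (user, ip, start, stop) tuples.

    A Start with no Stop is a still-active session (stop=None). A Stop with
    no Start is reconstructed as stop - Acct-Session-Time when impute_start
    is set (the post's -m option); otherwise it is dropped and counted, so
    the caller knows the answer may be incomplete.
    """
    by_sid = {}
    for r in records:
        by_sid.setdefault(r["sid"], {})[r["status"]] = r
    sessions, dropped = [], 0
    for recs in by_sid.values():
        start, stop = recs.get("Start"), recs.get("Stop")
        stop_ts = datetime.strptime(stop["ts"], FMT) if stop else None
        if start:
            start_ts = datetime.strptime(start["ts"], FMT)
        elif impute_start:
            start_ts = stop_ts - timedelta(seconds=stop["session_time"])
        else:
            dropped += 1
            continue
        rec = stop or start
        sessions.append((rec["user"], rec["ip"], start_ts, stop_ts))
    return sessions, dropped

def who_had_ip(sessions, ip, when):
    """Users whose session held `ip` at `when`; boundaries are inclusive, so
    two names means the NAS and server clocks or record pairing need a look."""
    t = datetime.strptime(when, FMT)
    return sorted(u for u, sip, start, stop in sessions
                  if sip == ip and start <= t and (stop is None or t <= stop))
```

Times are compared as the accounting server recorded them; if the NAS clock drifts from the server clock, the Start/Stop boundaries inherit that skew, which is why a lookup near a session edge deserves a wider -T window than a single second.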