[unisog] Parsing Radius Logs

Richard Gadsden gadsden at musc.edu
Thu Apr 14 17:18:05 GMT 2005

On Thu, 14 Apr 2005, David Bowie wrote:

> I'd like to tap the collective wisdom regarding RADIUS while folks are still 
> thinking about implementation.
> Are there any free/good tools for parsing RADIUS logs with the goal of 
> identifying a specific user when provided an IP, date and time? 
> Traditionally, this has been a manual effort.

Like Peter, I wrote a perl script for parsing our logs, which are read 
from our RADIUS accounting database using perl's DBI interface. Our 
accounting records are generated by a Radiator[1] server, following the 
accounting standards defined in RFC 2866 and friends.

This script weighs in at a rather hefty 296 lines, but it's fairly feature 
rich. A usage statement is attached. The script does (IP,date,time)->user 
translations (2nd example), but it does other interesting things too, such 
as report all dial-up sessions for a particular user in the past few days 
(1st example), show all current vpn sessions (3rd example), etc.

It should be relatively straightforward to adapt this perl script to any 
RADIUS logs that follow RFC 2866. Let me know if interested...

  --- o ---
  Richard Gadsden
  Chief Information Security Officer
  Medical University of South Carolina

[1] <http://www.open.com.au/radiator/technical.html>
-------------- next part --------------
Usage: radius-audit.pl [OPTION]...
Description: Audit RADIUS server log database
  -v           verbose, report session statistics (octets and packets in/out)
  -m           impute Stop TIME_STAMP from Stop TIME_STAMP and ACCESSSIONTIME if Start record missing
  -d CONFIG    read dbi params from CONFIG file (default is /usr/local/etc/radius-accounting.conf)
  -u USER      filter on USERNAME field
  -c CONNTYPE  filter on CONNTYPE field (ppp,vpn,wlan)
  -n NASIP     filter on NASIPADDRESS field (probably useful only in wlan context)
  -i FRAMEDIP  filter on FRAMEDIPADDRESS field (local IP address assigned to client by NAS device)
  -s STATION   filter on CALLINGSTATIONID field (Caller ID)
  -e CLIENTIP  filter on TUNNELCLIENTENDPOINT field (tunneled IP address of remote vpn client)

  Time-range and point-in-time filter options (use no more than one of these at a time):

  -D NDAYS     report only on any log records created since midnight NDAYS days ago
  -T TIME      match only session(s) that were active at TIME (any reasonable date/time format)

  radius-audit.pl -m -u gadsden -c ppp -D7
  radius-audit.pl -i -T'21 Oct 03 20:15:51'
  radius-audit.pl -c vpn -T'now'

More information about the unisog mailing list