[unisog] Parsing Radius Logs

Chris Crowley ccrowley at tulane.edu
Thu Apr 14 18:34:05 GMT 2005


Richard -

I would like a copy of this script if you are willing to share it.

Thank you in advance.

Chris Crowley

Richard Gadsden wrote:
> On Thu, 14 Apr 2005, David Bowie wrote:
> 
>> I'd like to tap the collective wisdom regarding RADIUS while folks are
>> still thinking about implementation.
>>
>> Are there any free/good tools for parsing RADIUS logs with the goal of
>> identifying a specific user when provided an IP, date and time?
>> Traditionally, this has been a manual effort.
> 
> 
> Like Peter, I wrote a perl script for parsing our logs, which are read
> from our RADIUS accounting database using perl's DBI interface. Our
> accounting records are generated by a Radiator[1] server, following the
> accounting standards defined in RFC 2866 and friends.
> 
> This script weighs in at a rather hefty 296 lines, but it's fairly
> feature rich. A usage statement is attached. The script does
> (IP,date,time)->user translations (2nd example), but it does other
> interesting things too, such as report all dial-up sessions for a
> particular user in the past few days (1st example), show all current vpn
> sessions (3rd example), etc.
> 
> It should be relatively straightforward to adapt this perl script to any
> RADIUS logs that follow RFC 2866. Let me know if interested...
> 
>  --- o ---
>  Richard Gadsden
>  Chief Information Security Officer
>  Medical University of South Carolina
> 
> [1] <http://www.open.com.au/radiator/technical.html>
> 
> 
> ------------------------------------------------------------------------
> 
> Usage: radius-audit.pl [OPTION]...
> Description: Audit RADIUS server log database
> Options:
>   -v           verbose, report session statistics (octets and packets in/out)
>   -m           impute Stop TIME_STAMP from Stop TIME_STAMP and ACCESSSIONTIME if Start record missing
>   -d CONFIG    read dbi params from CONFIG file (default is /usr/local/etc/radius-accounting.conf)
>   -u USER      filter on USERNAME field
>   -c CONNTYPE  filter on CONNTYPE field (ppp,vpn,wlan)
>   -n NASIP     filter on NASIPADDRESS field (probably useful only in wlan context)
>   -i FRAMEDIP  filter on FRAMEDIPADDRESS field (local IP address assigned to client by NAS device)
>   -s STATION   filter on CALLINGSTATIONID field (Caller ID)
>   -e CLIENTIP  filter on TUNNELCLIENTENDPOINT field (tunneled IP address of remote vpn client)
> 
>   Time-range and point-in-time filter options (use no more than one of these at a time):
> 
>   -D NDAYS     report only on any log records created since midnight NDAYS days ago
>   -T TIME      match only session(s) that were active at TIME (any reasonable date/time format)
> 
> Examples:
>   radius-audit.pl -m -u gadsden -c ppp -D7
>   radius-audit.pl -i 128.23.10.99 -T'21 Oct 03 20:15:51'
>   radius-audit.pl -c vpn -T'now'
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

-- 
Christopher Crowley
ccrowley at tulane.edu
(504) 314-2535
Network Administrator
Technology Services
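As an added example (not Richard's Perl script, which is not on the page), here is a Python version of the (IP, date, time) -> user lookup over RFC 2866 style accounting records, including the "-m" idea of imputing a missing Start time from the Stop timestamp and Acct-Session-Time. The key=value line format, the record set and the function names are all constructed assumptions, not Radiator's own output.

```python
from datetime import datetime, timedelta

# Constructed sample accounting records (not data from the thread), one
# RFC 2866 accounting request per line, as space-separated key=value pairs.
# Session b2 deliberately has a Stop record but no Start record.
SAMPLE_LOG = """\
Timestamp=2005-04-14T08:00:00 Acct-Status-Type=Start Acct-Session-Id=a1 User-Name=alice Framed-IP-Address=128.23.10.99 NAS-IP-Address=10.0.0.1
Timestamp=2005-04-14T09:30:00 Acct-Status-Type=Stop Acct-Session-Id=a1 User-Name=alice Framed-IP-Address=128.23.10.99 NAS-IP-Address=10.0.0.1 Acct-Session-Time=5400
Timestamp=2005-04-14T12:15:00 Acct-Status-Type=Stop Acct-Session-Id=b2 User-Name=bob Framed-IP-Address=128.23.10.99 NAS-IP-Address=10.0.0.1 Acct-Session-Time=3600
Timestamp=2005-04-14T13:00:00 Acct-Status-Type=Start Acct-Session-Id=c3 User-Name=carol Framed-IP-Address=128.23.10.50 NAS-IP-Address=10.0.0.1
"""


def parse_records(text):
    """Turn each non-empty log line into a dict of attribute -> value."""
    return [dict(field.split("=", 1) for field in line.split())
            for line in text.splitlines() if line.strip()]


def build_sessions(records, impute_start=False):
    """Pair Start/Stop records into sessions keyed by (NAS IP, session id).

    Acct-Session-Id is only unique per NAS (RFC 2866), so the NAS address is
    part of the key. With impute_start, a Stop with no matching Start gets
    start = stop - Acct-Session-Time, mirroring the script's -m option.
    """
    sessions = {}
    for r in records:
        key = (r["NAS-IP-Address"], r["Acct-Session-Id"])
        s = sessions.setdefault(key, {"user": r["User-Name"], "ip": r["Framed-IP-Address"],
                                      "start": None, "stop": None, "secs": None})
        when = datetime.fromisoformat(r["Timestamp"])
        if r["Acct-Status-Type"] == "Start":
            s["start"] = when
        elif r["Acct-Status-Type"] == "Stop":
            s["stop"] = when
            s["secs"] = int(r.get("Acct-Session-Time", 0))
    if impute_start:
        for s in sessions.values():
            if s["start"] is None and s["stop"] is not None:
                s["start"] = s["stop"] - timedelta(seconds=s["secs"])
    return list(sessions.values())


def users_at(sessions, ip, when):
    """Usernames whose session held `ip` at `when`; open sessions count as active."""
    return sorted(s["user"] for s in sessions
                  if s["ip"] == ip and s["start"] is not None and s["start"] <= when
                  and (s["stop"] is None or when <= s["stop"]))


def lookup(ip, when_iso, impute_start=False, log=SAMPLE_LOG):
    """Convenience wrapper: (IP, timestamp) -> list of users, as in the 2nd example."""
    return users_at(build_sessions(parse_records(log), impute_start), ip, datetime.fromisoformat(when_iso))
```

Without imputation the lookup for 128.23.10.99 at 11:30 returns nothing because bob's session only has a Stop record; with it, the reconstructed 11:15 start makes the match. A result with more than one name means the NAS reused the address within the accounting clock's resolution, which is worth flagging rather than silently picking one.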