Reporting
You are often asked when or where a user last logged in. You can get that from the RADIUS log file, or by implementing something like the Elastic Stack.
Local Log
You can create a quick script to check for user IDs and MAC addresses in the local log files.
vi search-netid
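#!/bin/bash
# Usage: search-netid <user-id>
# Prints the MAC addresses (lower case, colon separated) seen on "Login OK" lines that contain the search string.
[ -n "$1" ] || { echo "enter search user ID"; exit 1; }
ID=$1
echo "Recent Logins: "
# -F treats the search string literally; -- stops it from being read as a grep option
grep ") Login OK" /var/log/freeradius/radius.log /var/log/freeradius/radius.log.1 | grep -F -- "$ID" | sed 's/.*cli \(.*\)).*/\1/' | sort | uniq | tr '-' ':' | tr '[:upper:]' '[:lower:]'
echo
echo "Older Logins: "
zgrep ") Login OK" /var/log/freeradius/radius.log*.gz | grep -F -- "$ID" | sed 's/.*cli \(.*\)).*/\1/' | sort | uniq | tr '-' ':' | tr '[:upper:]' '[:lower:]'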
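The search script above matches the ID anywhere in the line, so a search for jdoe also returns logins by jdoe2, and it does not say when or from which access point each MAC was last seen. The following is an added example, not part of the original page: it matches the user ID exactly and prints the last successful login time and RADIUS client per MAC. The function names, the sample lines and the assumed log line layout (modeled on what the Filebeat tokenizer later on this page expects) are constructed for illustration.

```shell
#!/bin/bash
# Added example: last successful login per MAC for one user ID.
# Assumed line layout (constructed, modeled on the page's dissect tokenizer):
#   <timestamp> : Auth: (<n>) Login OK: [<user>/<via ...>] (from client <nas> port <p> cli <MAC>)

last_logins() {
    # The ID is passed through the environment: awk -v would rewrite backslashes (DOMAIN\user).
    RID="$1" awk '
        index($0, ") Login OK") == 0 { next }      # skip failures and other messages
        {
            # user: text between the first "[" and the following "/", compared exactly
            s = index($0, "["); if (s == 0) next
            rest = substr($0, s + 1)
            e = index(rest, "/"); if (e == 0) next
            if (substr(rest, 1, e - 1) != ENVIRON["RID"]) next

            # timestamp: everything before the first " : "
            t = index($0, " : "); if (t == 0) next
            ts = substr($0, 1, t - 1)

            # RADIUS client (access point or controller) and calling station MAC
            if (!match($0, /\(from client [^ ]+ /)) next
            nas = substr($0, RSTART + 13, RLENGTH - 14)
            if (!match($0, /cli [0-9A-Fa-f:.-]+/)) next
            mac = tolower(substr($0, RSTART + 4, RLENGTH - 4))
            gsub(/-/, ":", mac)

            last[mac] = ts "  " nas                # later lines overwrite earlier ones
        }
        END { for (m in last) print m "  " last[m] }
    ' | sort
}

# Constructed sample lines (not real log data)
sample_log() {
cat <<'EOF'
Tue Apr 14 09:02:11 2020 : Auth: (101) Login OK: [jdoe/<via Auth-Type = eap>] (from client ap-lib-1 port 0 cli AA-BB-CC-11-22-33)
Tue Apr 14 09:05:40 2020 : Auth: (102) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe/<via Auth-Type = eap>] (from client ap-lib-1 port 0 cli DE-AD-BE-EF-00-01)
Tue Apr 14 10:30:05 2020 : Auth: (103) Login OK: [jdoe2/<via Auth-Type = eap>] (from client ap-gym-2 port 0 cli 0A-0B-0C-0D-0E-0F)
Tue Apr 14 13:47:59 2020 : Auth: (104) Login OK: [jdoe/<via Auth-Type = eap>] (from client ap-gym-2 port 0 cli AA-BB-CC-11-22-33)
Tue Apr 14 14:01:00 2020 : Auth: (105) Login OK: [jdoe/<via Auth-Type = eap>] (from client ap-lib-1 port 0 cli 00-11-22-33-44-55)
EOF
}

sample_log | last_logins jdoe
```

Against real logs, feed the files oldest first so the newest entry wins, for example by piping radius.log.1 followed by radius.log into last_logins.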
Elastic Integration
Update as needed for modern versions of Elastic.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-amd64.deb
sudo apt install ./filebeat-7.6.2-amd64.deb
sudo vi /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  paths:
    - /var/log/freeradius/radius.log
  include_lines: ['\) Login OK','incorrect']
  tags: ["radius"]
  processors:
    - drop_event:
        when:
          contains:
            message: "previously"
    - if:
        contains:
          message: "Login OK"
      then:
        - dissect:
            tokenizer: "%{key1} [%{source.user.id}/%{key3}cli %{source.mac})"
            target_prefix: ""
        - drop_fields:
            fields: ["key1","key3"]
        - script:
            lang: javascript
            source: >
              function process(event) {
                  var mac = event.Get("source.mac");
                  if(mac != null) {
                      mac = mac.toLowerCase();
                      mac = mac.replace(/-/g,":");
                      event.Put("source.mac", mac);
                  }
              }
      else:
        - dissect:
            tokenizer: "%{key1} [%{source.user.id}/<via %{key3}"
            target_prefix: ""
        - drop_fields:
            fields: ["key1","key3"]

output.elasticsearch:
  hosts: ["http://some.server:9200"]
  allow_older_versions: true

setup.ilm.enabled: false

#output.file:
#  path: "/tmp/filebeat"
#  filename: filebeat
#  rotate_every_kb: 10000
#  number_of_files: 7
#  permissions: 0600