<div dir="ltr">I like this, very simple. Please ensure that this ends up in goodies.<div><br></div><div>Thanks,</div><div>Barry</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 5, 2016 at 5:47 AM, Heikki Vatiainen <span dir="ltr"><<a href="mailto:hvn@open.com.au" target="_blank">hvn@open.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2.2.2016 13.14, Karl Gaissmaier wrote:<br>
<br>
> yes, like heka <a href="http://hekad.readthedocs.org" rel="noreferrer" target="_blank">http://hekad.readthedocs.org</a> as forwarding agent and/or<br>
> anomaly processor.<br>
<br>
Interesting, thanks for sharing this.<br>
<br>
> Heka has also a sandboxed Lua interpreter to decode unusual log formats,<br>
> maybe I'll not implement the hook in RADIATOR.<br>
><br>
> Maybe it's really enough to create normal logs and use heka (or similar<br>
> tools)<br>
> to process anomaly detection and forward it to graphite/influxdb.<br>
<br>
Meanwhile, I did a basic Influxdb and Grafana installation to test it a<br>
little. Below is a simple AuthLog FILE format hook that creates an entry<br>
in Influxdb line protocol format and sends it before logging it to a<br>
file. It simply removes some of the characters that need to be quoted in<br>
the line protocol format and creates a new socket for each call. It's<br>
very primitive, but it will do basic logging and is a quick way to<br>
experiment and get something stored in Influxdb and visible in Grafana.<br>
<br>
The entry that gets logged in the authlog file is useful to see how the line<br>
that was sent to Influxdb was formatted.<br>
<br>
# AuthLog in InfluxDB format<br>
sub<br>
{<br>
my ($s, $reason, $p) = @_;<br>
<br>
my $ap = $p->get_attr('NAS-Identifier');<br>
my $client_mac = $p->get_attr('Calling-Station-Id');<br>
my $username = $p->get_attr('User-Name');<br>
<br>
my ($sec, $usec) = Radius::Util::getTimeHires();<br>
# Zero-pad microseconds to six digits so the timestamp is in nanoseconds<br>
my $influxtime = sprintf("%d%06d000", $sec, $usec);<br>
<br>
# Strip space, \ and "<br>
# See Influxdb docs for what/how to quote<br>
$username =~ s/[ \\"]//g;<br>
$reason =~ s/[ \\"]//g;<br>
<br>
my $dp; # InfluxDB line protocol data point<br>
if ($s == $main::ACCEPT)<br>
{<br>
my $key =<br>
"radius,type=accept,ap=$ap,special=$username,special_type=username";<br>
<br>
my $fields = "value=\"$username\"";<br>
$dp = "$key $fields $influxtime";<br>
}<br>
elsif ($s == $main::REJECT)<br>
{<br>
my $key =<br>
"radius,type=rejected,ap=$ap,special=$reason,special_type=reason";<br>
<br>
my $fields = "value=\"$username\",special_val=\"$reason\"";<br>
$dp = "$key $fields $influxtime";<br>
}<br>
<br>
use IO::Socket::INET;<br>
my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1',<br>
PeerPort => '8090',<br>
Proto => 'udp');<br>
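# Skip sending if the socket could not be created or no data point was built<br>
$socket->send($dp . "\n") if $socket && defined $dp;<br>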
return $dp;<br>
}<br>
<br>
Here's the config I used.<br>
<br>
Foreground<br>
LogStdout<br>
LogDir .<br>
DbDir .<br>
Trace 4<br>
<br>
<Client DEFAULT><br>
Secret mysecret<br>
</Client><br>
<br>
<AuthLog FILE><br>
Identifier myauthlogger-influxdb<br>
Filename %L/authlog-influx.txt<br>
LogFormatHook file:"%D/format-influx.pl"<br>
LogSuccess 1<br>
LogFailure 1<br>
</AuthLog><br>
<br>
<Handler><br>
<AuthBy FILE><br>
Filename %D/users<br>
</AuthBy><br>
<br>
AuthLog myauthlogger-influxdb<br>
</Handler><br>
<br>
<br>
--<br>
Heikki Vatiainen <<a href="mailto:hvn@open.com.au">hvn@open.com.au</a>><br>
<br>
Radiator: the most portable, flexible and configurable RADIUS server<br>
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,<br>
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,<br>
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,<br>
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,<br>
NetWare etc.<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><br>Barry Ard <a href="mailto:barry.ard@ualberta.ca" target="_blank">barry.ard@ualberta.ca</a><br><div>IST<br>University of Alberta<br>Edmonton, Alberta Canada</div></div></div>
</div>
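An added example, not part of the original thread or of Radiator: the hook above removes a few characters from User-Name and the reason, but line protocol also treats commas, equals signs and newlines as syntax, and those attribute values arrive in the RADIUS request. The Perl below escapes tag and field values and zero-pads the microseconds; the function names escape_tag, quote_field and influx_point and the sample values are assumptions made for illustration.

```perl
use strict;
use warnings;

# Tag values: drop control characters (a newline would end the point early)
# and backslashes (a trailing one would escape the next separator), then
# backslash-escape comma, equals sign and space.
sub escape_tag {
    my ($v) = @_;
    return unless defined $v;
    $v =~ s/[[:cntrl:]\\]//g;
    $v =~ s/([,= ])/\\$1/g;
    return length($v) ? $v : undef;
}

# String field values: drop control characters, escape backslash and
# double quote, and wrap the result in double quotes.
sub quote_field {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/[[:cntrl:]]//g;
    $v =~ s/([\\"])/\\$1/g;
    return qq{"$v"};
}

# Build one data point. Tags with no value are left out, because the line
# protocol does not accept an empty tag value.
sub influx_point {
    my ($measurement, $tags, $fields, $sec, $usec) = @_;
    my $key = $measurement;
    foreach my $name (sort keys %$tags) {
        my $value = escape_tag($tags->{$name});
        $key .= ",$name=$value" if defined $value;
    }
    my $fieldset = join ',',
        map { "$_=" . quote_field($fields->{$_}) } sort keys %$fields;
    # Zero-pad microseconds so the timestamp is always in nanoseconds
    return sprintf '%s %s %d%06d000', $key, $fieldset, $sec, $usec;
}

# Constructed sample: a User-Name carrying a newline and line protocol syntax,
# and a request with no NAS-Identifier (ap is undefined).
my $username = "bob,type=accept\nradius,type=accept value=\"x\"";
print influx_point('radius',
    { type => 'rejected', ap => undef, special => $username },
    { value => $username },
    1454672820, 4217), "\n";
```

The sample prints a single line: the embedded newline is gone and the commas, equals signs and space in the tag value are escaped, so the request cannot add a second data point or extra tags.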