Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

How to collect RADIUS Accounting messages over UDP?
Is there a combination of inputs and extensions that can be used to collect RADIUS accounting messages via UDP listener?

We use Microsoft NPS today, but could benefit from the forking and advanced parsing of NXLog.   We send RADIUS accounting messages from multiple network devices and the differences in data layout are bit too much for NPS.

Replies: 5
View post »

I'm currently using nxlog to forward RADIUS messages via syslog to my firewall. However, it has recently started complaining that the packets are too big, and so fragmentation is occurring which it doesn't like. 

The temporary fix was to force the packets to cut at 1450 bytes, and this is my current config: 

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\
SpoolDir  %ROOT%\data

<Extension _xml>
    Module      xm_xml

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

<Extension _exec>
    Module      xm_exec

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);

    # Rotate our log file every week on Sunday at midnight
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);

<Input NPS>
    Module          im_file
    File "C:\Windows\System32\LogFiles\IN*.log"
    InputType LineBased
    SavePos TRUE    
    ReadFromLast TRUE


    # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<Event>/ drop();

    # Filter to only events containing all required data (type, username and ip)
    if $raw_event !~ /(Type\sdata_type="0">)(\d{1,2})(<\/Acct)(.+)(Name\sdata_type="1">)([a-zA-Z0-9\$\._-]{3,15})(.*)(<\/User)(.+)(Address\sdata_type="3">)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(<\/Framed)/ drop ();

    # Truncates event to 1400 bytes due to MTU limits
    $raw_event = substr($raw_event, 0, 1450);

    # Reduces event string to just required data (type, username and ip)

    # Parse xml


<Output Firewall>
    Module      om_udp
    # Put your Firewal Management interface IP address
    # Don't change port or protocol (should be UDP 514 or TCP 6514)
    Port        514

<Output SyslogServer>
    # Put your Syslog Server IP address and port
    # Allows monitoring of messages being sent to firewall
    Module      om_udp
    Port        514

<Route 1>
    Path        NPS => Firewall

<Route 2>
    Path        NPS => SyslogServer

However, I'd prefer a neater solution, rather than just chopping the end off the packet. The only parts of the packet I'm interested in forwarding are:

Event Regex: <Acct-Status-Type\sdata_type="0">1<\/Acct-Status-Type>{1}
Username Regex: <User-Name\sdata_type="1">([a-zA-Z0-9\\\._\-]+)<\/User-Name>
Address Regex: <Framed-IP-Address\sdata_type="3">([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})<\/Framed-IP-Address>

Is there a way to extract just those bits and parse that to the output? 

Apologies if it's obvious, but I don't really understand how nxlog works! Give me powershell and I'm happy.... 


Replies: 1
View post »