1
response

Hi,

I'm currently using nxlog to forward RADIUS messages via syslog to my firewall. However, it has recently started complaining that the packets are too big, and so fragmentation is occurring which it doesn't like.

The temporary fix was to force the packets to cut at 1450 bytes, and this is my current config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _xml>
Module xm_xml
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

<Input NPS>
Module im_file
File "C:\Windows\System32\LogFiles\IN*.log"
InputType LineBased
SavePos TRUE
ReadFromLast TRUE

<Exec>

# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<Event>/ drop();

# Filter to only events containing all required data (type, username and ip)
if $raw_event !~ /(Type\sdata_type="0">)(\d{1,2})(<\/Acct)(.+)(Name\sdata_type="1">)([a-zA-Z0-9\$\._-]{3,15})(.*)(<\/User)(.+)(Address\sdata_type="3">)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(<\/Framed)/ drop ();

# Truncates event to 1400 bytes due to MTU limits
$raw_event = substr($raw_event, 0, 1450);

# Reduces event string to just required data (type, username and ip)

# Parse xml
parse_xml();

</Exec>
</Input>

<Output Firewall>
Module om_udp
# Put your Firewal Management interface IP address
# Don't change port or protocol (should be UDP 514 or TCP 6514)
Host 192.168.1.1
Port 514
</Output>

<Output SyslogServer>
# Put your Syslog Server IP address and port
# Allows monitoring of messages being sent to firewall
Module om_udp
Host 192.168.1.10
Port 514
</Output>

<Route 1>
Path NPS => Firewall
</Route>

<Route 2>
Path NPS => SyslogServer
</Route>

However, I'd prefer a neater solution, rather than just chopping the end off the packet. The only parts of the packet I'm interested in forwarding are:

Event Regex: <Acct-Status-Type\sdata_type="0">1<\/Acct-Status-Type>{1}
Username Regex: <User-Name\sdata_type="1">([a-zA-Z0-9\\\._\-]+)<\/User-Name>
Address Regex: <Framed-IP-Address\sdata_type="3">([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})<\/Framed-IP-Address>

Is there a way to extract just those bits and parse that to the output?

Apologies if it's obvious, but I don't really understand how nxlog works! Give me powershell and I'm happy....

Thanks,
Stephen

AskedDecember 8, 2020 - 7:15pm

Answer (1)

Hi Stephen,

NXLog Enterprise Edition is already engaged with some nice Radius functionalities - have you considered trying it? Please, take a look at xm_nps module, as well as at the other stuff present in this version.

Other than that, I don't have an instant solution, although as I see, your is not bad at all. However, I'll be back when I figure something out.

Best regards,
Rafal