Documentation Center
AlienVault® USM Anywhere™

FreeRADIUS

When you configure FreeRADIUS integration to send log data to USM Anywhere, you can use the FreeRADIUS plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor      FreeRADIUS
Device type        Network access control
Connection type    syslog
Vendor link        http://wiki.freeradius.org/config/Logging

Integrating FreeRADIUS

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To configure FreeRADIUS to send log data over syslog to USM Anywhere

  1. Log into the system hosting FreeRADIUS.
  2. Edit the /etc/freeradius/radius.conf file to match the following:

    logdir = syslog
    log_destination = syslog

    log {
        destination = syslog
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }

  3. Edit the /etc/syslog.conf file to match the following:

    # .=notice logs authentication messages (L_AUTH).
    # <facility_name>.=notice @<IP_address_of_USM_Anywhere_Sensor>

    # .=err logs module errors for FreeRADIUS.
    # <facility_name>.=err @<IP_address_of_USM_Anywhere_Sensor>

    # .* logs messages to the same target.
    # <facility_name>.* @<IP_address_of_USM_Anywhere_Sensor>

    Where:

    facility_name = any facility of your choice, for example, local1

  4. To configure a log option, remove the pound sign (#) from one of the active lines containing an at sign (@).

    The configuration should load automatically.

  5. If the configuration does not load automatically, restart the syslog daemon.

    The method to restart the daemon depends on the distribution in use:

    OS Distribution    Daemon Restart Command
    RedHat             service syslog restart
    Debian/Ubuntu      /etc/init.d/syslog restart
    FreeBSD            /etc/rc.d/syslogd restart
  6. Add the following options to the FreeRADIUS startup script:

    -l syslog

    -g <facility_name>

  7. Restart FreeRADIUS.
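
The following script is an added example, not part of the vendor documentation. It checks the two files edited in steps 2 through 4: that the log block matches the settings shown (including auth_badpass and auth_goodpass set to no, which keeps passwords out of the forwarded log) and that an uncommented forwarding rule for the chosen facility points at the sensor. The function names and the command-line argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: offline check of the files edited in the procedure above.
# File paths, facility name and sensor IP are supplied by the caller.

# Print the value of KEY inside the log { ... } block of the FreeRADIUS config.
log_setting() {  # usage: log_setting <conf_file> <key>
    awk -v key="$2" '
        /^[ \t]*#/              { next }              # skip comment lines
        /^[ \t]*log[ \t]*[{]/   { inlog = 1; next }   # entering the log block
        inlog && /^[ \t]*[}]/   { inlog = 0 }         # leaving the log block
        inlog {
            line = $0; sub(/#.*/, "", line)           # drop trailing comments
            n = split(line, kv, "=")
            k = kv[1]; v = kv[2]
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (n == 2 && k == key) { print v; exit }
        }' "$1"
}

# Succeed only when the log block matches the settings shown in step 2.
check_radius_log() {  # usage: check_radius_log <conf_file>
    rc=0
    for want in destination=syslog auth=yes auth_badpass=no auth_goodpass=no; do
        key=${want%%=*}; val=${want#*=}
        got=$(log_setting "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$val'" >&2
            rc=1
        fi
    done
    return $rc
}

# Succeed when an uncommented rule forwards FACILITY to the sensor (steps 3-4).
check_syslog_forward() {  # usage: check_syslog_forward <syslog_conf> <facility> <sensor_ip>
    awk -v fac="$2" -v dest="@$3" '
        /^[ \t]*#/ { next }                           # rule is still commented out
        $2 == dest && index($1, fac ".") == 1 { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Run both checks when called as: <radius_conf> <syslog_conf> <facility> <sensor_ip>
if [ $# -eq 4 ]; then
    check_radius_log "$1" && check_syslog_forward "$2" "$3" "$4" && echo "OK"
fi
```

The forwarding check only recognizes a rule whose selector starts with the facility name, as in the lines shown in step 3.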

Plugin Enablement

The FreeRADIUS plugin automatically processes all messages whose syslog tag matches the value radiusd.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • audit_reason

  • customfield_0

  • customfield_1

  • customfield_2

  • customfield_4

  • customheader_0

  • customheader_1

  • customheader_2

  • customheader_4

  • event_description

  • event_name

  • event_outcome

  • file_name

  • highlight_fields

  • plugin_device

  • plugin_rule

  • rep_device_hostname

  • source_address

  • source_hostname

  • source_mac

  • source_port

  • source_username

  • source_vhost

  • transient

  • transport_protocol

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://wiki.freeradius.org/guide/Troubleshooting