Input formats issue?


(JEHANZAIB YOUNIS) #1

Hi team,
I am sending FreeRADIUS accounting logs to Graylog.
The format is like this:

Apr 24 10:57:09 auth1 radius-act: User-Name = "test@test.com"
Apr 24 10:57:09 auth1 radius-act: Framed-Protocol = PPP
Apr 24 10:57:09 auth1 radius-act: Delegated-IPv6-Prefix = 2401:7840:200:e400::/56
Apr 24 10:57:09 auth1 radius-act: Framed-Interface-Id = 0:0:0:5a
Apr 24 10:57:09 auth1 radius-act: Acct-Authentic = RADIUS
Apr 24 10:57:09 auth1 radius-act: ERX-Dhcp-Mac-Addr = "0007.721f.5d4b"
Apr 24 10:57:09 auth1 radius-act: NAS-Port = 18509
Apr 24 10:57:09 auth1 radius-act: NAS-Port-Type = Ethernet
Apr 24 10:57:09 auth1 radius-act: ERX-Output-Gigapkts = 0
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Octets = 76
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Octets = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Packets = 1
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Packets = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: Actual-Data-Rate-Upstream = 1053
Apr 24 10:57:09 auth1 radius-act: Actual-Data-Rate-Downstream = 9756
Apr 24 10:57:09 auth1 radius-act: ERX-DownStream-Calc-Rate = 9756
Apr 24 10:57:09 auth1 radius-act: ERX-UpStream-Calc-Rate = 1053
Apr 24 10:57:09 auth1 radius-act: NAS-IP-Address = 172.30.7.43
Apr 24 10:57:09 auth1 radius-act: Tmp-String-9 = "ai:"
Apr 24 10:57:09 auth1 radius-act: Acct-Unique-Session-Id = "4e7e2e31e0a7a14de981db60ef1a861c"
Apr 24 10:57:09 auth1 radius-act: Timestamp = 1524524224
Apr 24 10:57:09 auth1 radius-act: Tue Apr 24 10:57:04 2018
Apr 24 10:57:09 auth1 radius-act: Acct-Status-Type = Interim-Update
Apr 24 10:57:09 auth1 radius-act: Acct-Session-Id = "21966"
Apr 24 10:57:09 auth1 radius-act: Acct-Input-Octets = 573510893
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Octets = 1475263766
Apr 24 10:57:09 auth1 radius-act: Acct-Session-Time = 237244
Apr 24 10:57:09 auth1 radius-act: Acct-Input-Packets = 3592796
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Packets = 8176405
Apr 24 10:57:09 auth1 radius-act: Acct-Delay-Time = 0
Apr 24 10:57:09 auth1 radius-act: ERX-Dhcp-Mac-Addr = "8447.651b.9774"
Apr 24 10:57:09 auth1 radius-act: ERX-Input-Gigapkts = 0
Apr 24 10:57:09 auth1 radius-act: Acct-Input-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: NAS-Port = 4095
Apr 24 10:57:09 auth1 radius-act: NAS-Port-Type = Ethernet
Apr 24 10:57:09 auth1 radius-act: ERX-Output-Gigapkts = 0
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Gigawords = 2
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Octets = 173056073
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Octets = 1301313462
Apr 24 10:57:09 auth1 radius-act: Timestamp = 1524524224

The problem is that I see this separated into lines, so there are around 20-30 lines for one user's log every couple of minutes. I don't have a way to search because everything is mixed up. Currently I am using the Syslog UDP input. Is there any way I can combine them for easy search?

Thanks


(JEHANZAIB YOUNIS) #2

I have just found this. I think this will do the job, but I don't know how to add it as an input.
https://raw.githubusercontent.com/jothoma1/graylog-contentpack-freeradius/master/content_pack.json


(JEHANZAIB YOUNIS) #3

OK, that pack did not help.
Now I need to find a way to create a custom input or something like that.
Can anyone guide me, please?


(Jochen) #4

If there’s a clear marker for the beginning and end of such a log message, you could use the Logstash multiline codec or Filebeat to combine these lines into a single log message.
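
Added example, not part of the original thread and not Logstash or Filebeat configuration: a Python sketch of the grouping that such a multiline step performs on these syslog lines, producing one searchable event per accounting record. It assumes each record starts with the bare date line (as in `Tue Apr 24 10:57:04 2018`) and ends with the `Timestamp = ...` line; the sample input is constructed from the lines quoted in post #1, and the function names are hypothetical.

```python
import json
import re

# Constructed sample based on the lines quoted in the thread (shortened).
SAMPLE = """\
Apr 24 10:57:09 auth1 radius-act: Tue Apr 24 10:57:04 2018
Apr 24 10:57:09 auth1 radius-act: Acct-Status-Type = Interim-Update
Apr 24 10:57:09 auth1 radius-act: User-Name = "test@test.com"
Apr 24 10:57:09 auth1 radius-act: Acct-Session-Id = "21966"
Apr 24 10:57:09 auth1 radius-act: Delegated-IPv6-Prefix = 2401:7840:200:e400::/56
Apr 24 10:57:09 auth1 radius-act: Timestamp = 1524524224
Apr 24 10:57:09 auth1 radius-act: Tue Apr 24 10:57:05 2018
Apr 24 10:57:09 auth1 radius-act: Acct-Status-Type = Interim-Update
Apr 24 10:57:09 auth1 radius-act: User-Name = "other@test.com"
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<tag>[^:]+): ?(?P<body>.*)$")
START = re.compile(r"^\w{3} \w{3}\s+\d+ [\d:]{8} \d{4}$")  # assumed start marker
ATTR = re.compile(r"^(?P<key>[\w-]+) = (?P<value>.*)$")

def combine(lines):
    """Yield one dict per accounting record; unfinished records are held back."""
    open_records = {}  # keyed by (host, tag) so different senders don't mix
    for line in lines:
        m = SYSLOG.match(line.rstrip("\n"))
        if not m:
            continue
        src, body = (m["host"], m["tag"]), m["body"].strip()
        if START.match(body):
            open_records[src] = {"source": m["host"], "record_time": body}
            continue
        attr = ATTR.match(body)
        rec = open_records.get(src)
        if rec is None or attr is None:
            continue  # attribute seen before any start marker, or unparseable
        rec[attr["key"]] = attr["value"].strip('"“”')
        if attr["key"] == "Timestamp":  # assumed end marker
            yield open_records.pop(src)

def to_events(text):
    return [json.dumps(r, sort_keys=True) for r in combine(text.splitlines())]

if __name__ == "__main__":
    for event in to_events(SAMPLE):
        print(event)
```

The second record in the sample has no `Timestamp` line yet, so it is held back rather than emitted half-filled; a real shipper would also need a timeout to flush records whose end marker never arrives.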


(JEHANZAIB YOUNIS) #5

Thanks J,

Can you please give me an example? Yes, I have a kind of start and end marker.


(Jochen) #6

There are a few examples on the documentation pages I’ve linked to.

