Hi team,
I am sending FreeRADIUS accounting logs to Graylog.
The format is like this:
Apr 24 10:57:09 auth1 radius-act: User-Name = "test@test.com"
Apr 24 10:57:09 auth1 radius-act: Framed-Protocol = PPP
Apr 24 10:57:09 auth1 radius-act: Delegated-IPv6-Prefix = 2401:7840:200:e400::/56
Apr 24 10:57:09 auth1 radius-act: Framed-Interface-Id = 0:0:0:5a
Apr 24 10:57:09 auth1 radius-act: Acct-Authentic = RADIUS
Apr 24 10:57:09 auth1 radius-act: ERX-Dhcp-Mac-Addr = "0007.721f.5d4b"
Apr 24 10:57:09 auth1 radius-act: NAS-Port = 18509
Apr 24 10:57:09 auth1 radius-act: NAS-Port-Type = Ethernet
Apr 24 10:57:09 auth1 radius-act: ERX-Output-Gigapkts = 0
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Octets = 76
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Octets = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Packets = 1
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Packets = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: Actual-Data-Rate-Upstream = 1053
Apr 24 10:57:09 auth1 radius-act: Actual-Data-Rate-Downstream = 9756
Apr 24 10:57:09 auth1 radius-act: ERX-DownStream-Calc-Rate = 9756
Apr 24 10:57:09 auth1 radius-act: ERX-UpStream-Calc-Rate = 1053
Apr 24 10:57:09 auth1 radius-act: NAS-IP-Address = 172.30.7.43
Apr 24 10:57:09 auth1 radius-act: Tmp-String-9 = "ai:"
Apr 24 10:57:09 auth1 radius-act: Acct-Unique-Session-Id = "4e7e2e31e0a7a14de981db60ef1a861c"
Apr 24 10:57:09 auth1 radius-act: Timestamp = 1524524224
Apr 24 10:57:09 auth1 radius-act: Tue Apr 24 10:57:04 2018
Apr 24 10:57:09 auth1 radius-act: Acct-Status-Type = Interim-Update
Apr 24 10:57:09 auth1 radius-act: Acct-Session-Id = "21966"
Apr 24 10:57:09 auth1 radius-act: Acct-Input-Octets = 573510893
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Octets = 1475263766
Apr 24 10:57:09 auth1 radius-act: Acct-Session-Time = 237244
Apr 24 10:57:09 auth1 radius-act: Acct-Input-Packets = 3592796
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Packets = 8176405
Apr 24 10:57:09 auth1 radius-act: Acct-Delay-Time = 0
Apr 24 10:57:09 auth1 radius-act: ERX-Dhcp-Mac-Addr = "8447.651b.9774"
Apr 24 10:57:09 auth1 radius-act: ERX-Input-Gigapkts = 0
Apr 24 10:57:09 auth1 radius-act: Acct-Input-Gigawords = 0
Apr 24 10:57:09 auth1 radius-act: NAS-Port = 4095
Apr 24 10:57:09 auth1 radius-act: NAS-Port-Type = Ethernet
Apr 24 10:57:09 auth1 radius-act: ERX-Output-Gigapkts = 0
Apr 24 10:57:09 auth1 radius-act: Acct-Output-Gigawords = 2
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Input-Octets = 173056073
Apr 24 10:57:09 auth1 radius-act: ERX-IPv6-Acct-Output-Octets = 1301313462
Apr 24 10:57:09 auth1 radius-act: Timestamp = 1524524224
The problem is I see this separated into lines, so there are around 20-30 lines for one user’s log after every couple of minutes. I don’t have a way to search because everything is mixed up. Currently I am using the Syslog UDP input. Is there any way I can combine them for easy search?
Thanks
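
One way to regroup these lines before searching them, as an added example that is not part of the original post and not a Graylog feature. It assumes each accounting record ends at its `Timestamp` attribute and that a bare date line opens the next one, as in the sample above; `group_records`, `LINE`, `ATTR` and the `_header` key are names chosen for this example.

```python
import re

# Syslog prefix as shown in the post: "<date> <host> radius-act: <payload>"
LINE = re.compile(r'^\w{3}\s+\d+ [\d:]{8} \S+ radius-act: (.*)$')
ATTR = re.compile(r'^([\w-]+) = (.*)$')

def group_records(lines):
    """Fold one-attribute-per-line messages into one dict per accounting record.
    Assumption: a payload that is not "Attr = value" (the date header) opens a
    record and the "Timestamp" attribute closes it, as in the sample in the post.
    """
    records, current = [], {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a radius-act line
        payload = m.group(1).strip()
        a = ATTR.match(payload)
        if not a:
            if current:  # previous record never saw its Timestamp (e.g. UDP loss)
                records.append(current)
            current = {"_header": payload}
            continue
        name, value = a.group(1), a.group(2).strip('"')
        if name in current:  # repeated attribute: keep every value
            prev = current[name]
            current[name] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            current[name] = value
        if name == "Timestamp":
            records.append(current)
            current = {}
    if current:
        records.append(current)  # trailing partial record
    return records

# Constructed sample, shortened from the lines in the post.
SAMPLE = """\
Apr 24 10:57:09 auth1 radius-act: User-Name = "test@test.com"
Apr 24 10:57:09 auth1 radius-act: Timestamp = 1524524224
Apr 24 10:57:09 auth1 radius-act: Tue Apr 24 10:57:04 2018
Apr 24 10:57:09 auth1 radius-act: Acct-Status-Type = Interim-Update
Apr 24 10:57:09 auth1 radius-act: Acct-Session-Id = "21966"
Apr 24 10:57:09 auth1 radius-act: Timestamp = 1524524224
""".splitlines()

if __name__ == "__main__":
    for rec in group_records(SAMPLE):
        print(rec)
```

Each returned dict can then be shipped as a single structured message, so one search hit carries the user name, session ID and counters together.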