I know very little about logs, and how to sort/filter or anything like that. I have graylog setup and my UDMP dumps or forwards logs to it, I have input setup, pushed into a stream and all that - I can search the logs for the user that logs in, the connection being established, l2tp that type of thing…
I need someway to pull connection/disconnect and length of connection if that’s possible?
Some example messages
udm-1.12.22.4309 charon: 06[IKE] IKE_SA lns-l2tp-server[20] established between x.x.185.124[x.1x.185.124]…x.x.149.73[192.168.2.240]
(this is from the radius on the UDMP, when I go live this will be coming from NPS instead)
message
4105ace6e6d5,udm-1.12.22.4309 radiusd[2170]: (1) Login OK: [user] (from client client-client-600ee7ac4cc298050bffb2e8 port 100000
When I use Teleport it shows when a user connects/disconnects - but I still need a way to format that data into something to show metrics or something along those lines. (I won’t be using teleport for my users as we have utilize MFA)
4105ace6e6d5,udm-1.12.22.4309 ubios-udapi-server: res-vpn-teleport: Starting Teleport daemon
4105ace6e6d5,udm-1.12.22.4309 ubios-udapi-server: res-vpn-teleport: Stopping Teleport daemon
I’m unfamiliar with Unifi dream machine. After reading this post you may want to create a field and dump the data you need in there. You can do this with a Pipeline/Extractor or by using a different INPUT such as GELF.
FYI, when posting logs/configuration and/or command please use the markdown in the test box. This helps others help you. For more information on this you can find it here.
I have several GROC pattern extractors entered in my input - how does it use those to apply them? or how do you use them - is automatic? I assume it is.
As far as GELF - right now I’m set to syslog UDP, if I change it from that to GELF UDP is there anything else I need to do other than that?
I need to see when a user connects - and the length of time they stay connected .
inside ssh if I run ipsec statusall below is what I see (I hope I did it right this time) I’m assuming this information is written to the syslog
looking at the system logs - I’m guessing here on which is connect/disconnect
Somehow I need to turn these into metrics or something of that nature to show what I need, a spreadsheet, table, something
4105ace6e6d5,udm-1.12.22.4309 charon: 07[IKE] IKE_SA lns-l2tp-server[3] established between x.x.x.x[x.x.x.x]...x.x.x.x[192.168.2.240]
4105ace6e6d5,udm-1.12.22.4309 charon: 16[IKE] deleting IKE_SA lns-l2tp-server[1] between x.x.x.x[x.x.x.x]...x.x.x.x[192.168.2.240]
4105ace6e6d5,udm-1.12.22.4309 charon: 16[IKE] closing CHILD_SA lns-l2tp-server{1} with SPIs cac588c9_i (22399477 bytes) 8e9c8f56_o (83504173 bytes) and TS x.x.x.x/32[udp/1701] === x.x.x.x/32[udp/1701]
Question does that message arrive like that and is it all under message field? Or does it come in as single log lines?
I’m not sure, I do know you can create specific fields for IP address and ports either using Extractors or Pipelines. Once the fields are created you should be able create a widget or alert s from there.
I think I finally have a better answer for you - I need to extract 4 fields from the established/deleting tunnel messages I posted earlier.
I need date, time, (established/deleting) for connect/dc, and source address.
I believe these are the two entries I’m looking for - I’m trying to verify that currently
4105ace6e6d5,udm-1.12.22.4309 charon: 07[IKE] IKE_SA lns-l2tp-server[3] established between x.x.x.x[x.x.x.x]...x.x.x.x[192.168.2.240]
4105ace6e6d5,udm-1.12.22.4309 charon: 16[IKE] deleting IKE_SA lns-l2tp-server[1] between x.x.x.x[x.x.x.x]...x.x.x.x[192.168.2.240]
Using the pipeline I create above, sent few messages to Graylog for testing. When the pipeline is working as expected, you can remove the debug() configuration.
That’s absolutely wonderful - we’re getting somewhere here! Took me a bit to figure out how to add it, and then get it to show up as a widget or what I did was add from sources|fields (on left menu) then select VPN_Status that you made there - which now that I went back and deleted it, that is in fact a widget but mine looks way different than yours.
I started to write another pipeline when I realized - if you have set field - message - my brain is running in circles trying to make this work.
How do I associate the timestamp with each of those events? And then the 2nd ip listed 10.10.10.5 as the source address (the device connecting to the VPN)
So essentially this ip connected/disconnected at this time so somehow from there I can extrapolate how long they were connect - what a mess
4105ace6e6d5,udm-1.12.22.4309 charon: 15[IKE] IKE_SA lns-l2tp-server[130] established between 54.182.181.136[54.182.181.136]...10.10.10.5[192.168.8.137]
and thank you a ton! This is very helpful, and I really appreciate you assisting me (holding my hand basically here)
What you need if the fields. Or create a Lookup tables and attach it to INPUT.
From what I do not see is a timestamp in those message, Bad but Elasticsearch puts a timestamp on it for you when it indices them. You could use that field.
My best advice would be try it out, if it does not work Post it here what you have tried ( screenshots, Commands, etc…), so we can see what you did and give suggestions to help you. I think I gave you a running start. To be honest this forum does hold a lot a solutions.
Graylog does have a Event Correlation but its a paid version.
Actual this remind me, someone post here… They have a VPN dashboard.
well - good news… I’m getting somewhere after hours of banging my head on the desk! First I wrote a pipeline to add a new corrected time. Then I started thinking about what you said about the time being applied to the message and realized the timezone must be off elsewhere - so I changed the host OS timezone to CST instead of UTC.
I didn’t realize that fixed it, so I applied the pipeline, which - worked after a little trial and error… then I realized I don’t even need it as I have the time and the field I need. At least I learned some on creating these… still a ways to go yet though!
how were you able to input my log message and apply the pipeline you created? My server is down that I normally work off of - I have another up, I have my pipeline, and the log message but not sure how to test it against it until the other server is back up unless I can input both?
On my Graylog Docker i used Nxlog
1.Create a file in /var/log called (test.log)
2.Create a input on nxlog configuration file.
<Input old_log_file>
Module im_file
File "/var/log/text.log"
SavePos TRUE //This saves the Posistion after NXLOg restarts or starts. Set to FALSE to scan all of the Log file. When done sending set it back if need be.
ReadFromLast TRUE //If ReadFromLast is FALSE, the module will read all logs from the file. .
PollInterval 1
</Input>
3.Save & Exit
4.In the text file copy and paste logs.
I’m very excited - your pipeline helped me get going on this but I completely changed how that was done in the end. At first I was going to create separate rules to process each thing, but after researching and learning more about extracting this data I realized I could do it all in 1 go, so I created a grok pattern to extract all of it.
Once I did that I even added Geo IP location to my pipeline, I have all the data I needed extracted. Now to figure out how to put that in some sort of report… 1 step at a time, but I’m getting there!
