radius.grok

# Grok filters for radius logs

# Basic grok filters
RADIUS_USERNAME %{USERNAME:user}(@%{HOSTNAME:realm})?

#### All logs are checked with TravisCI tests. The following logs are checked
### Succesful login
# 1 Login OK: [user@example.com] (from client client.example.com port 12 cli D0-B2-12-B4-F7-BB via TLS tunnel)
# 2 Login OK: [user@example.com] (from client client.example.com port 1 cli D0-B2-12-B4-F7-BB)
# 3 Login OK: [user@example.com] (from client client.example.com port 0 via TLS tunnel)
### Login incorrect
# 4 Login incorrect (Home Server says so): [user@example.com] (from client client.example.com port 2 cli D0-B2-12-B4-F7-BB)
# 5 Login incorrect (  [ldap] User not found): [user@example.com] (from client client.example.com port 9 cli D0-B2-12-B4-F7-BB via TLS tunnel)
# 6 Login incorrect: [user@example.com] (from client client.example.com port 33 cli D0-B2-12-B4-F7-BB via TLS tunnel)
# 7 Login incorrect: [user] (from client client.example.com port 6 cli D0-B2-12-B4-F7-BB)
RADIUS_LOGIN %{DATA:status}( \(%{SPACE}%{DATA:error}\))?: \[%{RADIUS_USERNAME:username}\] \(from client %{DATA:client} port %{NUMBER}( cli %{MAC:mac})?

# 8 Login incorrect: [<no User-Name attribute>] (from client client.example.com port 8102 cli D0-B2-12-B4-F7-BB)
RADIUS_LOGINFAILED_NOUSERNAME %{DATA:status}: \[\<%{DATA:error}\>\] \(from client %{DATA:client} port %{NUMBER} cli %{MAC:mac}

### Other log
# 9 rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
# 10 rlm_radutmp: Logout entry for NAS aps1.osicljutomer port 1 has wrong ID
# 11 rlm_sql_mysql: Starting connect to MySQL server for #9
# 12 rlm_sql (sql): Connected new DB handle, #9
RADIUS_ERROR rlm_%{DATA:module}( %{DATA})?: %{GREEDYDATA:error}

RADIUS (%{RADIUS_LOGIN}|%{RADIUS_LOGINFAILED_NOUSERNAME}|%{RADIUS_ERROR})