Example configuration for logstash/elasticsearch
================================================

So you've got all these RADIUS logs, but how do you analyse them? What is the
easiest way to query the logs, find out when a client connected or
disconnected, or view the top ten clients logging into the system over the last
six hours?

The logstash/elasticsearch/kibana stack is designed and built to do just that.
elasticsearch is a search engine; logstash is commonly used to feed data in,
and kibana the web interface to query the logs in near real time.

Installing the ELK stack is beyond the scope of this document, but can be done
in a short amount of time by any competent sysadmin. Then comes getting the
logs in.

This directory contains the following files as a starting point for feeding
RADIUS logs into elasticsearch via logstash.

Files
-----

Please note that all files should be reviewed before use to determine if they
are suitable for your configuration/system.

radius-mapping.sh

  Each elasticsearch index needs a mapping to describe how fields are stored.
  If one is not provided then all is not lost as elasticsearch will build one
  on the fly. However, this may not be optimal, especially for RADIUS data, as
  all fields will be analyzed making some visualisations hard or impossible
  (such as showing top N clients).

  This shell script (which just runs curl) pushes a template mapping into the
  elasticsearch cluster.


radius.conf

  A sample configuration file for logstash that parses RADIUS 'detail' files.
  It processes these by joining each record onto one line, then splitting the
  tab-delimited key-value pairs out.

  The file will need to be edited at least to set the input method: for
  experimentation the given input (stdin) may be used. If logstash is running on
  the RADIUS server then 'file' input may be appropriate, otherwise a different
  input such as log-courier or logstash-forwarder may be better to get the data
  over the network to the logstash server.


Example usage
-------------

Install mapping (only needs to be done once):
$ ./radius-mapping.sh

Feed a detail file in:
$ /path/to/logstash -f radius.conf < acct-detail


See also
--------

elasticsearch web site: http://www.elastic.co/



Matthew Newton
April 2015

