Need to relate Radius log entries to DHCP ones


 
# 1  
Old 12-13-2008
Need to relate Radius log entries to DHCP ones

Hi, let's say I have 2 log files (they are below), dhcp and radius. What I need is to put the information into a file just from good connections (Auth: Login OK); others just ignore. And the information should look like: time, login name, mac, ip, server. But the trouble is that from the radius log I get different-looking macs like 001cbf9bb638, 00-1c-bf-9b-b6-38, but in dhcp it always looks like this: 00:48:54:52:3b:bb. The main question would be how can I know if it is a mac address (what command should help) and how can I convert it to dhcp style (00:48:54:52:3b:bb, like this). Thanks for being patient reading this.

RADIUS
Code:
Thu Dec  4 07:24:54 2008 : Auth: Login OK: [kava4186] (from client LINKSYS3 port 0 via TLS tunnel)
Thu Dec  4 07:24:54 2008 : Auth: Login OK: [kava4186] (from client LINKSYS3 port 21 cli 001cbf9bb638)
Thu Dec  4 07:50:52 2008 : Auth: Login OK: [limo5625] (from client LINKSYS3 port 0 via TLS tunnel)
Thu Dec  4 07:50:52 2008 : Auth: Login OK: [limo5625] (from client LINKSYS3 port 12 cli 0013e80a5b5d)
Thu Dec  4 08:00:14 2008 : Auth: Login OK: [boda7805] (from client LINKSYS3 port 0 via TLS tunnel)
Thu Dec  4 08:00:14 2008 : Auth: Login OK: [boda7805] (from client LINKSYS3 port 33 cli 0015afecda17)
Thu Dec  4 08:00:50 2008 : Error: rlm_eap: UserIdentity Unknown 
Thu Dec  4 08:00:50 2008 : Error: rlm_eap: Identity Unknown, authentication failed
Thu Dec  4 08:00:50 2008 : Auth: Login incorrect: [<no User-Name attribute>] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Thu Dec  4 08:00:52 2008 : Error: rlm_eap: UserIdentity Unknown 
Thu Dec  4 08:00:52 2008 : Error: rlm_eap: Identity Unknown, authentication failed
Thu Dec  4 08:00:52 2008 : Auth: Login incorrect: [<no User-Name attribute>] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Thu Dec  4 08:03:06 2008 : Auth: Login incorrect (rlm_ldap: User not found): [ADMIN\\Adminas] (from client WILI-08 port 0 via TLS tunnel)
Thu Dec  4 08:03:06 2008 : Auth: Login incorrect: [ADMIN\\Adminas] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Thu Dec  4 08:03:08 2008 : Error: rlm_eap: No EAP session matching the State variable.
Thu Dec  4 08:03:08 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu Dec  4 08:03:08 2008 : Auth: Login incorrect: [ADMIN\\Adminas] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Thu Dec  4 08:03:10 2008 : Auth: Login incorrect (rlm_ldap: User not found): [ADMIN\\Adminas] (from client WILI-08 port 0 via TLS tunnel)
Thu Dec  4 08:03:10 2008 : Auth: Login incorrect: [ADMIN\\Adminas] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Thu Dec  4 08:03:13 2008 : Auth: Login incorrect (rlm_ldap: User not found): [ADMIN\\Adminas] (from client WILI-08 port 0 via TLS tunnel)
Thu Dec  4 08:03:13 2008 : Auth: Login incorrect: [ADMIN\\Adminas] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Thu Dec  4 08:03:15 2008 : Error: rlm_eap: No EAP session matching the State variable.
Thu Dec  4 08:03:15 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu Dec  4 08:03:15 2008 : Auth: Login incorrect: [ADMIN\\Adminas] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Thu Dec  4 08:03:48 2008 : Auth: Login incorrect (rlm_ldap: User not found): [ADMIN\\Adminas] (from client WILI-08 port 0 via TLS tunnel)
Thu Dec  4 08:04:01 2008 : Auth: Login OK: [JOMO6060] (from client WILI-08 port 0 via TLS tunnel)
Thu Dec  4 08:04:01 2008 : Auth: Login OK: [JOMO6060] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)

Dhcp
Code:
Dec  4 07:24:54 sunfire1 dhcpd: DHCPREQUEST for 192.168.1.100 from 00:1c:bf:9b:b6:38 via em3: wrong network.
Dec  4 07:24:54 sunfire1 dhcpd: DHCPNAK on 192.168.1.100 to 00:1c:bf:9b:b6:38 via em3
Dec  4 07:24:55 sunfire1 dhcpd: DHCPREQUEST for 192.168.4.5 from 00:06:4f:02:00:52 via em2
Dec  4 07:24:55 sunfire1 dhcpd: DHCPACK on 192.168.4.5 to 00:06:4f:02:00:52 via em2
Dec  4 07:24:56 sunfire1 dhcpd: DHCPDISCOVER from 00:1c:bf:9b:b6:38 via em3
Dec  4 07:24:57 sunfire1 dhcpd: DHCPOFFER on 10.2.247.225 to 00:1c:bf:9b:b6:38 (karolis) via em3
Dec  4 07:24:57 sunfire1 dhcpd: DHCPREQUEST for 10.2.247.225 (10.255.255.1) from 00:1c:bf:9b:b6:38 (karolis) via em3
Dec  4 07:24:57 sunfire1 dhcpd: DHCPACK on 10.2.247.225 to 00:1c:bf:9b:b6:38 (karolis) via em3
Dec  4 07:25:00 sunfire1 dhcpd: DHCPREQUEST for 192.168.3.4 from 00:30:4f:06:66:a3 via em2
Dec  4 07:25:00 sunfire1 dhcpd: DHCPACK on 192.168.3.4 to 00:30:4f:06:66:a3 via em2
Dec  4 07:25:01 sunfire1 dhcpd: uid lease 192.168.46.131 for client 00:1f:29:2c:49:96 is duplicate on itc
Dec  4 07:25:01 sunfire1 dhcpd: DHCPREQUEST for 192.168.45.129 from 00:1f:29:2c:49:96 via em2
Dec  4 07:25:01 sunfire1 dhcpd: DHCPACK on 192.168.45.129 to 00:1f:29:2c:49:96 via em2
Dec  4 07:25:07 sunfire1 dhcpd: DHCPREQUEST for 192.168.42.7 from 00:11:09:13:a0:0b via em2
Dec  4 07:25:07 sunfire1 dhcpd: DHCPACK on 192.168.42.7 to 00:11:09:13:a0:0b via em2
Dec  4 07:25:10 sunfire1 dhcpd: DHCPINFORM from 10.2.247.225 via em3
Dec  4 07:25:10 sunfire1 dhcpd: DHCPACK to 10.2.247.225 (00:1c:bf:9b:b6:38) via em3
Dec  4 07:25:16 sunfire1 dhcpd: DHCPREQUEST for 192.168.44.33 from 00:14:4f:26:d9:66 via em2
Dec  4 07:25:16 sunfire1 dhcpd: DHCPACK on 192.168.44.33 to 00:14:4f:26:d9:66 via em2
Dec  4 07:25:22 sunfire1 dhcpd: DHCPINFORM from 192.168.5.6 via em2
Dec  4 07:25:22 sunfire1 dhcpd: DHCPACK to 192.168.5.6 (00:06:4f:02:00:51) via em2
Dec  4 07:25:25 sunfire1 dhcpd: DHCPINFORM from 192.168.5.6 via em2
Dec  4 07:25:25 sunfire1 dhcpd: DHCPACK to 192.168.5.6 (00:06:4f:02:00:51) via em2
Dec  4 07:25:26 sunfire1 dhcpd: DHCPREQUEST for 193.219.42.107 from 00:40:f4:bd:5e:d6 (ragaisiopc) via em0
Dec  4 07:25:26 sunfire1 dhcpd: DHCPACK on 193.219.42.107 to 00:40:f4:bd:5e:d6 (ragaisiopc) via em0
Dec  4 07:25:27 sunfire1 dhcpd: DHCPREQUEST for 192.168.7.3 from 00:06:4f:02:00:59 via em2
Dec  4 07:25:27 sunfire1 dhcpd: DHCPACK on 192.168.7.3 to 00:06:4f:02:00:59 via em2
Dec  4 07:25:43 sunfire1 dhcpd: DHCPREQUEST for 192.168.44.25 from 00:14:4f:1f:b7:21 via em2
Dec  4 07:25:43 sunfire1 dhcpd: DHCPACK on 192.168.44.25 to 00:14:4f:1f:b7:21 via em2
Dec  4 07:25:44 sunfire1 dhcpd: DHCPREQUEST for 172.16.42.11 from 00:01:e6:ad:9d:71 via em0
Dec  4 07:25:44 sunfire1 dhcpd: DHCPACK on 172.16.42.11 to 00:01:e6:ad:9d:71 via em0
Dec  4 07:25:47 sunfire1 dhcpd: DHCPREQUEST for 192.168.5.7 from 00:06:4f:02:54:b1 via em2
Dec  4 07:25:47 sunfire1 dhcpd: DHCPACK on 192.168.5.7 to 00:06:4f:02:54:b1 via em2
Dec  4 07:25:49 sunfire1 dhcpd: DHCPREQUEST for 192.168.9.1 from 00:50:22:82:63:77 via em2
Dec  4 07:25:49 sunfire1 dhcpd: DHCPACK on 192.168.9.1 to 00:50:22:82:63:77 via em2
Dec  4 07:25:55 sunfire1 dhcpd: DHCPREQUEST for 10.2.254.211 from 00:06:4f:03:63:09 (hr) via em3
Dec  4 07:25:55 sunfire1 dhcpd: DHCPACK on 10.2.254.211 to 00:06:4f:03:63:09 (hr) via em3
Dec  4 07:26:05 sunfire1 dhcpd: DHCPREQUEST for 193.219.42.92 from 00:50:22:8d:9c:5b (biblio-stud) via em0
Dec  4 07:26:05 sunfire1 dhcpd: DHCPACK on 193.219.42.92 to 00:50:22:8d:9c:5b (biblio-stud) via em0
Dec  4 07:26:12 sunfire1 dhcpd: DHCPREQUEST for 192.168.45.111 from 00:1a:a0:60:31:2c via em2
Dec  4 07:26:12 sunfire1 dhcpd: DHCPACK on 192.168.45.111 to 00:1a:a0:60:31:2c via em2
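
An added example (my own, not code posted in this thread) for the two questions above: how to tell whether a word is a MAC address, and how to rewrite it into dhcpd's colon form. It is plain POSIX sh with grep, tr and sed; the function names is_mac and normalize_mac are mine, and the three spellings it accepts are exactly the ones that appear in the two logs.

```sh
#!/bin/sh
# Added example, not from the thread: recognise a MAC address written as
# 12 bare hex digits, or as six hex pairs separated by ':' or by '-', and
# normalise it to dhcpd's lower-case colon-separated form.

# is_mac WORD  -> exit 0 if WORD is one of the three MAC spellings above.
# The three alternatives keep the separator consistent, so a half-converted
# value such as 00:1cbf:9bb6:38 is rejected.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq \
        '^([0-9a-f]{12}|([0-9a-f]{2}:){5}[0-9a-f]{2}|([0-9a-f]{2}-){5}[0-9a-f]{2})$'
}

# normalize_mac WORD  -> print WORD as aa:bb:cc:dd:ee:ff; print nothing and
# fail if WORD is not a MAC address.
normalize_mac() {
    is_mac "$1" || return 1
    printf '%s\n' "$1" |
        tr -d ':-' |            # strip whatever separators were used
        tr 'A-F' 'a-f' |        # dhcpd logs lower-case hex
        sed 's/\(..\)/\1:/g; s/:$//'   # colon after every pair, drop the last one
}

# Usage: normalize_mac.sh WORD ...   (one line per argument)
for w in "$@"; do
    normalize_mac "$w" || printf '%s: not a MAC address\n' "$w" >&2
done
```

Run it as `sh normalize_mac.sh 001cbf9bb638 00-17-31-AA-2D-77 karolis` and the first two come out as 00:1c:bf:9b:b6:38 and 00:17:31:aa:2d:77 while the hostname is reported on stderr; the same two functions can be sourced into a larger script that walks the radius log.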

# 2  
Old 12-14-2008
no ideas?
# 3  
Old 12-14-2008
So you need the MAC address and the IP address from the DHCP server??

Use awk or perl to scan in the DHCP file and remember mac/ip's. Then scan in the radius log, matching MACs to the hash-array used in step 1. Print the line from radius log with the extra info:
Code:
#!/usr/bin/perl
use strict;
use warnings;

# To use: script dhcp.log radius.log

open(DHCP,   '<', shift @ARGV) || die "Cannot open DHCP logfile: $!";
open(RADIUS, '<', shift @ARGV) || die "Cannot open RADIUS logfile: $!";

# mac (dhcp-style, lower case) -> last ip acknowledged for it
my %mac2ip;
while (<DHCP>) {
   next unless /DHCPACK on (\S+) to (\S+)/;
   $mac2ip{ lc($2) } = $1;
}

while (<RADIUS>) {
   # the mac after "cli" may be 001cbf9bb638 or 00-17-31-AA-2D-77,
   # so allow dashes as well as hex digits
   next unless /Auth: Login OK:.* cli ([\w-]+)\)/;
   # remove trailing newline
   chomp;
   # grab mac address, lower case, drop any dashes
   my $mac = lc($1);
   $mac =~ tr/-//d;
   # convert to dhcp-style: a colon after every pair of hex digits but the last
   $mac =~ s/(\w\w)(?=\w)/$1:/g;
   # lookup ip from previous step
   my $ip = exists $mac2ip{ $mac } ? $mac2ip{ $mac } : "UNKNOWN";
   # print original line with ip info
   print $_, " $ip\n";
}
close DHCP;
close RADIUS;

Tweaks might be necessary.
# 4  
Old 12-14-2008
I just realized my solution above won't work as-is. It won't work because over time, a MAC address will be assigned to different IPs. What you can do, then, is merge the two files together by date-time, and then run a modified version of the script:
Code:
{ awk '{ $1=""; print $0; }' radius.log; cat dhcp.log ; } | sort -k 1M,2 -k 2n,3 -k 3,4 -k  4r,5

(The last sort option tries to make sure DHCP always appears first for the same second.)

Now all the lines should be merged in order of time (hopefully). Then the script should work fine. It's basically the same code... just organized differently to process everything in the same stream. For input, provide the sorted output from the step above.

Code:
#!/usr/bin/perl
use strict;
use warnings;

# mac (dhcp-style, lower case) -> ip most recently acknowledged for it
my %mac2ip;

while (<>) {
 if (/DHCPACK on (\S+) to (\S+)/) {
      $mac2ip{ lc($2) } = $1;
 }

 # the mac after "cli" may be 001cbf9bb638 or 00-17-31-AA-2D-77
 if (/Auth: Login OK:.* cli ([\w-]+)\)/) {
   # remove trailing newline
   chomp;
   # grab mac address, lower case, drop any dashes
   my $mac = lc($1);
   $mac =~ tr/-//d;
   # convert to dhcp-style: a colon after every pair of hex digits but the last
   $mac =~ s/(\w\w)(?=\w)/$1:/g;
   # lookup ip from the leases seen so far in the stream
   my $ip = exists $mac2ip{ $mac } ? $mac2ip{ $mac } : "UNKNOWN";
   # print original line with ip info
   print $_, " $ip\n";
 }
}

# 5  
Old 12-15-2008
Quote:
Originally Posted by otheus
I just realized my solution above won't work as-is. It won't work because over time, a MAC address will be assigned to different IPs. What you can do, then, is merge the two files together by date-time, and then run a modified version of the script:

First of all, thanks for your reply, for taking it deeper and writing almost everything :}}} it helps me a lot.
New to perl, but that's not a problem. The problem is that I can't run the first script; it comes back with an error that it cannot find the log file dhcp. I have named it dhcp.log, and radius radius.log. And the biggest problem is that I pasted just a small part of the logs; they reach 2MB, so merging them takes lots of time. And I noticed that the time differs in some log sentences, so they can't be merged by time, I think.
# 6  
Old 12-15-2008
Does this have to be done in "real time"?? Unless you're using a 90's computer, merging a couple of 2 MB files is no big deal.

How does the time differ in some instances? Post those lines and we can figure it out.
# 7  
Old 12-15-2008
I do it on a remote server, so it takes time merging. But let's say it doesn't matter. As I understand it, the radius time can differ from the given acknowledgment time (I think the ack line is just what I need from that log). I think from radius I should take login and mac, from dhcp ack time, ip, save them in two temporary files and merge them by mac, I don't know... but I need to make the mac readable to the dhcp log. And maybe do it with sh, csh, sed, awk, because I tried to read perl, kinda difficult to me. Can you give me a hint on finding the string after cli (where the mac address goes)? I'll try to convert it with sed or something. I know you are sick and tired of such requests, but thanks in advance.
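
An added example, my own and not code from any post in this thread, that does the whole job in sh and awk rather than perl: it reads the merged, time-ordered stream the earlier post describes (dhcpd lines plus radius lines with the weekday stripped) and prints one row per successful login in the requested shape, time login mac ip server. It extracts the string after "cli" with awk's sub(), normalises the MAC itself, and deals with the timing point raised above: on this network the login is logged before the DHCPACK, so a login is held as pending until the next DHCPACK for the same MAC, and only falls back to the last lease seen (or UNKNOWN) at the end of the stream. Two assumptions are mine: "server" means the syslog host that logged the DHCPACK (sunfire1 here), and the dhcpd program field is written "dhcpd:" with no pid, as in the posted log.

```sh
#!/bin/sh
# Added example, not code from the thread. Input: merged stream of dhcpd lines
# and radius lines (weekday removed), oldest first. Output: one row per
# "Auth: Login OK" line that carries "cli <mac>": time login mac ip server.
# Assumption: "server" is the syslog host that logged the DHCPACK.

correlate() {
    awk '
    # norm(): 001cbf9bb638 / 00-1c-bf-9b-b6-38 / 00:1c:bf:9b:b6:38
    #         -> 00:1c:bf:9b:b6:38 ; "" for anything that is not a MAC
    function norm(m,    i, out) {
        gsub(/[-:]/, "", m)
        m = tolower(m)
        if (length(m) != 12 || m !~ /^[0-9a-f]+$/) return ""
        out = substr(m, 1, 2)
        for (i = 3; i <= 11; i += 2) out = out ":" substr(m, i, 2)
        return out
    }
    # dhcpd: "Dec  4 07:24:57 sunfire1 dhcpd: DHCPACK on <ip> to <mac> ... via em3"
    # ($5 assumes "dhcpd:" without a pid, as in the posted log)
    $5 == "dhcpd:" && $6 == "DHCPACK" && $7 == "on" {
        mac = norm($10)
        if (mac == "") next
        lease[mac] = $8          # most recent lease for this MAC
        host[mac]  = $4          # host that logged it
        if (mac in pending) {    # a login was waiting for this lease
            print pending[mac], mac, $8, $4
            delete pending[mac]
        }
        next
    }
    # radius: "Dec  4 07:24:54 2008 : Auth: Login OK: [login] (... cli <mac>)"
    /Auth: Login OK:/ && / cli / {
        login = $0
        sub(/.*Login OK: \[/, "", login); sub(/].*/, "", login)
        raw = $0
        sub(/.* cli /, "", raw); sub(/\).*/, "", raw)   # the string after "cli"
        mac = norm(raw)
        if (mac == "") next
        # hold the login until the DHCPACK that normally follows it
        pending[mac] = $1 " " $2 " " $3 " " login
    }
    END {
        # logins never followed by a DHCPACK: fall back to the last lease seen
        for (mac in pending)
            print pending[mac], mac, (mac in lease ? lease[mac] : "UNKNOWN"), (mac in host ? host[mac] : "-")
    }'
}

# Constructed sample stream: lines from the logs posted above, already merged,
# with the radius weekday removed as the awk/sort pipeline would leave them.
SAMPLE='Dec  4 07:24:54 2008 : Auth: Login OK: [kava4186] (from client LINKSYS3 port 0 via TLS tunnel)
Dec  4 07:24:54 2008 : Auth: Login OK: [kava4186] (from client LINKSYS3 port 21 cli 001cbf9bb638)
Dec  4 07:24:54 sunfire1 dhcpd: DHCPNAK on 192.168.1.100 to 00:1c:bf:9b:b6:38 via em3
Dec  4 07:24:55 sunfire1 dhcpd: DHCPACK on 192.168.4.5 to 00:06:4f:02:00:52 via em2
Dec  4 07:24:57 sunfire1 dhcpd: DHCPACK on 10.2.247.225 to 00:1c:bf:9b:b6:38 (karolis) via em3
Dec  4 08:00:50 2008 : Auth: Login incorrect: [<no User-Name attribute>] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)
Dec  4 08:04:01 2008 : Auth: Login OK: [JOMO6060] (from client WILI-08 port 8 cli 00-17-31-AA-2D-77)'

demo() {
    printf '%s\n' "$SAMPLE" | correlate
}

# Real use: { awk '{ $1=""; print }' radius.log; cat dhcp.log; } | sort ... | correlate
if [ "${1:-}" = "--demo" ]; then demo; fi
```

With `sh correlate.sh --demo` the kava4186 login is paired with the lease acknowledged three seconds later (10.2.247.225 on sunfire1), the DHCPNAK and the unrelated lease are ignored, the failed login is skipped, and JOMO6060 comes out as UNKNOWN because the sample has no DHCPACK for 00:17:31:aa:2d:77. A login that repeats for the same MAC before its DHCPACK arrives overwrites the earlier pending entry, so the row carries the latest authentication time.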