7.3 Parsing RADIUS Accounting Files

One of the most useful aspects of RADIUS is the utility of its accounting portion. Logs from the RADIUS accounting server can be used for a multitude of purposes, including billing, usage planning, attack forensics, and auditing. Most Internet service providers have billing systems that directly import, analyze, interpret, and report the data contained within the accounting logs. But for corporate situations in which billing isn't required or for ISPs wanting information not provided by the billing system, it's useful to have a utility that will read the logs and report basic information for the outside of your standard reporting system.

Paul Gregg has created an excellent utility, written in Perl, called RadiusReport that offers this functionality. RadiusReport allows you to import log files and create different reports based on their contents. The utility supports the log files that FreeRADIUS generates, and it also has support for the following RADIUS servers:

Livingston Radius, Versions 1.16, 2.0, and 2.01
Dale Reed's RadiusNT
Merit Radius
Ascend Radius
Radiator
Novell's BorderManager Authentication Services (requires a separate utility to "massage" the format of the logs)

RadiusReport will generate all sorts of useful reports, including the projected telephone bill, reporting filtering based on specific months if you have multiple periods aggregated into a single file and parsing based on interim months. The reports are configured and constructed from command-line flags issued with the program call. The program will even read a compressed file, in case you use gzip or tar to compress and archive your old accounting logs.

RadiusReport is a Perl program, so it requires Version 5 of the language to be installed on the system. It also requires the POSIX module, which comes bundled with the Perl language in most cases. The utility needs POSIX compliance to correctly translate record date information into a timestamp field if your server doesn't make a timestamp.

RadiusReport can be downloaded from Paul Gregg's web site at http://www.pgregg.com/projects/radiusreport/.

7.3.1 Generating Reports

This section details the command-line flags necessary to instruct RadiusReport to generate specific types of reports. Table 7-1 lists the various parameters that can be issued to the program at runtime.

Table 7-1. RadiusReport command-line parameters

Parameter	Function
-f	Designates the raw log file from which to create the report
-h	Creates report without header and footer text
-I	Generates a report on IP addresses
-l	Specifies a user ; use `all` for all users
-o	Creates individual report files for each user
-r	Generates a report on the most recent login times
-tba	Generates a full, detailed report
-tbac	Generates a full, detailed report with telephone company cost analysis

7.3.1.1 Example reports

The following command produces a minimal report for a specific user:

radiusreport -l rneis -f /var/adm/radacct/ptmstr-clt-1/detail

The resulting report looks similar to this:

Radius Log Report for: rneis
Date     Login    Logout   Ontime  Port
------------------------------------------------------------------------
28/05/02 18:07:01 19:22:14  15m13s A3
29/05/02 10:36:18 11:26:37  50m19s A7

Issue the following command to produce a full report for a specific user:

radiusreport -tba -l rneis -f /var/adm/radacct/ptmstr-clt-1/detail

The result:

Radius Log Report for: rneis
Date     Login    Logout   Ontime  Port BW-In/Out       Total
------------------------------------------------------------------------
28/05/02 13:18:19 13:38:07  19m48s A5   120.1K/309.3K   0h19m
28/05/02 22:32:24 23:32:17  59m54s A2   218.1K/1.7M     1h19m
29/05/02 19:54:33 21:15:01  80m29s A3   396.7K/1.3M     2h40m
29/05/02 19:33:53 20:05:25  31m32s A3   116.0K/1017.6K  54h24m
29/05/02 22:29:00 01:56:13 207m08s A1   1.2M/5.7M       57h51m
29/05/02 23:33:13 00:40:42  67m30s A2   276.7K/1.0M     58h59m
------------------------------------------------------------------------
  Total Hours:  58h59m
  Average Online times:   1h52m per day,   13h08m per week
  Total Data transferred In/Out: 18.2M/67.8M

The "Port" designation in these reports is the actual port number and an identifiereither A or Ito indicate whether the connection was asynchronous or based over ISDN. Also, the bandwidth statistics are generated based on the RADIUS client machine's transfer amounts and not total outbound bandwidth used.

The following command produces reports for every user for all the dates up to two months previous to the current day (the command should be placed on a single line):

radiusreport -tba -l all -f /var/adm/radacct/ptmstr-clt-1/archives/2002\
     /05/detail:/var/adm/radacct/ptmstr-clt-1/archives/2002/04/detail

The generated report can also be placed inside individual files per user in a specific directory. To do this, make a directory for the output and use the above command with the extra flag -o , followed by the destination directory.

The next command produces a list of users who used IP address 206.229.254.120 . It assumes the log file is in the current directory.

radiusreport -i 206.229.254.120 -f detail

To produce a list of users, along with their last login times, use this command (it also assumes the log file is in the current directory):

radiusreport -r -f detail:detail.lastmonth

This command produces a complete user-to-IP mapping list. The log file is in the current directory in this example as well.

radiusreport -i 0 -f detail

The report generated by this command is a telephone company cost analysis for the user sholmes for April, but includes May's logs as well to ensure coverage of a login on April 30 extending into May 1 or beyond:

radiusreport -tbac -l sholmes -f detail.april:detail.may -d Apr

7.3.2 Using RadiusSplit

Paul Gregg has also created a utility to make the processing of log files go a bit faster by pre-processing them and splitting logs up into per-user files. When this utility, called RadiusSplit, is used in conjunction with RadiusReport, it's not uncommon to have a speed boost on the order of a factor of 100+, simply because log files are smaller and have less data irrelevant to the report being generated. For example, if you're processing a report for all the logins for the user mdunlap in May, the traditional log file would have that data, but also data for all the other users. RadiusReport would have to go record-by-record to determine whether the data pertained to the target user or if it was for another user. By using RadiusSplit, the RadiusReport program can go immediately to the split logs for mdunlap and process his logs immediately, without the extraneous data.

The small, single-file Perl program can be downloaded from Paul Gregg's web site as well at http://www.pgregg.com/projects/radiussplit/. The program reads the accounting log file and places copies of the relevant log file entries into individual user files in the following path :

/path/to/logfiles/yyyy/mm/username

yyyy and mm are the date on which the utility was run.

To use the program, use a standard Linux/Unix file display command and pipe the output to RadiusSplit. For example, for a log file stored in /var/adm/radacct/ptmstr-clt-1/detail , use the following command:

tail -f /var/adm/radacct/ptmstr-clt-1/detail  radiussplit

Then, run RadiusReport, ensuring you include the correct paths to the newly split log files. The process is described in detail earlier in this chapter.