I was directed here by a tech support agent for LEM. I'm trying to get SW to help me create a connector for log events coming from our AAA server, which is a product running on a windows 2008 (R1, 32 bit) server that runs on perl executables called "Radiator", it's created by open.com.au. it requires perl and can run on windows or linux, and if you run on windows using LSA call, you can utilize passthru authentication from the windows hostts,... meaning I have activeperl installed... anyway, what's going on is this AAA server is used for all of our network equipment (routers, switches, firewalls) to have AAA logging centralized, and then we're using a translator product on the AAA server called "log manager" which views the AAA service logging file directory and pipes those messages that are generated by the .log files through UDP port 514 over to the LEM server, and the format that they're coming in is fairly specific...based on date/time for each new entry. My request has to do with creating a new connector so we can filter out these specific messages coming from the AAA logging to where we can see what's going on from the AAA server standpoint on LEM, along with everything else we're seeing from LEM.
Here's an example of a connection from a computer (192.168.64.129) to a router/switch (192.168.68.2) and the whole session of what we'd see on the AAA server log, each bullet point is a log entry and the entry delimiter is using this as its standard notation:
so with that in mind, here's a conversation that our AAA server logged and piped over to the LEM via syslog that we would like to be able to easily see with a filter in the LEM console:
- Thu Jul 25 10:34:00 2013: DEBUG: New TacacsplusConnection created for 192.168.68.2:26217
- Thu Jul 25 10:34:01 2013: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 1644746832, 114
- Thu Jul 25 10:34:01 2013: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 15, 1, 1, orionncmuser, tty1, 192.168.64.129, 5, task_id=3923 timezone=CDT service=shell priv-lvl=15 cmd=show running-config <cr>
- Thu Jul 25 10:34:01 2013: DEBUG: TACACSPLUS derived Radius request packet dump:
NAS-IP-Address = 192.168.68.2
NAS-Port-Id = "tty1"
Calling-Station-Id = "192.168.64.129"
User-Name = "orionncmuser"
Acct-Status-Type = Stop
Acct-Session-Id = "1644746832"
cisco-avpair = "task_id=3923"
cisco-avpair = "timezone=CDT"
cisco-avpair = "service=shell"
cisco-avpair = "priv-lvl=15"
cisco-avpair = "cmd=show running-config <cr>"
OSC-Version-Identifier = "192"
- Thu Jul 25 10:34:01 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
- Thu Jul 25 10:34:01 2013: DEBUG: Deleting session for orionncmuser, 192.168.68.2,
- Thu Jul 25 10:34:01 2013: DEBUG: Handling with Radius::AuthLSA:
- Thu Jul 25 10:34:01 2013: DEBUG: AuthBy LSA result: ACCEPT,
- Thu Jul 25 10:34:01 2013: DEBUG: Accounting accepted
- Thu Jul 25 10:34:01 2013: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
- Thu Jul 25 10:34:01 2013: DEBUG: TacacsplusConnection result Accounting-Response
- Thu Jul 25 10:34:01 2013: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
- Thu Jul 25 10:34:01 2013: DEBUG: TacacsplusConnection disconnected from 192.168.68.2:26217
you can see some of the log entries have multiple lines, some have just one line... but the delimiter for each log entry is the "dayofweek month day# time year" formatting before the ":"
If anyone has any thoughts on this i would GREATLY appreciate it...