Logging
RRAS 日誌的未辨識佈局
我偶然發現了一個未知的佈局,沒有標題,NPS 日誌解釋器和IAS 日誌查看器似乎都無法理解。我的 Google-fu 用完了,我發現關於它的文件為零。
行是這樣的:
server, "RAS", date, time, packet type?, username (sometimes has domain), username (always has domain), ip, ip, , ip, server, ip, numbers, ip, server, random number?, , 5, , 1, 2, 4/5, string, 0/68, string, empty/60, empty/1800, string, 1/2, , random number?, random number?, port?, empty/3, random/empty, random/empty, random/empty, empty/1, port?, empty/1, , emtpy/1, empty/1, ip, ip, , , , , , , string, 311, , hex string, number, number, policy?, 1, , , , hostname?, string我覺得我以前偶然發現過這個,但到目前為止,我發現了 3 種不同的佈局來處理 RRAS 日誌,但沒有一個適合這些行。
探勘並找到了一個帶有佈局的舊 logstash conf 文件!
"ComputerName","ServiceName","RecordDate","RecordTime","PacketType","UserName","FQDN","CalledStationID","CallingStationID","CallbackNumber","FramedIPAddress","NASIdentifier","NASIPAddress","NASPort","ClientVendor","ClientIPAddress","ClientFriendlyName","EventTimestamp","PortLimit","NASPortType","ConnectInfo","FramedProtocol","ServiceType","AuthenticationType","PolicyName","ReasonCode","Class","SessionTimeout","IdleTimeout","TerminationAction","EAPFriendlyName","AcctStatusType","AcctDelayTime","AcctInputOctets","AcctOutputOctets","AcctSessionID","AcctAuthentic","AcctSessionTime","AcctInputPackets","AcctOutputPackets","AcctTerminateCause","AcctMultiSsnID","AcctLinkCount","AcctInterimInterval","TunnelType","TunnelMediumType","TunnelClientEndpt","TunnelServerEndpt","AcctTunnelConn","TunnelPvtGroupID","TunnelAssigntmentID","TunnelPreference","MSAcctAuthType","MSAcctEAPType","MSRASVersion","MSRASVendor","MSCHAPError","MSCHAPDomain","MSMPPEEncryptionTypes","MSMPPEEncryptionPolicy","ProxyPolicyName","ProviderType","ProviderName","RemoteServerAddress","MSRASClientName","MSRASClientVersion"但是,如果有人能找到解釋這一點的來源,我將非常感激!