Examples

This page provides some real world scenarios giving you guidance on how to configure the Log Exporter for your scenario.

Example 1: General authentication information

Scope and assumptions

The scope of the query provided below is as follows:

the admin is interested in understanding which users/devices are authenticating (accepted or rejected) and to built frequency statistics based on that
no VLAN tagging is used
only certificate-based authentication is used (no username-password-based authentication)

Target

Log Analytics or General Webhook

Message Filter configuration

Rule Engine

Log Level

Enabled

Success

False

Failed

False

Error

False

Authorization System

Log Level

Enabled

Requests

False

Success

True

Failed

True

Error

False

Proxy Authentication

Log Level

Enabled

Connections

False

Success

False

Failed

False

Error

False

Data Configuration

{
    "Decision": {{ data.get("Packet-Type") }},
    "Level": {{ data.level }},
    "IP": {{ data.get("Packet-Dst-Address") }},
    "Username": {{ data.get("User-Name") }},
    {% if data.get("TLS-OCSP-Cert-Valid") != None %}
        "OCSPStatus": {{ data.get("TLS-OCSP-Cert-Valid") }},
    {% endif %}
    {% if data.level == "warning" %}
      "FailReason": {{ data.get("Module-Failure-Message") }},
    {% endif %}
    "Datetime" : {{ data.Datetime }}
}

Example 2: Detailed authentication information

Scope and assumptions

The scope of the query provided below is as follows:

the admin is interested in understanding which users/devices are authenticating via certificate or username & password (accepted or rejected)
username and certificate details with OCSP response
SSID and used Access Point (MAC address)
RADIUSaaS Rule that was triggered, if applicable: assigned VLAN
correlation ID for further investigation

Target

Log Analytics or General Webhook

Message Filter Configuration

Rule Engine

Log Level

Enabled

Success

True

Failed

True

Error

False

Authorization System

Log Level

Enabled

Requests

False

Success

False

Failed

False

Error

False

Proxy Authentication

Log Level

Enabled

Connections

False

Success

False

Failed

False

Error

False

Data configuration

{
    "Decision": {{ data.get("Engine-Decision") }},
    "Datetime" : {{ data.Datetime }},
    "Level": {{ data.level }},
    "Authtype": {{ data.get("Authtype") }},
    "Client-MAC": {{ data.get("Client-MAC") }},
    "Username": {{ data.get("User-Name") }},
    "Applied-Rule": {{ data.get("Applied-Rule") }},
    "VLAN": {{ data.get("Assigned-VLAN", "No VLAN assigned") }},
    "Auth-Source-Type": {{ data.get("Auth-Source-Type") }},
    {% if data.get("Auth-Source-Type") == "WiFi" %}
        "SSID": {{ data.get("SSID") }},
        "AP-MAC": {{ data.get("AP-MAC") }},
    {% endif %}
    {% if data.get("Authtype") == "Certificate" %}
        "Certificate-CommonName": {{ data.get("Certificate-Details", {}).get("TLS-Cert-Common-Name") }},
        "Certificate-Serial": {{ data.get("Certificate-Details", {}).get("TLS-Client-Cert-Serial") }},
    {% endif %}
    {% if data.get("Verify-Result") != None %}
        "Verify-Result": {{ data.get("Verify-Result") }},
        "Verify-Status": {{ data.get("Verify-Status") }},
        "Verify-Type": {{ data.get("Verify-Type") }},
        "Verify-Description": {{ data.get("Verify-Description") }},
    {% endif %}
    {% if data.get("Reject-Description") != None %}
        "Reject-Description": {{ data.get("Reject-Description") }},
    {% endif %}
    "GKG-Correlation-Id": {{ data.get("GKG-Correlation-Id") }}
}

Example 3: General error notifications

Scope and assumptions

The scope of the query provided below is as follows:

the admin is interested in receiving pro-active notifications about errors on the RADIUSaaS platform for the operations team.

Target

Teams, or Log Analytics or General Webhook

Message Filter Configuration

Rule Engine

Log Level

Enabled

Success

False

Failed

False

Error

False

Authorization System

Log Level

Enabled

Requests

False

Success

False

Failed

False

Error

True

Proxy Authentication

Log Level

Enabled

Connections

False

Success

False

Failed

False

Error

True

Data configuration

Teams

The RADIUS system has issues!
Message: {{ data.get('message') }}

Raw data:
{{ data }}

Log Analytics or General Webhook

{
    "Message": {{ data.get("message") }},
    "Datetime" : {{ data.get("Datetime") }},
    "Level": {{ data.get("level") }},
    "Type": {{ data.get("type", "not applicable") }}
}

Last updated 1 year ago

Was this helpful?

Good afternoon

hashtagExample 1: General authentication information

hashtagScope and assumptions

hashtagTarget

hashtagMessage Filter configuration

hashtagRule Engine

hashtagAuthorization System

hashtagProxy Authentication

hashtagData Configuration

hashtagExample 2: Detailed authentication information

hashtagScope and assumptions

hashtagTarget

hashtagMessage Filter Configuration

hashtagRule Engine

hashtagAuthorization System

hashtagProxy Authentication

hashtagData configuration

hashtagExample 3: General error notifications

hashtagScope and assumptions

hashtagTarget

hashtagMessage Filter Configuration

hashtagRule Engine

hashtagAuthorization System

hashtagProxy Authentication

hashtagData configuration

hashtagTeams

hashtagLog Analytics or General Webhook

Example 1: General authentication information

Scope and assumptions

Target

Message Filter configuration

Rule Engine

Authorization System

Proxy Authentication

Data Configuration

Example 2: Detailed authentication information

Scope and assumptions

Target

Message Filter Configuration

Rule Engine

Authorization System

Proxy Authentication

Data configuration

Example 3: General error notifications

Scope and assumptions

Target

Message Filter Configuration

Rule Engine

Authorization System

Proxy Authentication

Data configuration

Teams

Log Analytics or General Webhook