/usr/share/doc/freeradius/schemas/logstash/radius-mapping.sh is in freeradius 3.0.16+dfsg-1ubuntu3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
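#! /bin/sh

# Create an elasticsearch template mapping for RADIUS data
# Matthew Newton
# April 2015

# This should be run on an elasticsearch node. Alternatively,
# set ES_URL in the environment (or adjust the default below)
# to point at the node.
#
# The request is sent unauthenticated over plain HTTP, which only
# suits a node listening on loopback. For a remote or secured node
# use an https:// URL and supply credentials from a curl config or
# netrc file rather than on the command line, where they would be
# visible in the process list.

# This version has been tested on elasticsearch 5.1.2
# Later major versions changed the template format (for example
# "index_patterns" in place of "template", and the removal of
# mapping types), so the JSON body may need adapting there.

# The template will be called "radius", and will apply to all
# indices prefixed with "radius-" that contain data type "detail".

# As not all RADIUS attributes are known to begin with, it has the
# following starting point that can be modified to suit the local
# configuration:
#
#   Acct-Input- or Acct-Output- attributes are numbers;
#   Acct-Session-Time is a number;
#   Everything else is a keyword, which is a non-analysed string.

# Additionally, the supplied logstash config will try to extract
# MAC addresses, IP addresses and ports from the data. These are
# stored with suffixes on the respective attribute. For example,
# an attribute
#
#   Called-Station-Id := "10.0.4.6[4500]"
#
# will be broken down into the following fields in elasticsearch:
#
#   Called-Station-Id = "10.0.4.6[4500]"
#   Called-Station-Id_ip = "10.0.4.6"
#   Called-Station-Id_port = "4500"
#
# This mapping ensures that these have an appropriate data type.

# Node address; defaults to the local node as in the original script.
ES_URL=${ES_URL:-127.0.0.1:9200}

# The explicit Content-Type is needed because curl -d otherwise sends
# application/x-www-form-urlencoded, which elasticsearch 6.0 and later
# reject; 5.x accepts the header as well.
#
# curl exits 0 even when elasticsearch answers with an HTTP error, so
# check the printed response for {"acknowledged":true} before relying
# on the mapping. If the template is not installed, new radius-*
# indices fall back to elasticsearch's default dynamic mapping.
curl -XPUT "${ES_URL}/_template/radius" \
  -H 'Content-Type: application/json' \
  -d '
{
  "template":"radius-*",
  "order":0,
  "mappings":{
    "detail":{

      "properties": {
        "@timestamp": { "format" : "date_optional_time", "type" : "date" },
        "@version": { "type" : "keyword" },
        "message": { "type" : "text" },
        "Acct-Session-Time": { "type" : "long" },
        "offset": { "type" : "long" }
      },

      "dynamic_templates": [

        { "acct_io_numbers": {
            "match_pattern": "regex",
            "match": "^Acct-(Input|Output)-.*$",
            "mapping": {
              "type": "long"
            }
          }
        },

        { "ipv4_address": {
            "path_match": "*_ip",
            "mapping": {
              "type": "ip"
            }
          }
        },

        { "network_port": {
            "path_match": "*_port",
            "mapping": {
              "type": "integer"
            }
          }
        },

        { "long_number": {
            "path_match": "*_long",
            "mapping": {
              "type": "long"
            }
          }
        },

        { "no_analyze_strings": {
            "match": "*",
            "mapping": {
              "type": "keyword"
            }
          }
        }

      ]
    }
  }
}'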