Yann Shukor
asked on
Parsing RSyslog entries
Hi
Is it possible to parse RSyslog entries (Debian Jessie) as you receive them?
The message section of the received entries will resemble this:
192.168.13.20 CONNECT www.gstatic.com:443 action=allow cache=MISS
- I'd like to strip off the last part " action=allow cache=MISS"
As you can see the message contains the IP address of the user
- Is it possible to interrogate the remote (source) router to obtain the corresponding MAC address so as to also include it in the message?
thanks
yann
ASKER
Thanks Arnold
Unfortunately this is all the info I can get from the Mikrotik hotspot router
The objective is to respect the legal requirement of storing user Internet access information
The MAC address is a means of identifying the exact device used for the Internet access
MAC address: you may also have to record the DHCP allocations, which is where you will have the MAC-address-to-IP relationship, with dates and times.
ASKER
Arnold
Yep, I can also currently receive such messages from the router, but I don't understand how I would go about combining the two messages - maybe I could delete the DHCP record once I collect the corresponding MAC address?
The real issue for me is database size: my objective is to reduce the overall number of records, and make the reading of each record easier, i.e. it would ultimately be simpler to read one line to obtain the required info rather than having to rummage through multiple records in order to piece things together.
That's why I wondered whether it might be simpler to remotely query the router's ARP table instead.
ASKER CERTIFIED SOLUTION
Setting a rule within /etc/rsyslog.conf that would parse and do what you want as soon as the event is received.
Look at rsyslog use examples/script processing.
Unless the access is directly from the device, the MAC address might be that of the last router encapsulating the packet.
I.e. for a system behind a firewall, presumably you want its MAC address. You actually might see the MAC address of the Internet-facing router from which that packet was sent.
Requiring user authentication with a squid helper that you could use to prompt the user for credentials, setting a cookie, recording the IP, username and, as long as a request comes within X minutes, auto-allowing, updating last seen to extend the window for another five minutes....
If no request came beyond the five minutes, a new request will delete the old record and will prompt the user for credentials.
Squid can be configured (log setting) to include the authenticated user, %u if not mistaken.
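The following is an added example, not code from the thread or from rsyslog or Mikrotik, of the two steps discussed above: stripping the trailing key=value fields from the CONNECT line as each message arrives (the rsyslog rule/script processing Arnold points at) and attaching the MAC address from the router's DHCP allocation messages (the DHCP-to-IP relationship with dates and times). The syslog envelope format (`<rfc3339 timestamp> <host> <msg>`), the wording of the DHCP message, and the sample lines are all assumptions constructed for the example; only the CONNECT line format comes from the question. The lease table is kept in memory and the join picks the lease that held the IP at the time of the access, so a reassigned address maps to the right device.

```python
"""Join hotspot CONNECT lines with DHCP lease events, one record per access.

Added example. Formats other than the CONNECT line quoted in the thread are
assumed and must be adjusted to the router's real output.
"""
import re
from bisect import insort
from datetime import datetime

# Message body as quoted in the question:
#   192.168.13.20 CONNECT www.gstatic.com:443 action=allow cache=MISS
ACCESS_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)"
    r"(?P<extra>(?:\s+\w+=\S*)*)\s*$"
)

# Assumed DHCP allocation message (constructed; match it to the real Mikrotik text):
#   dhcp1 assigned 192.168.13.20 to 4C:5E:0C:11:22:33
DHCP_RE = re.compile(
    r"assigned\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+to\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_envelope(line):
    """Split an assumed '<rfc3339 ts> <host> <msg>' line into (ts_str, ts, msg), or None."""
    try:
        ts_str, _host, msg = line.rstrip("\n").split(" ", 2)
        return ts_str, datetime.fromisoformat(ts_str), msg
    except ValueError:
        return None


def parse_access(msg):
    """Return (ip, method, target, extra_fields) for an access line, else None."""
    m = ACCESS_RE.match(msg)
    if not m:
        return None
    # The trailing "action=allow cache=MISS" part becomes a dict instead of being lost.
    extra = dict(kv.split("=", 1) for kv in m.group("extra").split())
    return m.group("ip"), m.group("method"), m.group("target"), extra


def parse_dhcp(msg):
    """Return (ip, mac) from a DHCP allocation message, else None."""
    m = DHCP_RE.search(msg)
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower()


class LeaseTable:
    """IP -> time-ordered list of (timestamp, mac) taken from DHCP messages."""

    def __init__(self):
        self._leases = {}

    def add(self, ip, mac, ts):
        # insort keeps each list sorted even if messages arrive out of order.
        insort(self._leases.setdefault(ip, []), (ts, mac))

    def lookup(self, ip, ts):
        """MAC that held `ip` at time `ts`, or None if no lease was seen by then."""
        for lease_ts, mac in reversed(self._leases.get(ip, [])):
            if lease_ts <= ts:
                return mac
        return None


def process(lines, table=None):
    """Consume syslog lines in arrival order and return one record per access.

    DHCP messages only update the lease table; access lines yield
    '<ts> <ip> <mac> <method> <target>' with the key=value tail stripped.
    An access with no known lease is kept with mac 'unknown', never dropped.
    """
    table = table if table is not None else LeaseTable()
    out = []
    for line in lines:
        env = parse_envelope(line)
        if env is None:
            continue  # not in the expected envelope; leave it to the normal rsyslog path
        ts_str, ts, msg = env
        lease = parse_dhcp(msg)
        if lease:
            table.add(lease[0], lease[1], ts)
            continue
        access = parse_access(msg)
        if access:
            ip, method, target, _extra = access
            mac = table.lookup(ip, ts) or "unknown"
            out.append(f"{ts_str} {ip} {mac} {method} {target}")
    return out


# Constructed sample input, not captured from a real router.
SAMPLE = [
    "2016-03-01T10:00:00+01:00 hotspot1 dhcp1 assigned 192.168.13.20 to 4C:5E:0C:11:22:33",
    "2016-03-01T10:00:05+01:00 hotspot1 192.168.13.20 CONNECT www.gstatic.com:443 action=allow cache=MISS",
    "2016-03-01T11:00:00+01:00 hotspot1 dhcp1 assigned 192.168.13.20 to D8:50:E6:AA:BB:CC",
    "2016-03-01T11:00:07+01:00 hotspot1 192.168.13.20 CONNECT example.org:443 action=allow cache=HIT",
    "2016-03-01T11:00:09+01:00 hotspot1 192.168.13.21 CONNECT example.net:443 action=deny cache=MISS",
]

if __name__ == "__main__":
    import sys
    # Run stand-alone on the sample, or feed it lines on stdin (e.g. from an rsyslog omprog action).
    for rec in process(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(rec, flush=True)
```

Three points a practitioner would want to check before relying on this. Stripping the whole tail also discards `action=deny`, i.e. whether the request was actually allowed; for a record kept to satisfy a legal obligation you probably want to keep at least that field (it is available in the `extra` dict). The lease table lives in memory, so after a restart accesses are labelled `unknown` until the next DHCP message for that address; seeding the table from the router's current lease list at start-up, or persisting it, avoids that gap. Finally, querying the router's ARP table instead gives only the current IP-to-MAC mapping, so it is correct only if the query happens at the time of the access; the DHCP message stream is the historical record and therefore the safer source.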