Kaspersky Unified Monitoring and Analysis Platform

Configuring receipt of FreeRADIUS events

You can configure the receipt of FreeRADIUS 3.0.26 events in KUMA.

Configuring event receiving consists of the following steps:

  1. Configuring audit of FreeRADIUS events.
  2. Configuring a Syslog server to send FreeRADIUS events.
  3. Creating a KUMA collector for receiving FreeRADIUS events.

    To receive FreeRADIUS events, in the Collector Installation Wizard, at the Event parsing step, select the [OOTB] FreeRADIUS syslog normalizer, and at the Transport step, select the tcp or udp connector type.

  4. Installing KUMA collector for receiving FreeRADIUS events.
  5. Verifying receipt of FreeRADIUS events in the KUMA collector.

    You can verify that the FreeRADIUS event source server is correctly configured in the Searching for related events section of the KUMA web interface.


Configuring audit of FreeRADIUS events

To configure event audit in the FreeRADIUS system:

  1. Connect to the server where the FreeRADIUS system is installed using an account with administrative privileges.
  2. Create a backup copy of the FreeRADIUS configuration file:

    sudo cp /etc/freeradius/3.0/radiusd.conf /etc/freeradius/3.0/radiusd.conf.bak

  3. Open the FreeRADIUS configuration file for editing:

    sudo nano /etc/freeradius/3.0/radiusd.conf

  4. In the 'log' section, edit the settings as follows:

    destination = syslog

    syslog_facility = daemon

    stripped_names = no

    auth = yes

    auth_badpass = yes

    auth_goodpass = yes

  5. Save the configuration file.

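FreeRADIUS event audit is configured. With auth_badpass and auth_goodpass set to yes, FreeRADIUS logs the passwords submitted with authentication requests, so these events carry credentials to the syslog server and the collector.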


Configuring a Syslog server to send FreeRADIUS events

The rsyslog service is used to transmit events from the FreeRADIUS server to the KUMA collector.

To configure the sending of events from the server where FreeRADIUS is installed to the collector:

  1. In the /etc/rsyslog.d/ directory, create the FreeRADIUS-to-siem.conf file and add the following line to it:

    if $programname contains 'radiusd' then @<IP address of the collector>:<port of the collector>

    If you want to send events via TCP, the contents of the file must be as follows:

    if $programname contains 'radiusd' then @@<IP address of the collector>:<port of the collector>

  2. Create a backup copy of the /etc/rsyslog.conf file.
  3. Add the following lines to the /etc/rsyslog.conf configuration file:

    $IncludeConfig /etc/rsyslog.d/FreeRADIUS-to-siem.conf

    $RepeatedMsgReduction off

  4. Save your changes.
  5. Restart the rsyslog service:

    sudo systemctl restart rsyslog.service

The export of events from the FreeRADIUS server to the KUMA collector is configured.
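Both files edited above (the 'log' section of radiusd.conf and the rsyslog forwarding rule) can be checked before the services are restarted. The following shell functions are an added example, not part of the Kaspersky documentation; the function names are hypothetical and the script only reads the files it is given.

```shell
#!/bin/sh
# Added example, not Kaspersky or FreeRADIUS code. Function names are hypothetical.

# check_radius_log FILE: compare the log { } section with the values from step 4.
# Prints one line per mismatch; returns 0 only when all six settings match.
check_radius_log() {
    awk '
        BEGIN {
            want["destination"] = "syslog"; want["syslog_facility"] = "daemon"
            want["stripped_names"] = "no";  want["auth"] = "yes"
            want["auth_badpass"] = "yes";   want["auth_goodpass"] = "yes"
        }
        { sub(/#.*/, "") }                          # strip comments
        /^[ \t]*log[ \t]*[{]/ { inlog = 1; next }   # entering the log section
        inlog && /[}]/        { inlog = 0 }         # leaving it
        inlog && /=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t"]/, "", kv[2])
            if (kv[1] in want) got[kv[1]] = kv[2]
        }
        END {
            for (k in want) {
                found = (k in got) ? got[k] : "<unset>"
                if (found != want[k]) {
                    printf "%s: expected %s, found %s\n", k, want[k], found
                    bad = 1
                }
            }
            exit bad + 0
        }
    ' "$1"
}

# forward_transport FILE: print "udp" for a single-@ target and "tcp" for @@.
# Returns 1 when the file has no active rule for the radiusd program name.
forward_transport() {
    rule=$(grep -v '^[[:space:]]*#' "$1" |
           grep -i "programname contains 'radiusd'" | head -n 1)
    case $rule in
        *"then @@"*) echo tcp ;;
        *"then @"*)  echo udp ;;
        *)           return 1 ;;
    esac
}

# Usage: sh check.sh /etc/freeradius/3.0/radiusd.conf /etc/rsyslog.d/FreeRADIUS-to-siem.conf
if [ "$#" -eq 2 ]; then
    check_radius_log "$1" && forward_transport "$2"
fi
```

The transport printed by forward_transport must match the connector type (tcp or udp) selected for the KUMA collector.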
