我偶然发现了一个未知的布局,没有标题,也没有NPS 日志解释器也不IAS 日志查看器似乎可以理解。我的 Google 功夫已经耗尽,却找不到任何相关文档。
行如下:
server, "RAS", date, time, packet type?, username (sometimes has domain), username (always has domain), ip, ip, , ip, server, ip, numbers, ip, server, random number?, , 5, , 1, 2, 4/5, string, 0/68, string, empty/60, empty/1800, string, 1/2, , random number?, random number?, port?, empty/3, random/empty, random/empty, random/empty, empty/1, port?, empty/1, , emtpy/1, empty/1, ip, ip, , , , , , , string, 311, , hex string, number, number, policy?, 1, , , , hostname?, string
我觉得我之前偶然发现过这个问题,但到目前为止,我发现了 3 种处理 RRAS 日志的不同布局,但没有一种适合这些线路。
答案1
挖掘并找到了一个带有布局的旧 logstash conf 文件!
"ComputerName","ServiceName","RecordDate","RecordTime","PacketType","UserName","FQDN","CalledStationID","CallingStationID","CallbackNumber","FramedIPAddress","NASIdentifier","NASIPAddress","NASPort","ClientVendor","ClientIPAddress","ClientFriendlyName","EventTimestamp","PortLimit","NASPortType","ConnectInfo","FramedProtocol","ServiceType","AuthenticationType","PolicyName","ReasonCode","Class","SessionTimeout","IdleTimeout","TerminationAction","EAPFriendlyName","AcctStatusType","AcctDelayTime","AcctInputOctets","AcctOutputOctets","AcctSessionID","AcctAuthentic","AcctSessionTime","AcctInputPackets","AcctOutputPackets","AcctTerminateCause","AcctMultiSsnID","AcctLinkCount","AcctInterimInterval","TunnelType","TunnelMediumType","TunnelClientEndpt","TunnelServerEndpt","AcctTunnelConn","TunnelPvtGroupID","TunnelAssigntmentID","TunnelPreference","MSAcctAuthType","MSAcctEAPType","MSRASVersion","MSRASVendor","MSCHAPError","MSCHAPDomain","MSMPPEEncryptionTypes","MSMPPEEncryptionPolicy","ProxyPolicyName","ProviderType","ProviderName","RemoteServerAddress","MSRASClientName","MSRASClientVersion"
但如果有人能找到解释这一点的来源,我会非常感激!