USM Anywhere™


When you configure FreeRADIUS integration to send log data to USM Anywhere, you can use the FreeRADIUS plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor      FreeRADIUS
Device type        Network access control
Connection type    syslog
Vendor link

Integrating FreeRADIUS

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To configure FreeRADIUS to send log data over syslog to USM Anywhere

  1. Log in to the system hosting FreeRADIUS.
  2. Edit the /etc/freeradius/radius.conf file to match the following:

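    logdir = syslog
    log_destination = syslog

    log {
        # Send server log messages to syslog
        destination = syslog
        syslog_facility = daemon
        stripped_names = no
        # Log authentication requests
        auth = yes
        # Do not write passwords from rejected or accepted requests to the log
        auth_badpass = no
        auth_goodpass = no
    }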


  3. Edit the /etc/syslog.conf file to match the following:

    # .=notice logs authentication messages (L_AUTH).
    # <facility_name>.=notice @<IP_address_of_USM_Anywhere_Sensor>
    # .=err logs module errors for FreeRADIUS.
    # <facility_name>.=err @<IP_address_of_USM_Anywhere_Sensor>
    # .* logs messages to the same target.
    # <facility_name>.* @<IP_address_of_USM_Anywhere_Sensor>


    Where <facility_name> is any facility of your choice, for example, local1.

  4. To configure a log option, remove the pound sign (#) from one of the rule lines containing an at sign (@).

    The configuration should load automatically.

  5. If the configuration does not load automatically, restart the syslog daemon.

    The method to restart the daemon depends on the distribution in use:

    OS Distribution    Daemon Restart Command
    RedHat             service syslog restart
    Debian/Ubuntu      /etc/init.d/syslog restart
    FreeBSD            /etc/rc.d/syslogd restart

  6. Add the following options to the FreeRADIUS startup script:

    -l syslog

    -g <facility_name>

  7. Restart FreeRADIUS.
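
One way to check the two files edited in steps 2 to 4 before restarting the daemons, as an added example that is not part of the original documentation; the function names are hypothetical and the file paths are passed by the caller. It confirms that the log section carries the values shown above, including auth_badpass = no and auth_goodpass = no, which keep submitted passwords out of the forwarded syslog stream, and that at least one forwarding rule has been uncommented.

```shell
#!/bin/sh
# Added example: check the logging settings from the procedure above.
# Function names are hypothetical; file paths are supplied by the caller.

# Print the last value assigned to KEY inside the log { ... } section of FILE.
log_setting() {  # usage: log_setting FILE KEY
    awk -v key="$2" '
        /^[ \t]*log[ \t]*[{]/ { in_log = 1; next }
        in_log && /^[ \t]*[}]/ { in_log = 0 }
        in_log {
            line = $0
            sub(/#.*/, "", line)                 # ignore comments
            if (split(line, kv, "=") < 2) next
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == key) val = kv[2]
        }
        END { print val }' "$1"
}

# Compare the log section with the values this page gives.
# Prints one line per mismatch; returns non-zero if any setting differs.
check_radius_log() {  # usage: check_radius_log FILE
    rc=0
    for want in destination=syslog syslog_facility=daemon stripped_names=no \
                auth=yes auth_badpass=no auth_goodpass=no; do
        key=${want%%=*}
        got=$(log_setting "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "MISMATCH $key: want '${want#*=}', found '${got:-unset}'"
            rc=1
        fi
    done
    return "$rc"
}

# Succeed if FILE has an uncommented rule sending FACILITY to a remote host.
check_syslog_forward() {  # usage: check_syslog_forward FILE FACILITY
    grep -Eq "^[[:space:]]*$2\.[^[:space:]]+[[:space:]]+@[^[:space:]]+" "$1"
}

# Check real files when given: sh check.sh RADIUS_CONF SYSLOG_CONF FACILITY
if [ "$#" -eq 3 ]; then
    check_radius_log "$1" && check_syslog_forward "$2" "$3" && echo "OK"
fi
```
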

Plugin Enablement

The FreeRADIUS plugin automatically processes all messages whose syslog tag matches the value radiusd.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • audit_reason

  • customfield_0

  • customfield_1

  • customfield_2

  • customfield_4

  • customheader_0

  • customheader_1

  • customheader_2

  • customheader_4

  • event_description

  • event_name

  • event_outcome

  • file_name

  • highlight_fields

  • plugin_device

  • plugin_rule

  • rep_device_hostname

  • source_address

  • source_hostname

  • source_mac

  • source_port

  • source_username

  • source_vhost

  • transient

  • transport_protocol


For troubleshooting, refer to the vendor documentation: