How-To: Export your RADIUS Logs to Azure Log Analytics and Azure Sentinel

EZRADIUS enables your security team to monitor critical user actions by pushing the information to your SIEM. In this page we will show you how to connect your RADIUS logs to Azure Log Analytics and Azure Sentinel.

Prerequisites

How to Grant Log Contributor Permissions to the EZRADIUS Application in Azure

To allow EZRADIUS to send logs to your Log Analytics and Azure Sentinel workspace, you need to grant the EZRADIUS application the following roles on the Resource Group containing your Log Analytics workspace:

  1. Monitoring Contributor
  2. Monitoring Metrics Publisher
  3. Log Analytics Contributor

This can be done manually in the Azure Portal or using the Azure CLI.

How to Grant Permissions using the Azure Portal

It’s easy to enable the required permissions using the Azure Portal:

  1. Navigate to the Azure Portal.

  2. Open the Log Analytics Workspace you want to connect to EZRADIUS. If you are using Azure Sentinel, open the Log Analytics workspace connected to your Sentinel instance.

  3. Click on Resource group to open the Resource Group containing your Log Analytics workspace.

    Select Resource Group of Log Analytics Workspace

  4. Click Access control (IAM) in the left menu.

    Select Access Control (IAM) in Resource Group

  5. Click + Add and Add role assignment.

    Select Add Role Assignment in Resource Group

  6. Search for Monitoring Contributor in the list of Azure roles. Select the role and click Next.

    Search for Monitoring Contributor in List of Azure Roles

  7. Click + Select members and search for EZRADIUS. Select the EZRADIUS application.

    Select the application

  8. Click Review + assign twice to grant the role to the EZRADIUS application.

    Click Review + Assign

  9. Repeat steps 1-8 for the Monitoring Metrics Publisher and Log Analytics Contributor roles.

How to Grant Permissions using the Azure CLI

The Azure CLI can also be used to enable the required permissions. Follow these steps:

  1. Open a terminal window on your device or navigate to the Azure Portal and open Azure Cloud Shell.

    Open Azure Cloud Shell

  2. Begin by getting the object ID of the service principal for the EZRADIUS application in your tenant:

    $objectId = az ad sp list --filter "appId eq '5c0e7b30-d0aa-456a-befb-df8c75e8467b'" --query "[].{id:id}" --output tsv

  3. Copy the Resource ID of the Resource Group containing your Log Analytics workspace. This can be found by going to the Resource Group in Azure, selecting Properties, and copying the Resource ID.

    Copy Resource Group ID

  4. Save the Resource ID as a variable for easier use:

    $resourceGroupId = "/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups/<YOUR-RESOURCE-GROUP-NAME>"

  5. Grant the Monitoring Contributor role to the EZRADIUS application:

    az role assignment create --scope "$resourceGroupId" --role "Monitoring Contributor" --assignee $objectId

  6. Grant the Monitoring Metrics Publisher role to the EZRADIUS application:

    az role assignment create --scope "$resourceGroupId" --role "Monitoring Metrics Publisher" --assignee $objectId

  7. Grant the Log Analytics Contributor role to the EZRADIUS application:

    az role assignment create --scope "$resourceGroupId" --role "Log Analytics Contributor" --assignee $objectId

How to Export your RADIUS Logs to Log Analytics and Azure Sentinel

Now that you have granted the necessary permissions to the EZRADIUS application, you can configure EZRADIUS to send your RADIUS logs to your Log Analytics and Azure Sentinel workspace:

How To Enable Log Export in EZRADIUS

  1. Navigate to your EZRADIUS portal.

  2. Click on Settings.

    EZRADIUS Settings

  3. Scroll to the bottom and enable the “Send Audit Logs to SIEM” option.

    Send Cloud Radius Logs to SIEM

How to Configure the Azure Sentinel Exporter in EZRADIUS

  1. Under SIEM Provider, select Sentinel.

  2. In another tab, navigate to the Azure Portal.

  3. Select the Log Analytics workspace connected to your Sentinel instance (or any Log Analytics workspace you want to use if you are not using Sentinel).

  4. Click on Properties.

    Azure Log Analytics for Sentinel Select Properties

  5. Copy the Resource ID.

    Azure Log Analytics for Sentinel Copy Resource ID

  6. Go back to the EZRADIUS tab and paste the Resource ID into the Workspace Resource ID field.

    SIEM Settings Workspace Resource ID

  7. Back in the Azure tab note the Location of the Log Analytics workspace.

    Azure Log Analytics for Sentinel Copy Location

  8. In EZRADIUS select the same location in the Location dropdown.

    SIEM Settings Enter Location

  9. Click the Create Connection button. This will create the necessary connection in your Resource Group to communicate with Log Analytics, and send a test message to ensure proper connection.

  10. Once the test succeeds, make sure to click Save changes to save your SIEM settings.

  11. Done! EZRADIUS will now send your security logs to your SIEM.

How to Create Dashboards Using your Cloud RADIUS Logs

Now that your EZRADIUS logs are flowing into EZRADIUS, check out how to create a dashboard for your RADIUS service.

Create RADIUS Dashboards

How To Create Alerts in Azure Sentinel to Monitor Your Cloud RADIUS Activity

We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. Here is an example query to find all “NotAuthorized” actions in your EZRADIUS logs:

KeytosEZRadiusAdministrator_CL
| where Action == "NotAuthorized"