How-To: Export your RADIUS Logs to CloudWatch

EZRADIUS enables your security team to monitor critical user actions by pushing the information to your SIEM. In this page we will show you how to connect your RADIUS logs to CloudWatch.

Prerequisites

How To Export Your Cloud RADIUS Audit Logs To CloudWatch

How To Enable Log Export in EZRADIUS Portal

  1. Go to your EZRADIUS Portal.

  2. Click on Settings.

    EZRADIUS Cloud RADIUS portal Radius Authentication Overview dashboard with Settings option highlighted in navigation

  3. Scroll down to SIEM Settings and enable the Send Audit Logs to SIEM option.

    EZRADIUS Cloud RADIUS SIEM Settings panel with Send Audit Logs to SIEM checkbox highlighted in red

How To Configure CloudWatch Logs in the CloudWatch Portal

  1. Open your CloudWatch Portal in a new browser tab.

  2. In the top right corner, locate your AWS Region and make a note of it.

    CloudWatch region selection screenshot

  3. From the left-hand menu, under Setup, click on Settings.

    CloudWatch settings navigation screenshot

  4. Go to the Logs tab. In the API Keys section, click Create.

    CloudWatch Logs tab and API Keys section screenshot

  5. Choose your preferred API key expiration, then click Generate.

    CloudWatch API key generation screenshot

  6. After the key is generated, copy and save it immediately. You will not be able to view it again after leaving this page.

    CloudWatch API key save dialog screenshot

  7. Navigate to Log Management under Logs in the left-hand menu. Select the Log Group where you want to deliver your logs.

    CloudWatch log group selection screenshot

  8. Click the Actions dropdown, then select Edit bearer token authentication.

    CloudWatch bearer token authentication option screenshot

  9. When prompted, enable bearer token authentication by selecting Yes.

    CloudWatch enable bearer token authentication screenshot

  10. Confirm that bearer token authentication is enabled.

    CloudWatch bearer token authentication confirmation screenshot

  11. Identify and note the log stream where you want your logs delivered.

    CloudWatch log stream identification screenshot

How To Configure the CloudWatch SIEM in EZRADIUS Portal

  1. Now go back to the EZRADIUS Portal.

  2. Select CloudWatch as the SIEM Provider.

    Set CloudWatch as the SIEM in EZRADIUS

  3. Input the values that you copied from the CloudWatch portals. Then, click Test Connection. This will create a test log in your CloudWatch SIEM (please allow a few minutes for the log to show up in the CloudWatch portal).

    CloudWatch Paste Values and Test Connection

  4. If the connection test is successful, click Save changes

    EZRADIUS Settings Save Changes

  5. EZRADIUS will now send your security alerts to your SIEM. If an error occurs it will email your subscription administrators. See below to see the different events EZRADIUS will send.

How To Create Alerts in CloudWatch to Monitor Your Cloud RADIUS Activity

We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. To setup alerts in CloudWatch go to Actions -> Create metric filter within your log group. Here are some example filters to get you started:

{ $.source = "EZRadius" && $.sourcetype = "EZRadiusAdministrator" && $.event.Action = "SubscriptionUpdated" }