Indexing FreeRadius Accounting Logs

mhassan24
Explorer

Hi,

I am indexing FreeRadius Accounting logs from /var/log/radius/radacct/ directory.
Below is an image of a sample log in Splunk:

[image: sample FreeRADIUS accounting event as indexed in Splunk]

Issues/Requests:

  1. The log splits before the TimeStamp = < > field in the log, creating two logs in Splunk instead of one (shown in a red box in the image)
  2. How can I change the host= on Splunk to map to field "Tunnel-Server-Auth-Id:0" in the log itself, so it can be searched via hostname?
  3. Is there a way for the log to have a single space between each field, instead of a new line?

Thanks! I'd love input on these and am absolutely open to reading through links/documentation anyone shares to find the answer.

medveleyenet
New Member

In props.conf you have to put the format you want.

mhassan24
Explorer

Thanks! I do recognize where I might change it, along with transforms.conf, but I was hoping for a more definitive reading or guide to understand my particular problem.

cpetterborg
SplunkTrust

1- Looks like you just have to set up your props.conf so that the timestamp is ignored, or the "Fri..." is ignored as the date by defining what the data should look like, AND you should do the event breaker as well, which I would set to something like:

^\w\w\w\s\w\w\w\s\d\d\s\d\d:

2- props.conf and transforms.conf are the way that I would do it, but there may be an easier way. Anyone else want to chime in here?

3- That would be the way the log is created, or you might be able to do it again in props.conf and transforms.conf. I don't know how to make the radius log format be different.

If you want to know more about the props.conf and transforms.conf ways, comment here to let me know and I'll add some more, or others can help out with it too. 🙂 #1 should be easy enough to do if you have access. Do you have access to the props.conf on the indexers, or are you using cloud?

mhassan24
Explorer

Thanks cpetterborg!

Still stuck on 3) unfortunately. If you stumble upon something, please do share!

cpetterborg
SplunkTrust

From the FreeRadius Wiki it looks like you can't change the separated lines to a single line. Here is a web page that gives the information on what you CAN do:

FreeRadius Config/Logging

So it looks like you will have to accomplish that through the transforms and props configs. But, is that what you want to do? What would that accomplish? Are you just having problems with the event and parsing, because I would think that you could still do all that and just leave the data on multiple lines.

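One props.conf/transforms.conf pair that addresses all three points raised in the thread (breaking only at a record's date header, overriding host from Tunnel-Server-Auth-Id:0, and collapsing the attribute lines onto one line), added here as an example and not taken from any of the posters. The sourcetype name radacct, the NAS name in the sample and the exact layout of the detail file are assumptions; the settings belong on the parsing tier (indexers or a heavy forwarder), not on a universal forwarder.

```ini
# props.conf -- example config, not from the thread.
# Assumes a radacct detail file whose records look like this (constructed sample):
#   Fri Jan 13 12:34:56 2023
#       Acct-Session-Id = "5f1a2b3c"
#       Tunnel-Server-Auth-Id:0 = "nas01.example.net"
#       Timestamp = 1673612096
#   <blank line>
[radacct]
# 1. Break a new event only where the blank line is followed by a
#    weekday/month/day/time/year header; the blank line itself is consumed
#    by the capture group, so "Timestamp = <epoch>" can no longer split events.
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r?\n\r?\n)\w{3}\s\w{3}\s[ \d]\d\s\d\d:\d\d:\d\d\s\d{4}
# Take _time from the header line at the start of the event, not from the
# epoch value in the Timestamp attribute further down.
TIME_PREFIX = ^
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
# 2. Set host from the NAS identifier carried in the record (see transforms.conf).
TRANSFORMS-radacct_host = radacct_host
# 3. Join the indented attribute lines into one line, one space between fields.
SEDCMD-radacct_oneline = s/\r?\n\s+/ /g

# transforms.conf -- example config, not from the thread.
[radacct_host]
# Matches whether or not the value is quoted and whether or not the lines
# have already been collapsed onto one line.
REGEX = Tunnel-Server-Auth-Id:0\s*=\s*"?([^"\s]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Because LINE_BREAKER, TIME_* and SEDCMD are index-time settings, they affect only data indexed after the change; re-index a sample file to confirm the single-event, single-line result before relying on host= searches.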