
How to parse RADIUS log files into Splunk? What configuration is required for props and transforms?

johnward4
Communicator

Log entry example :

"MKEDC3","IAS",12/13/2017,16:40:19,1,"host/MKELT458.WNAD.NET","WNAD\MKELT458$","E2-55-6D-B8-BB-34:WN-intern3","08-11-96-7D-70-D0",,,,"10.1.231.13",0,0,"10.1.231.13","pun-ca-cap8",,,19,"CONNECT 0Mbps 802.11b",,,5,"WN-intern",0,"311 1 10.1.5.93 11/16/2017 14:20:48 383",,,,,,,,,"44C00079-00000000",,,,,,,,,,,,,,,,,,,,,,,,,"WN-intern",1,,,,

host= desktop-111 source=C:\Windows\System32\LogFiles\IN171213.log sourcetype = Radius

I'm looking for help creating props and transforms to normalize the _raw data and automatically pull the field data for RADIUS accounting logs. Please help.

1 Solution

anthonysomerset
Path Finder

So I got to this after doing my own research:

FYI - Field Definitions available here - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008

I had some issues with extracting timestamps from multiple fields, which I solved with the help of the following Splunk Answers question: https://answers.splunk.com/answers/305429/how-to-parse-date-and-time-in-different-columns-du.html

You only need the following props entry, then assign your sourcetype accordingly. If you use heavy forwarders, drop it on your heavy forwarder:

[windows_nps_ias]
# One event per line; never merge lines into multi-line events
SHOULD_LINEMERGE = false
# Fields come from the index-time CSV extraction below, so skip search-time auto KV
KV_MODE = NONE
INDEXED_EXTRACTIONS = CSV
# IAS-format files have no header row, so the 66 columns are named explicitly, in file order
FIELD_NAMES = ComputerName,ServiceName,Record_Date,Record_Time,Packet_Type,User_Name,Fully_Qualified_Distinguished_Name,Called_Station_ID,Calling_Station_ID,Callback_Number,Framed_IP_Address,NAS_Identifier,NAS_IP_Address,NAS_Port,Client_Vendor,Client_IP_Address,Client_Friendly_Name,Event_Timestamp,Port_Limit,NAS_Port_Type,Connect_Info,Framed_Protocol,Service_Type,Authentication_Type,Policy_Name,Reason_Code,Class,Session_Timeout,Idle_Timeout,Termination_Action,EAP_Friendly_Name,Acct_Status_Type,Acct_Delay_Time,Acct_Input_Octets,Acct_Output_Octets,Acct_Session_Id,Acct_Authentic,Acct_Session_Time,Acct_Input_Packets,Acct_Output_Packets,Acct_Terminate_Cause,Acct_Multi_Ssn_ID,Acct_Link_Count,Acct_Interim_Interval,Tunnel_Type,Tunnel_Medium_Type,Tunnel_Client_Endpt,Tunnel_Server_Endpt,Acct_Tunnel_Conn,Tunnel_Pvt_Group_ID,Tunnel_Assignment_ID,Tunnel_Preference,MS_Acct_Auth_Type,MS_Acct_EAP_Type,MS_RAS_Version,MS_RAS_Vendor,MS_CHAP_Error,MS_CHAP_Domain,MS_MPPE_Encryption_Types,MS_MPPE_Encryption_Policy,Proxy_Policy_Name,Provider_Type,Provider_Name,Remote_Server_Address,MS_RAS_Client_Name,MS_RAS_Client_Version
# The event time is assembled from the separate date and time columns
TIME_FORMAT = %m/%d/%Y%n%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TIMESTAMP_FIELDS = Record_Date,Record_Time
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
disabled = false
# Show the sourcetype in the UI sourcetype selector
pulldown_type = true

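To see what the stanza above does to a line, and to check a FIELD_NAMES list against a real file before deploying it, here is an added Python example that is not Splunk, Microsoft or the poster's code. It parses IAS-format lines with the same 66 column names, builds the event time from Record_Date and Record_Time, drops empty columns, decodes Packet_Type (the RADIUS packet codes) and a handful of Reason_Code values, and counts Access-Reject records per user. QUESTION_LINE is the questioner's sample line, assembled with explicit empty-column runs so the column positions are visible; the other sample lines, and the user name, MAC address and times in them, are constructed test data.

```python
"""Offline equivalent of the props.conf stanza above for Windows NPS (IAS-format) RADIUS
logs: fixed column names (the files have no header row), event time assembled from
Record_Date + Record_Time, empty columns dropped. Added example for this thread, not
Splunk or Microsoft code; sample lines other than the questioner's are constructed."""
import csv
import io
from collections import Counter
from datetime import datetime

# The 66 column names from the FIELD_NAMES setting in the accepted answer.
FIELD_NAMES = (
    "ComputerName,ServiceName,Record_Date,Record_Time,Packet_Type,User_Name,"
    "Fully_Qualified_Distinguished_Name,Called_Station_ID,Calling_Station_ID,Callback_Number,"
    "Framed_IP_Address,NAS_Identifier,NAS_IP_Address,NAS_Port,Client_Vendor,Client_IP_Address,"
    "Client_Friendly_Name,Event_Timestamp,Port_Limit,NAS_Port_Type,Connect_Info,Framed_Protocol,"
    "Service_Type,Authentication_Type,Policy_Name,Reason_Code,Class,Session_Timeout,Idle_Timeout,"
    "Termination_Action,EAP_Friendly_Name,Acct_Status_Type,Acct_Delay_Time,Acct_Input_Octets,"
    "Acct_Output_Octets,Acct_Session_Id,Acct_Authentic,Acct_Session_Time,Acct_Input_Packets,"
    "Acct_Output_Packets,Acct_Terminate_Cause,Acct_Multi_Ssn_ID,Acct_Link_Count,Acct_Interim_Interval,"
    "Tunnel_Type,Tunnel_Medium_Type,Tunnel_Client_Endpt,Tunnel_Server_Endpt,Acct_Tunnel_Conn,"
    "Tunnel_Pvt_Group_ID,Tunnel_Assignment_ID,Tunnel_Preference,MS_Acct_Auth_Type,MS_Acct_EAP_Type,"
    "MS_RAS_Version,MS_RAS_Vendor,MS_CHAP_Error,MS_CHAP_Domain,MS_MPPE_Encryption_Types,"
    "MS_MPPE_Encryption_Policy,Proxy_Policy_Name,Provider_Type,Provider_Name,Remote_Server_Address,"
    "MS_RAS_Client_Name,MS_RAS_Client_Version"
).split(",")

# RADIUS packet codes (RFC 2865/2866); NPS writes the same numbers into Packet_Type.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Small subset of NPS Reason-Code values; the Microsoft field-definition page linked
# above has the full table. 0 is success, anything else is a rejection or error reason.
REASON_CODES = {0: "IAS_SUCCESS", 8: "IAS_NO_SUCH_USER", 16: "IAS_AUTH_FAILURE",
                36: "IAS_ACCOUNT_LOCKED_OUT", 48: "IAS_NO_POLICY_MATCH"}

# Record_Date and Record_Time joined with a space; the columns carry no zone offset.
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def check_format(lines):
    """Indexes of lines whose column count differs from FIELD_NAMES. Run this over a
    real log file before deploying the stanza: after a mismatch every later column
    gets the wrong name."""
    return [i for i, line in enumerate(lines) if len(next(csv.reader([line]))) != len(FIELD_NAMES)]


def parse_line(line):
    """Return the non-empty fields of one line as a dict, plus _time and decoded
    Packet_Type / Reason_Code names. Raises ValueError on a column-count mismatch."""
    row = next(csv.reader([line]))  # csv copes with quoted values containing spaces or commas
    if len(row) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} columns, got {len(row)}")
    event = {name: value for name, value in zip(FIELD_NAMES, row) if value != ""}
    event["_time"] = datetime.strptime(f"{event['Record_Date']} {event['Record_Time']}", TIME_FORMAT)
    event["Packet_Type_Name"] = PACKET_TYPES.get(int(event.get("Packet_Type", 0)), "unknown")
    if "Reason_Code" in event:
        event["Reason_Name"] = REASON_CODES.get(int(event["Reason_Code"]), "unknown")
    return event


def failed_auths_by_user(lines):
    """Count Access-Reject packets per identity, the first query most people run on
    these logs (password spraying, locked-out accounts, stale Wi-Fi profiles)."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event["Packet_Type_Name"] == "Access-Reject":
            counts[event.get("User_Name") or event.get("Fully_Qualified_Distinguished_Name", "unknown")] += 1
    return counts


def make_line(**fields):
    """Build a 66-column IAS-format line from keyword fields (constructed test data)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow([str(fields.get(n, "")) for n in FIELD_NAMES])
    return buf.getvalue()


# The questioner's line, with each run of empty columns written out as [""] * n.
QUESTION_LINE = ",".join(
    ['"MKEDC3"', '"IAS"', "12/13/2017", "16:40:19", "1", '"host/MKELT458.WNAD.NET"',
     '"WNAD\\MKELT458$"', '"E2-55-6D-B8-BB-34:WN-intern3"', '"08-11-96-7D-70-D0"']
    + [""] * 3                                      # Callback_Number .. NAS_Identifier
    + ['"10.1.231.13"', "0", "0", '"10.1.231.13"', '"pun-ca-cap8"']
    + [""] * 2                                      # Event_Timestamp, Port_Limit
    + ["19", '"CONNECT 0Mbps 802.11b"']             # NAS_Port_Type 19 = Wireless-802.11
    + [""] * 2                                      # Framed_Protocol, Service_Type
    + ["5", '"WN-intern"', "0", '"311 1 10.1.5.93 11/16/2017 14:20:48 383"']
    + [""] * 8                                      # Session_Timeout .. Acct_Output_Octets
    + ['"44C00079-00000000"']                       # Acct_Session_Id
    + [""] * 24                                     # Acct_Authentic .. MS_MPPE_Encryption_Policy
    + ['"WN-intern"', "1"]                          # Proxy_Policy_Name, Provider_Type
    + [""] * 4)                                     # Provider_Name .. MS_RAS_Client_Version

# Constructed follow-up records: an Access-Accept for the machine account above, then two
# Access-Rejects for a made-up user and client MAC (made-up values, not real NPS output).
SAMPLE_LINES = [
    QUESTION_LINE,
    make_line(ComputerName="MKEDC3", ServiceName="IAS", Record_Date="12/13/2017", Record_Time="16:40:20",
              Packet_Type=2, Fully_Qualified_Distinguished_Name="WNAD\\MKELT458$",
              Policy_Name="WN-intern", Reason_Code=0),
    make_line(ComputerName="MKEDC3", ServiceName="IAS", Record_Date="12/13/2017", Record_Time="16:41:02",
              Packet_Type=3, User_Name="WNAD\\jdoe", Calling_Station_ID="5C-F9-38-AA-10-42",
              Policy_Name="WN-intern", Reason_Code=16),
    make_line(ComputerName="MKEDC3", ServiceName="IAS", Record_Date="12/13/2017", Record_Time="16:41:09",
              Packet_Type=3, User_Name="WNAD\\jdoe", Calling_Station_ID="5C-F9-38-AA-10-42",
              Policy_Name="WN-intern", Reason_Code=36),
]
```

Two things the script surfaces that the stanza does not: check_format is the test to run over a day's worth of real log before trusting FIELD_NAMES, since a column-count mismatch mis-names every field after it without any error; and Record_Date/Record_Time have no time-zone offset, so if the NPS server's zone differs from the indexer's, add a TZ setting to the stanza or the events will land at the wrong _time.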

woody188
New Member

Looks like this was included in the Windows TA now, using sourcetype=windows_ias.


sergiollg
Loves-to-Learn Lots

Did this work for you? I have checked the Splunk_TA_windows add-on and there is no sourcetype called windows_ias.

How are you parsing Radius events?


sergiollg
Loves-to-Learn Lots

This is the sourcetype you should use: WinEventLog:System:IAS


jwindley_splunk
Splunk Employee

Hi @anthonysomerset, don't suppose you made a CIM compliant app for this did you?


sudosplunk
Motivator

Additionally, you can have a look at Splunk TA for Radius Authentication.


anthonysomerset
Path Finder

That's for RADIUS authentication to Splunk, not for parsing logs from Windows NPS (RADIUS) into Splunk 🙂


sudosplunk
Motivator

That's right. My apologies! Thank you.
