https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/633875#M78680 <P>This is the sourcetype you should use:&nbsp;<STRONG>WinEventLog:System:IAS</STRONG></P> Thu, 09 Mar 2023 13:00:39 GMT sergiollg 2023-03-09T13:00:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351275#M42454 <P>Log entry example :</P> <P>"MKEDC3","IAS",12/13/2017,16:40:19,1,"host/MKELT458.WNAD.NET","WNAD\MKELT458$","E2-55-6D-B8-BB-34:WN-intern3","08-11-96-7D-70-D0",,,,"10.1.231.13",0,0,"10.1.231.13","pun-ca-cap8",,,19,"CONNECT 0Mbps 802.11b",,,5,"WN-intern",0,"311 1 10.1.5.93 11/16/2017 14:20:48 383",,,,,,,,,"44C00079-00000000",,,,,,,,,,,,,,,,,,,,,,,,,"WN-intern",1,,,,</P> <P>host= desktop-111 source=C:\Windows\System32\LogFiles\IN171213.log sourcetype = Radius</P> <P>I'm looking for help creating props and transforms for to normalize the _raw data and automatically pull the field data for Radius accounting logs. Please help</P> Thu, 21 Dec 2017 00:39:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351275#M42454 johnward4 2017-12-21T00:39:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351276#M42455 <P>So i got to this after doing my own research:</P> <P>FYI - Field Definitions available here - <A href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008</A></P> <P>I had some issues with extracting timestamps from multiple fields which i solved with the help of the following Splunk Answers Question: <A href="https://answers.splunk.com/answers/305429/how-to-parse-date-and-time-in-different-columns-du.html">https://answers.splunk.com/answers/305429/how-to-parse-date-and-time-in-different-columns-du.html</A></P> <P>you only need the following props entry then assign your sourcetype accordingly - if you use Heavy Forwarders then drop it on your heavy forwarder:</P> <PRE><CODE>[windows_nps_ias] SHOULD_LINEMERGE = false KV_MODE = NONE INDEXED_EXTRACTIONS = CSV FIELD_NAMES = ComputerName,ServiceName,Record_Date,Record_Time,Packet_Type,User_Name,Fully_Qualified_Distinguished_Name,Called_Station_ID,Calling_Station_ID,Callback_Number,Framed_IP_Address,NAS_Identifier,NAS_IP_Address,NAS_Port,Client_Vendor,Client_IP_Address,Client_Friendly_Name,Event_Timestamp,Port_Limit,NAS_Port_Type,Connect_Info,Framed_Protocol,Service_Type,Authentication_Type,Policy_Name,Reason_Code,Class,Session_Timeout,Idle_Timeout,Termination_Action,EAP_Friendly_Name,Acct_Status_Type,Acct_Delay_Time,Acct_Input_Octets,Acct_Output_Octets,Acct_Session_Id,Acct_Authentic,Acct_Session_Time,Acct_Input_Packets,Acct_Output_Packets,Acct_Terminate_Cause,Acct_Multi_Ssn_ID,Acct_Link_Count,Acct_Interim_Interval,Tunnel_Type,Tunnel_Medium_Type,Tunnel_Client_Endpt,Tunnel_Server_Endpt,Acct_Tunnel_Conn,Tunnel_Pvt_Group_ID,Tunnel_Assignment_ID,Tunnel_Preference,MS_Acct_Auth_Type,MS_Acct_EAP_Type,MS_RAS_Version,MS_RAS_Vendor,MS_CHAP_Error,MS_CHAP_Domain,MS_MPPE_Encryption_Types,MS_MPPE_Encryption_Policy,Proxy_Policy_Name,Provider_Type,Provider_Name,Remote_Server_Address,MS_RAS_Client_Name,MS_RAS_Client_Version TIME_FORMAT = %m/%d/%Y%n%H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 20 TIMESTAMP_FIELDS = Record_Date,Record_Time DATETIME_CONFIG = NO_BINARY_CHECK = true disabled = false pulldown_type = true </CODE></PRE> Wed, 01 Aug 2018 09:26:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351276#M42455 anthonysomerset 2018-08-01T09:26:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351277#M42456 <P>Additionally, you can have a look at <A href="https://splunkbase.splunk.com/app/981/#/details">Splunk TA for Radius Authentication</A>. </P> Wed, 01 Aug 2018 11:48:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351277#M42456 sudosplunk 2018-08-01T11:48:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351278#M42457 <P>thats for RADIUS authentication to splunk - not for parsing logs from Windows NPS (RADIUS) into splunk <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 01 Aug 2018 11:56:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351278#M42457 anthonysomerset 2018-08-01T11:56:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351279#M42458 <P>That's right. My apologies! Thank you.</P> Wed, 01 Aug 2018 12:00:15 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351279#M42458 sudosplunk 2018-08-01T12:00:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351280#M42459 <P>Hi @anthonysomerset, don't suppose you made a CIM compliant app for this did you?</P> Mon, 21 Jan 2019 16:15:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/351280#M42459 jwindley_splunk 2019-01-21T16:15:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/594959#M76677 <P>Looks like this was included in the Windows TA now using&nbsp;sourcetype=windows_ias</P> Fri, 22 Apr 2022 18:58:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/594959#M76677 woody188 2022-04-22T18:58:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/633874#M78679 <P>Did this work for you? I have checked the&nbsp;Splunk_TA_windows Add-On and there is no any sourcetype called windows_ias.&nbsp;</P><P>How are you parsing Radius events?</P> Thu, 09 Mar 2023 12:47:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/633874#M78679 sergiollg 2023-03-09T12:47:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/633875#M78680 <P>This is the sourcetype you should use:&nbsp;<STRONG>WinEventLog:System:IAS</STRONG></P> Thu, 09 Mar 2023 13:00:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-Radius-log-files-into-splunk-What-the-configuration/m-p/633875#M78680 sergiollg 2023-03-09T13:00:39Z