topic Re: Indexing FreeRadius Accounting Logs in Getting Data In

Indexing FreeRadius Accounting Logs

mhassan24 — Tue, 28 Mar 2017 20:59:33 GMT

Hi,

I am indexing FreeRadius Accounting logs from /var/log/radius/radacct/ directory.
Below is an image of a sample log in Splunk:

Issues/Requests:

The log splits before the TimeStamp = < >field in the log, creating two logs on Splunk instead of one (shown in a red box in the image)
How can I change the host= on Splunk to map to field "Tunnel-Server-Auth-Id:0" in the log itself, so it can be searched via hostname?
Is there a way for the log to have a single space between each field, instead of a new line?

Thanks! I'd love input on these and am absolutely open to reading through links/documentation anyone shares to find the answer.

Re: Indexing FreeRadius Accounting Logs

cpetterborg — Tue, 28 Mar 2017 21:20:52 GMT

1- Looks like you just have to set up your props.conf so that the timestamp is ignored, or the "Fri..." is ignored as the date by defining what the data should look like, AND you should do the event breaker as well, which I would set to something like:

^\w\w\w\s\w\w\w\s\d\d\s\d\d:

2- props.conf and transforms.conf is the way that I would do it, but there may be an easier way. Anyone else want to chime in here?

3- That would be the way the log is created, or you might be able to do it again in props.conf and transforms.conf. I don't know how to make the radius log format be different.

if you want to know more about the props.conf and transforms.conf ways, comment here to let me know and I'll add some more, or others can help out with it too. 🙂 #1 should be easy enough to do if you have access. Do you have access to the props.conf on the indexers, or are you using cloud?

Re: Indexing FreeRadius Accounting Logs

medveleyenet — Tue, 28 Mar 2017 21:24:14 GMT

En el props.conf debes de poner el formato que desees poner

Translation: In the props.conf you have to put the format that you want to put

Re: Indexing FreeRadius Accounting Logs

mhassan24 — Wed, 29 Mar 2017 01:13:07 GMT

Thanks! I do recognize where I might change it, along with transforms.conf, but I was hoping for a more definitive reading or guide to understand my particular problem.

Re: Indexing FreeRadius Accounting Logs

mhassan24 — Thu, 30 Mar 2017 16:53:13 GMT

Thanks cpetterborg!

Still stuck on 3) unfortunately. IF you stumble upon something, please do share!

Re: Indexing FreeRadius Accounting Logs

cpetterborg — Thu, 30 Mar 2017 17:22:34 GMT

From the FreeRadius Wiki it looks like you can't change the separated lines to a single line. Here is a web page that gives the information on what you CAN do:

FreeRadius Config/Logging

So it looks like you will have to accomplish that through the transforms and props configs. But, is that what you want to do? What would that accomplish? Are you just having problems with the event and parsing, because I would think that you could still do all that and just leave the data on multiple lines.