Solved: How to parse Radius log files into splunk? What th...

johnward4 · ‎12-20-2017

Log entry example :

"MKEDC3","IAS",12/13/2017,16:40:19,1,"host/MKELT458.WNAD.NET","WNAD\MKELT458$","E2-55-6D-B8-BB-34:WN-intern3","08-11-96-7D-70-D0",,,,"10.1.231.13",0,0,"10.1.231.13","pun-ca-cap8",,,19,"CONNECT 0Mbps 802.11b",,,5,"WN-intern",0,"311 1 10.1.5.93 11/16/2017 14:20:48 383",,,,,,,,,"44C00079-00000000",,,,,,,,,,,,,,,,,,,,,,,,,"WN-intern",1,,,,

host= desktop-111 source=C:\Windows\System32\LogFiles\IN171213.log sourcetype = Radius

I'm looking for help creating props and transforms for to normalize the _raw data and automatically pull the field data for Radius accounting logs. Please help

anthonysomerset · ‎08-01-2018

So i got to this after doing my own research:

FYI - Field Definitions available here - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008

I had some issues with extracting timestamps from multiple fields which i solved with the help of the following Splunk Answers Question: https://answers.splunk.com/answers/305429/how-to-parse-date-and-time-in-different-columns-du.html

you only need the following props entry then assign your sourcetype accordingly - if you use Heavy Forwarders then drop it on your heavy forwarder:

[windows_nps_ias]
SHOULD_LINEMERGE = false
KV_MODE = NONE
INDEXED_EXTRACTIONS = CSV
FIELD_NAMES = ComputerName,ServiceName,Record_Date,Record_Time,Packet_Type,User_Name,Fully_Qualified_Distinguished_Name,Called_Station_ID,Calling_Station_ID,Callback_Number,Framed_IP_Address,NAS_Identifier,NAS_IP_Address,NAS_Port,Client_Vendor,Client_IP_Address,Client_Friendly_Name,Event_Timestamp,Port_Limit,NAS_Port_Type,Connect_Info,Framed_Protocol,Service_Type,Authentication_Type,Policy_Name,Reason_Code,Class,Session_Timeout,Idle_Timeout,Termination_Action,EAP_Friendly_Name,Acct_Status_Type,Acct_Delay_Time,Acct_Input_Octets,Acct_Output_Octets,Acct_Session_Id,Acct_Authentic,Acct_Session_Time,Acct_Input_Packets,Acct_Output_Packets,Acct_Terminate_Cause,Acct_Multi_Ssn_ID,Acct_Link_Count,Acct_Interim_Interval,Tunnel_Type,Tunnel_Medium_Type,Tunnel_Client_Endpt,Tunnel_Server_Endpt,Acct_Tunnel_Conn,Tunnel_Pvt_Group_ID,Tunnel_Assignment_ID,Tunnel_Preference,MS_Acct_Auth_Type,MS_Acct_EAP_Type,MS_RAS_Version,MS_RAS_Vendor,MS_CHAP_Error,MS_CHAP_Domain,MS_MPPE_Encryption_Types,MS_MPPE_Encryption_Policy,Proxy_Policy_Name,Provider_Type,Provider_Name,Remote_Server_Address,MS_RAS_Client_Name,MS_RAS_Client_Version
TIME_FORMAT = %m/%d/%Y%n%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TIMESTAMP_FIELDS = Record_Date,Record_Time
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

View solution in original post

woody188 · ‎04-22-2022

Looks like this was included in the Windows TA now using sourcetype=windows_ias

sergiollg · ‎03-09-2023

Did this work for you? I have checked the Splunk_TA_windows Add-On and there is no any sourcetype called windows_ias.

How are you parsing Radius events?

sergiollg · ‎03-09-2023

This is the sourcetype you should use: WinEventLog:System:IAS

anthonysomerset · ‎08-01-2018

So i got to this after doing my own research:

FYI - Field Definitions available here - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008

I had some issues with extracting timestamps from multiple fields which i solved with the help of the following Splunk Answers Question: https://answers.splunk.com/answers/305429/how-to-parse-date-and-time-in-different-columns-du.html

you only need the following props entry then assign your sourcetype accordingly - if you use Heavy Forwarders then drop it on your heavy forwarder:

[windows_nps_ias]
SHOULD_LINEMERGE = false
KV_MODE = NONE
INDEXED_EXTRACTIONS = CSV
FIELD_NAMES = ComputerName,ServiceName,Record_Date,Record_Time,Packet_Type,User_Name,Fully_Qualified_Distinguished_Name,Called_Station_ID,Calling_Station_ID,Callback_Number,Framed_IP_Address,NAS_Identifier,NAS_IP_Address,NAS_Port,Client_Vendor,Client_IP_Address,Client_Friendly_Name,Event_Timestamp,Port_Limit,NAS_Port_Type,Connect_Info,Framed_Protocol,Service_Type,Authentication_Type,Policy_Name,Reason_Code,Class,Session_Timeout,Idle_Timeout,Termination_Action,EAP_Friendly_Name,Acct_Status_Type,Acct_Delay_Time,Acct_Input_Octets,Acct_Output_Octets,Acct_Session_Id,Acct_Authentic,Acct_Session_Time,Acct_Input_Packets,Acct_Output_Packets,Acct_Terminate_Cause,Acct_Multi_Ssn_ID,Acct_Link_Count,Acct_Interim_Interval,Tunnel_Type,Tunnel_Medium_Type,Tunnel_Client_Endpt,Tunnel_Server_Endpt,Acct_Tunnel_Conn,Tunnel_Pvt_Group_ID,Tunnel_Assignment_ID,Tunnel_Preference,MS_Acct_Auth_Type,MS_Acct_EAP_Type,MS_RAS_Version,MS_RAS_Vendor,MS_CHAP_Error,MS_CHAP_Domain,MS_MPPE_Encryption_Types,MS_MPPE_Encryption_Policy,Proxy_Policy_Name,Provider_Type,Provider_Name,Remote_Server_Address,MS_RAS_Client_Name,MS_RAS_Client_Version
TIME_FORMAT = %m/%d/%Y%n%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TIMESTAMP_FIELDS = Record_Date,Record_Time
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

jwindley_splunk · ‎01-21-2019

Hi @anthonysomerset, don't suppose you made a CIM compliant app for this did you?

sudosplunk · ‎08-01-2018

Additionally, you can have a look at Splunk TA for Radius Authentication.

anthonysomerset · ‎08-01-2018

thats for RADIUS authentication to splunk - not for parsing logs from Windows NPS (RADIUS) into splunk 🙂

sudosplunk · ‎08-01-2018

That's right. My apologies! Thank you.

How to parse Radius log files into splunk? What the configuration required for props and transforms

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM