All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse Radius log files into splunk? What the configuration required for props and transforms

johnward4
Communicator
‎12-20-2017 04:39 PM

Log entry example :

"MKEDC3","IAS",12/13/2017,16:40:19,1,"host/MKELT458.WNAD.NET","WNAD\MKELT458$","E2-55-6D-B8-BB-34:WN-intern3","08-11-96-7D-70-D0",,,,"10.1.231.13",0,0,"10.1.231.13","pun-ca-cap8",,,19,"CONNECT 0Mbps 802.11b",,,5,"WN-intern",0,"311 1 10.1.5.93 11/16/2017 14:20:48 383",,,,,,,,,"44C00079-00000000",,,,,,,,,,,,,,,,,,,,,,,,,"WN-intern",1,,,,

host= desktop-111 source=C:\Windows\System32\LogFiles\IN171213.log sourcetype = Radius

I'm looking for help creating props and transforms for to normalize the _raw data and automatically pull the field data for Radius accounting logs. Please help

Reply
1 Solution
Solved! Jump to solution
Solution

anthonysomerset
Path Finder
‎08-01-2018 02:26 AM

So i got to this after doing my own research:

FYI - Field Definitions available here - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008

I had some issues with extracting timestamps from multiple fields which i solved with the help of the following Splunk Answers Question: https://answers.splunk.com/answers/305429/how-to-parse-date-and-time-in-different-columns-du.html

you only need the following props entry then assign your sourcetype accordingly - if you use Heavy Forwarders then drop it on your heavy forwarder:

[windows_nps_ias]
SHOULD_LINEMERGE = false
KV_MODE = NONE
INDEXED_EXTRACTIONS = CSV
FIELD_NAMES = ComputerName,ServiceName,Record_Date,Record_Time,Packet_Type,User_Name,Fully_Qualified_Distinguished_Name,Called_Station_ID,Calling_Station_ID,Callback_Number,Framed_IP_Address,NAS_Identifier,NAS_IP_Address,NAS_Port,Client_Vendor,Client_IP_Address,Client_Friendly_Name,Event_Timestamp,Port_Limit,NAS_Port_Type,Connect_Info,Framed_Protocol,Service_Type,Authentication_Type,Policy_Name,Reason_Code,Class,Session_Timeout,Idle_Timeout,Termination_Action,EAP_Friendly_Name,Acct_Status_Type,Acct_Delay_Time,Acct_Input_Octets,Acct_Output_Octets,Acct_Session_Id,Acct_Authentic,Acct_Session_Time,Acct_Input_Packets,Acct_Output_Packets,Acct_Terminate_Cause,Acct_Multi_Ssn_ID,Acct_Link_Count,Acct_Interim_Interval,Tunnel_Type,Tunnel_Medium_Type,Tunnel_Client_Endpt,Tunnel_Server_Endpt,Acct_Tunnel_Conn,Tunnel_Pvt_Group_ID,Tunnel_Assignment_ID,Tunnel_Preference,MS_Acct_Auth_Type,MS_Acct_EAP_Type,MS_RAS_Version,MS_RAS_Vendor,MS_CHAP_Error,MS_CHAP_Domain,MS_MPPE_Encryption_Types,MS_MPPE_Encryption_Policy,Proxy_Policy_Name,Provider_Type,Provider_Name,Remote_Server_Address,MS_RAS_Client_Name,MS_RAS_Client_Version
TIME_FORMAT = %m/%d/%Y%n%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TIMESTAMP_FIELDS = Record_Date,Record_Time
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

View solution in original post

Reply
Solved! Jump to solution

woody188
New Member
‎04-22-2022 11:58 AM

Looks like this was included in the Windows TA now using sourcetype=windows_ias

0 Karma
Reply
Solved! Jump to solution

sergiollg
Loves-to-Learn Lots
‎03-09-2023 04:47 AM

Did this work for you? I have checked the Splunk_TA_windows Add-On and there is no any sourcetype called windows_ias. 

How are you parsing Radius events?

0 Karma
Reply
Solved! Jump to solution

sergiollg
Loves-to-Learn Lots
‎03-09-2023 05:00 AM

This is the sourcetype you should use: WinEventLog:System:IAS

0 Karma
Reply
Solved! Jump to solution
Solution

anthonysomerset
Path Finder
‎08-01-2018 02:26 AM

So i got to this after doing my own research:

FYI - Field Definitions available here - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008

I had some issues with extracting timestamps from multiple fields which i solved with the help of the following Splunk Answers Question: https://answers.splunk.com/answers/305429/how-to-parse-date-and-time-in-different-columns-du.html

you only need the following props entry then assign your sourcetype accordingly - if you use Heavy Forwarders then drop it on your heavy forwarder:

[windows_nps_ias]
SHOULD_LINEMERGE = false
KV_MODE = NONE
INDEXED_EXTRACTIONS = CSV
FIELD_NAMES = ComputerName,ServiceName,Record_Date,Record_Time,Packet_Type,User_Name,Fully_Qualified_Distinguished_Name,Called_Station_ID,Calling_Station_ID,Callback_Number,Framed_IP_Address,NAS_Identifier,NAS_IP_Address,NAS_Port,Client_Vendor,Client_IP_Address,Client_Friendly_Name,Event_Timestamp,Port_Limit,NAS_Port_Type,Connect_Info,Framed_Protocol,Service_Type,Authentication_Type,Policy_Name,Reason_Code,Class,Session_Timeout,Idle_Timeout,Termination_Action,EAP_Friendly_Name,Acct_Status_Type,Acct_Delay_Time,Acct_Input_Octets,Acct_Output_Octets,Acct_Session_Id,Acct_Authentic,Acct_Session_Time,Acct_Input_Packets,Acct_Output_Packets,Acct_Terminate_Cause,Acct_Multi_Ssn_ID,Acct_Link_Count,Acct_Interim_Interval,Tunnel_Type,Tunnel_Medium_Type,Tunnel_Client_Endpt,Tunnel_Server_Endpt,Acct_Tunnel_Conn,Tunnel_Pvt_Group_ID,Tunnel_Assignment_ID,Tunnel_Preference,MS_Acct_Auth_Type,MS_Acct_EAP_Type,MS_RAS_Version,MS_RAS_Vendor,MS_CHAP_Error,MS_CHAP_Domain,MS_MPPE_Encryption_Types,MS_MPPE_Encryption_Policy,Proxy_Policy_Name,Provider_Type,Provider_Name,Remote_Server_Address,MS_RAS_Client_Name,MS_RAS_Client_Version
TIME_FORMAT = %m/%d/%Y%n%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TIMESTAMP_FIELDS = Record_Date,Record_Time
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
Reply
Solved! Jump to solution

jwindley_splunk
Splunk Employee
Splunk Employee
‎01-21-2019 08:15 AM

Hi @anthonysomerset, don't suppose you made a CIM compliant app for this did you?

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-01-2018 04:48 AM

Additionally, you can have a look at Splunk TA for Radius Authentication.

0 Karma
Reply
Solved! Jump to solution

anthonysomerset
Path Finder
‎08-01-2018 04:56 AM

thats for RADIUS authentication to splunk - not for parsing logs from Windows NPS (RADIUS) into splunk 🙂

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-01-2018 05:00 AM

That's right. My apologies! Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...