Getting Data In

How to configure Splunk to monitor Border Network Gateway (BNG) accounting traffic?

vincenteous
Communicator

Hello Everyone,

Actually, I don't know if this question is actually valid to be asked here or not. So, I'm going to give it a shot here.
I have a requirement to monitor Border Network Gateway (BNG)'s accounting traffic using Splunk. The data input seems to be quite straightforward with the usage of UDP port 1813 to send the traffic. But the problem is, to throw the traffic into Splunk, the BNG has to share a secret key just like when we are trying to throw the traffic to a RADIUS server. Below is the sample command from BNG side:

radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

At Splunk side, what should be configured aside from inputs.conf to receive the traffic? Is there any alternative way if this were not possible?

Thanks in advance

0 Karma
1 Solution

muebel
SplunkTrust
SplunkTrust

Hi vincenteous, I believe that you will want to not directly forward the authentication events to Splunk itself, but instead setup a radius server to log the authentication events locally, and then use the splunk forwarder to input those events like any other file monitor input. In this way you don't have to worry about the shared secret key from the splunk perspective.

Let me know if this works out 😄

View solution in original post

muebel
SplunkTrust
SplunkTrust

Hi vincenteous, I believe that you will want to not directly forward the authentication events to Splunk itself, but instead setup a radius server to log the authentication events locally, and then use the splunk forwarder to input those events like any other file monitor input. In this way you don't have to worry about the shared secret key from the splunk perspective.

Let me know if this works out 😄

vincenteous
Communicator

I guess this is the best which I can do. Thanks muebel for the answer

Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...