Getting Data In

How to parse and send logs to a third party syslog server, but forward full raw logs to the indexer?

ckillg
Path Finder

I have some RADIUS logs that I need to parse and send to a third party syslog server; however, I want to send the intact raw logs to the indexer. Is there a way to do this?

Thanks,
Neill

0 Karma

hortonew
Builder

There are a number of different options depending on which stage you want to send to the 3rd party. Are the logs already configured to send to a Splunk forwarder of some kind? Is it collected via syslog-ng + written to a file, or just ingested via a tcp/udp input?

  1. If you want to send data that already exists in Splunk, check out this app to see if it'll help for search type output: https://splunkbase.splunk.com/app/1847/
  2. If not that, one option is having the RADIUS server point at a virtual IP, and have the 3rd party load balancer mirror the traffic.
  3. If you're already collecting this as syslog via syslog-ng or something similar: In your outputs.conf, you could configure data cloning. So ingest the data, and send it to multiple destinations. If this is on a heavy forwarder, you might have to configure indexAndForward=false globally, which might affect your other data. If you're just using a universal forwarder, you should be fine as it can't index the data. See the following, and look for the cloning section: http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Configureforwarderswithoutputs.confd
0 Karma
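As an added illustration of option 3 (not configuration from this thread or from Splunk's docs), here is how the cloning plus a selective syslog route would look on a heavy forwarder; the hostnames, ports, group names and the `radius` sourcetype are placeholders you would replace with your own.

```ini
# outputs.conf on the heavy forwarder (example configuration; hostnames,
# ports and group names are placeholders)

[tcpout]
# Clone every event to the Splunk indexers...
defaultGroup = splunk_indexers
# ...without also indexing a copy locally on the heavy forwarder.
# Only valid on heavy forwarders; a universal forwarder never indexes.
indexAndForward = false

[tcpout:splunk_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# The syslog output processor exists only on heavy forwarders, not on
# universal forwarders. No defaultGroup under [syslog], so nothing reaches
# the third party unless a transform routes it there (see below).
[syslog:third_party_syslog]
server = siem.example.com:514
type = udp

# props.conf: apply the routing transform only to the RADIUS sourcetype,
# so other data is cloned to the indexers but never leaves for the SIEM.
[radius]
TRANSFORMS-route_radius = radius_to_syslog

# transforms.conf: REGEX = . matches every event of that sourcetype and
# tags it for the syslog group; the tcpout clone is unaffected.
[radius_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = third_party_syslog
```

Restart the forwarder after changing these files, and confirm on the indexer that the RADIUS sourcetype still arrives there as well as at the syslog destination.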