monitoring freeradius radacct files

ipteam
Engager

Hello,

I'd like to monitor radacct files. I have the following config in inputs.conf:

[monitor:///var/log/freeradius/radacct]
recursive = true
sourcetype = syslog

The main problem is about line-breaking. I'd like to see the whole event, but I get one event per line. How can I configure props.conf to see the whole event? Is it possible to do this recursively on the whole directory as well?

Thanks,


ipteam
Engager

Thanks for the reply. Half of the problem is already solved; now I parse the log correctly after including the stanza in props.conf.
The next question would be about the props.conf configuration. I have a recursive file monitoring stanza in inputs.conf which continually reads the radacct log from different files in different directories. recursive=true in inputs.conf helped to monitor all the files, but I cannot transform the whole directory via props.conf. As I see it, I can only add a file or a directory, but not recursively the whole structure.

Here are the configs:

inputs.conf:

[monitor:///var/log/freeradius/radacct]
recursive = true
sourcetype = syslog

props.conf:

[source::/var/log/freeradius/radacct/]
SHOULD_LINEMERGE = true
REPORT-vievents = vievents_extractions
BREAK_ONLY_BEFORE = ^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)

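To make concrete what the props.conf stanza above changes, here is a small Python emulation, added as an example and not code from the original posts or from Splunk, of the two line-breaking behaviours: the per-line events the poster first got, and the merged events produced by SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE = ^(Sun|Mon|Tue|Wed|Thu|Fri|Sat). The sample records are constructed in the style of a FreeRADIUS radacct detail file (weekday timestamp line, tab-indented "Attribute = value" lines, blank line between records); the attribute values and session ids are invented. Once events are whole, the Start and Stop records of one Acct-Session-Id can be paired, which the example also shows.

```python
import re

# Constructed sample in the style of a FreeRADIUS radacct detail file:
# each record starts with a weekday timestamp line, followed by tab-indented
# "Attribute = value" lines, and records are separated by a blank line.
SAMPLE_RADACCT = """\
Mon Jan  8 10:15:30 2024
\tAcct-Session-Id = "5A2F0001"
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10
\tTimestamp = 1704708930

Mon Jan  8 10:25:30 2024
\tAcct-Session-Id = "5A2F0001"
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tAcct-Session-Time = 600
\tTimestamp = 1704709530

"""

# The regex from the props.conf stanza in the thread.
BREAK_ONLY_BEFORE = re.compile(r"^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)")


def default_line_breaking(text):
    """What the original inputs.conf setup produced: every non-empty line
    becomes its own event."""
    return [line for line in text.splitlines() if line.strip()]


def break_events(text, break_re=BREAK_ONLY_BEFORE):
    """Emulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: a new event
    starts only at a line matching the regex; all other lines are appended
    to the current event."""
    events, current = [], []
    for line in text.splitlines():
        if break_re.match(line) and current:
            events.append("\n".join(current).rstrip())
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current).rstrip())
    return events


# Matches 'Attr = value' or 'Attr = "value"' with optional surrounding whitespace.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_event(event):
    """Turn one merged event into a dict of accounting attributes, keeping
    the timestamp line under the key "_time_line"."""
    lines = event.splitlines()
    fields = {"_time_line": lines[0].strip()}
    for line in lines[1:]:
        m = ATTR_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def session_summary(text):
    """Pair Start/Stop records per Acct-Session-Id, the kind of check that is
    only possible once each record is indexed as a single event."""
    sessions = {}
    for ev in map(parse_event, break_events(text)):
        sid = ev.get("Acct-Session-Id")
        if sid is None:
            continue
        entry = sessions.setdefault(sid, {"user": ev.get("User-Name")})
        entry[ev.get("Acct-Status-Type", "Unknown").lower()] = ev.get("Timestamp")
        if "Acct-Session-Time" in ev:
            entry["seconds"] = int(ev["Acct-Session-Time"])
    return sessions


if __name__ == "__main__":
    print(len(default_line_breaking(SAMPLE_RADACCT)), "events with per-line breaking")
    print(len(break_events(SAMPLE_RADACCT)), "events with BREAK_ONLY_BEFORE")
    print(session_summary(SAMPLE_RADACCT))
```

Note that BREAK_ONLY_BEFORE only anchors the start of an event; a blank separator line is simply absorbed into the preceding event and trimmed, which is why the emulation strips trailing whitespace on each flush.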

maciep
Champion

You can use "*" in the path to represent a single directory, or "..." to tell Splunk to recursively search subdirectories. Of course, the more you wildcard, the more resources Splunk will use to locate the logs to monitor.

This is from inputs.conf.spec

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input. Use
  "..." for recursive directory matching and "*" for wildcard matching in a
  single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will match
  foo/bar, foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
  example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
  does not recurse. For example, /foo/*/bar matches the files /foo/bar,
  /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar.
  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
  the bar directory within the specified path.
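Since the disagreement in this thread turns on what "..." and "*" actually match, here is a small matcher, added as an example and not code from Splunk or from the original posts, that implements the wildcard rules quoted from inputs.conf.spec and checks them against the spec's own examples. The radacct paths it is also run over are constructed (FreeRADIUS writes one subdirectory per NAS address by default, but the addresses and file names here are invented). The same "..." and "*" syntax is accepted in [source::...] stanzas in props.conf, which is the usual way to make one props stanza cover a whole directory tree rather than a single file or directory.

```python
import re


def segment_to_regex(seg):
    """Translate one path segment: '*' matches within the segment only."""
    return "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in seg)


def splunk_path_to_regex(pattern):
    """Translate a Splunk monitor path pattern into a compiled regex using the
    inputs.conf.spec rules: '...' recurses through any number of directory
    levels (including none), '*' matches a single path segment and does not
    recurse."""
    segments = pattern.split("/")
    last = len(segments) - 1
    parts = []
    for i, seg in enumerate(segments):
        if i < last:
            if seg == "...":
                parts.append("(?:.*/)?")      # zero or more directory levels
            elif seg == "*":
                parts.append("(?:[^/]*/)?")   # at most one directory level
            else:
                parts.append(segment_to_regex(seg) + "/")
        else:
            # Final segment: a trailing '...' matches everything below.
            parts.append(".*" if seg == "..." else segment_to_regex(seg))
    return re.compile("^" + "".join(parts) + "$")


def monitor_matches(pattern, path):
    """True if a monitor stanza with this path pattern would pick up the file."""
    return splunk_path_to_regex(pattern).match(path) is not None


def matching_files(pattern, paths):
    """Filter a list of candidate file paths down to those the pattern covers."""
    return [p for p in paths if monitor_matches(pattern, p)]


# Constructed radacct tree: one directory per NAS address plus an archive
# subdirectory, and an unrelated log next to it.
SAMPLE_PATHS = [
    "/var/log/freeradius/radacct/192.0.2.10/detail-20240108",
    "/var/log/freeradius/radacct/192.0.2.11/detail-20240108",
    "/var/log/freeradius/radacct/192.0.2.10/archive/detail-20231201",
    "/var/log/freeradius/radius.log",
]

if __name__ == "__main__":
    for pattern in ("/var/log/freeradius/radacct/...",
                    "/var/log/freeradius/radacct/*/detail-*"):
        print(pattern)
        for p in matching_files(pattern, SAMPLE_PATHS):
            print("   ", p)
```

The two patterns in the usage block illustrate the trade-off maciep mentions: the "..." form covers every file under radacct including the archive subdirectory, while the "*" form reaches exactly one directory level and so picks up only the current per-NAS detail files.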

ipteam
Engager

There was not any problem with the inputs, but with props.conf. BTW I have found the solution. I made a custom sourcetype (radacct) which I can handle in props.conf, no need for recursive search in directories.


maciep
Champion

OK, then I officially have no idea what you needed help with or what you were trying to accomplish, but I'm glad you figured it out 🙂


maciep
Champion

I'm not familiar with the freeradius, so I don't know what the logs look like. A few sample log entries would be helpful. We can help get the data parsed correctly but need to know what we're parsing.
