Anyone using splunk and willing to share useful searches
We use splunk here at the university and I am just starting to get into it. Is there anyone out there that has some stuff set up and would be willing to share the searches and stuff you use? ------------------------ Walter Reynolds Principal Systems Security Development Engineer Information and Technology Services University of Michigan (734) 615-9438
On 21/10/2015, at 06:38, Walter Reynolds <waltr@umich.edu> wrote:
We use splunk here at the university and I am just starting to get into it. Is there anyone out there that has some stuff set up and would be willing to share the searches and stuff you use?
I use splunk extensively, though not over detail files. We write Auth, Acct start, and Acct stop to files with line log, and ingest that. This way we limit the storage (and licensing!) requirements, and we make it easier to process without writing splunk filters and things. For our use case, interim updates are not valuable in Splunk. We use transactions, starting with an acct stop and ending with an acct start, keyed on the username to see how long a user is down for. We have geocoding information available for all our users so can plot users who are offline on a map, etc. etc. We also capture accounting on and accounting off and mix that in so we don’t have transactions open forever if a NAS blows up, etc. etc. I wouldn’t use it for accounting, but it’s great for bulk analysis and generating alerts and so on. Of course, splunk also looks at our radius.log and normal syslog stuff, though this isn’t anything special. -- Nathan Ward
On 20/10/2015 23:09, Nathan Ward wrote:
We write Auth, Acct start, and Acct stop to files with line log, and ingest that. This way we limit the storage (and licensing!)
Yeah, this is a big thing with splunk; the volume if you want to log every access-request/challenge/accept/reject can be prohibitive. We send a custom linelog to them designed to send the absolute minimum number of bytes; detail logs are probably way too verbose to be useful. The searches are probably way too site-specific to be useful sharing; it all depends what you're using splunk *for*
requirements, and we make it easier to process without writing splunk filters and things. For our use case, interim updates are not valuable in Splunk. We use transactions, starting with an acct stop
The 3rd party who advised us was not so keen on transactions, claiming they had poor performance. We use them anyway - they're too useful to ignore, and we see no problems. But be cautious.
and ending with an acct start, keyed on the username to see how long a user is down for. We have geocoding information available for all our users so can plot users who are offline on a map, etc. etc.
The geocoding is useful. We use it to identify suspicious activity on RAS.
Am Mittwoch, 21. Oktober 2015, 14:14:25 schrieb Phil Mayers:
On 20/10/2015 23:09, Nathan Ward wrote:
We write Auth, Acct start, and Acct stop to files with line log, and ingest that. This way we limit the storage (and licensing!)
Yeah, this is a big thing with splunk; the volume if you want to log every access-request/challenge/accept/reject can be prohibitive.
We send a custom linelog to them designed to send the absolute minimum number of bytes; detail logs are probably way too verbose to be useful.
The searches are probably way too site-specific to be useful sharing; it all depends what you're using splunk *for*
requirements, and we make it easier to process without writing splunk filters and things. For our use case, interim updates are not valuable in Splunk. We use transactions, starting with an acct stop
The 3rd party who advised us was not so keen on transactions, claiming they had poor performance. We use them anyway - they're too useful to ignore, and we see no problems. But be cautious.
and ending with an acct start, keyed on the username to see how long a user is down for. We have geocoding information available for all our users so can plot users who are offline on a map, etc. etc.
The geocoding is useful. We use it to identify suspicious activity on RAS. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You may give logstash / elasticsearch / kibana a try. If you set up a log monitoring system from the scratch for RADIUS it might just fit you needs. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
On Wed, Oct 21, 2015 at 03:19:12PM +0200, Michael Schwartzkopff wrote:
You may give logstash / elasticsearch / kibana a try. If you set up a log monitoring system from the scratch for RADIUS it might just fit you needs.
Cue reminder about the logstash/elasticsearch config files in the FreeRADIUS source: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/doc/schemas/logs... I hope to have a basic Kibana dashboard there soon as well. Open to suggestions for improvement (e.g. I didn't geocode any of the IP addresses because it didn't seem worthwhile for our own wireless network, but now that I'm developing RADIUS for a VPN it makes more sense so I'll probably add that). And no licencing fees - we're trying to throw *everything* in it. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (5)
-
Matthew Newton -
Michael Schwartzkopff -
Nathan Ward -
Phil Mayers -
Walter Reynolds