Anyone using splunk and willing to share useful searches
p.mayers at imperial.ac.uk
Wed Oct 21 15:14:25 CEST 2015
On 20/10/2015 23:09, Nathan Ward wrote:
> We write Auth, Acct start, and Acct stop to files with line log, and
> ingest that. This way we limit the storage (and licensing!)
Yeah, this is a big thing with splunk; the volume if you want to log
every access-request/challenge/accept/reject can be prohibitive.
We send a custom linelog to them designed to send the absolute minimum
number of bytes; detail logs are probably way too verbose to be useful.
The searches are probably way too site-specific to be useful sharing; it
all depends what you're using splunk *for*
> requirements, and we make it easier to process without writing splunk
> filters and things. For our use case, interim updates are not
> valuable in Splunk. We use transactions, starting with an acct stop
The 3rd party who advised us was not so keen on transactions, claiming
they had poor performance. We use them anyway - they're too useful to
ignore, and we see no problems. But be cautious.
> and ending with an acct start, keyed on the username to see how long
> a user is down for. We have geocoding information available for all
> our users so can plot users who are offline on a map, etc. etc.
The geocoding is useful. We use it to identify suspicious activity on RAS.
More information about the Freeradius-Users