Anyone using splunk and willing to share useful searches

Michael Schwartzkopff ms at
Wed Oct 21 15:19:12 CEST 2015

Am Mittwoch, 21. Oktober 2015, 14:14:25 schrieb Phil Mayers:
> On 20/10/2015 23:09, Nathan Ward wrote:
> > We write Auth, Acct start, and Acct stop to files with line log, and
> > ingest that. This way we limit the storage (and licensing!)
> Yeah, this is a big thing with splunk; the volume if you want to log
> every access-request/challenge/accept/reject can be prohibitive.
> We send a custom linelog to them designed to send the absolute minimum
> number of bytes; detail logs are probably way too verbose to be useful.
> The searches are probably way too site-specific to be useful sharing; it
> all depends what you're using splunk *for*
> > requirements, and we make it easier to process without writing splunk
> > filters and things. For our use case, interim updates are not
> > valuable in Splunk. We use transactions, starting with an acct stop
> The 3rd party who advised us was not so keen on transactions, claiming
> they had poor performance. We use them anyway - they're too useful to
> ignore, and we see no problems. But be cautious.
> > and ending with an acct start, keyed on the username to see how long
> > a user is down for. We have geocoding information available for all
> > our users so can plot users who are offline on a map, etc. etc.
> The geocoding is useful. We use it to identify suspicious activity on RAS.
> -
> List info/subscribe/unsubscribe? See

You may give logstash / elasticsearch / kibana a try. If you set up a log 
monitoring system from the scratch for RADIUS it might just fit you needs.

Mit freundlichen Grüßen,

Michael Schwartzkopff

[*] sys4 AG, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Freeradius-Users mailing list