Anyone using splunk and willing to share useful searches
Michael Schwartzkopff
ms at sys4.de
Wed Oct 21 15:19:12 CEST 2015
Am Mittwoch, 21. Oktober 2015, 14:14:25 schrieb Phil Mayers:
> On 20/10/2015 23:09, Nathan Ward wrote:
> > We write Auth, Acct start, and Acct stop to files with line log, and
> > ingest that. This way we limit the storage (and licensing!)
>
> Yeah, this is a big thing with splunk; the volume if you want to log
> every access-request/challenge/accept/reject can be prohibitive.
>
> We send a custom linelog to them designed to send the absolute minimum
> number of bytes; detail logs are probably way too verbose to be useful.
>
> The searches are probably way too site-specific to be useful sharing; it
> all depends what you're using splunk *for*
>
> > requirements, and we make it easier to process without writing splunk
> > filters and things. For our use case, interim updates are not
> > valuable in Splunk. We use transactions, starting with an acct stop
>
> The 3rd party who advised us was not so keen on transactions, claiming
> they had poor performance. We use them anyway - they're too useful to
> ignore, and we see no problems. But be cautious.
>
> > and ending with an acct start, keyed on the username to see how long
> > a user is down for. We have geocoding information available for all
> > our users so can plot users who are offline on a map, etc. etc.
>
> The geocoding is useful. We use it to identify suspicious activity on RAS.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
You may give logstash / elasticsearch / kibana a try. If you set up a log
monitoring system from the scratch for RADIUS it might just fit you needs.
Mit freundlichen Grüßen,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20151021/66576af5/attachment.sig>
More information about the Freeradius-Users
mailing list