A customer has a Microsoft RADIUS server and they need to be able to search on the MAC address.

Unfortunately, all other systems use a format like 00:AA:00:12:34:56, whereas Microsoft RADIUS logs 00-AA-00-12-34-56.


The customer used the WMI Connector. We collected a dump file, and the logs "seem" to come through Event Viewer under Security, i.e. Microsoft-Windows-Security-Auditing.

Unfortunately, we don't have an official Collector for the MS RADIUS traffic.


The customer used the Universal Event Collector instead, which has shortcomings. It seems to parse, but then again, the Collector will simply copy its input to the Sentinel "Message" field, where it can be viewed, searched, and analyzed with the usual tools, but it will not have the benefits of fully-parsed relational data.
This Collector does make a best-effort attempt to parse data that it receives; for example, it will attempt to recognize standard RFC3164 syslog headers and output from common applications like 'sshd'.

Could you please create a Microsoft RADIUS Collector so that this kind of traffic is parsed correctly?

Thanks...
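Until a dedicated Collector exists, a workaround for searching the raw "Message" field is to normalize MAC addresses on both sides of the comparison. The following is an added example, not code from the original post or from the Sentinel product: it canonicalizes the hyphen and colon forms from the post (plus the Cisco dotted form) and filters constructed sample messages by a MAC given in any of those notations.

```python
import re

# A MAC written as six hex pairs with ':' or '-' separators (the two forms
# named in the post), or as three Cisco-style dotted groups of four.
MAC_RE = re.compile(
    r"\b[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}\b"
    r"|\b[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\b"
)

def canonical_mac(text):
    """Return the MAC as lowercase colon-separated pairs, or None if the
    text does not contain exactly 12 hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def extract_macs(message):
    """Find every MAC in a raw message, regardless of separator style."""
    return [canonical_mac(m.group(0)) for m in MAC_RE.finditer(message)]

def search_messages(messages, wanted_mac):
    """Return the messages that mention wanted_mac in any notation."""
    target = canonical_mac(wanted_mac)
    return [msg for msg in messages if target in extract_macs(msg)]

# Constructed sample messages (not real log data) in the three notations.
SAMPLE_MESSAGES = [
    "Microsoft-Windows-Security-Auditing: access granted, "
    "calling station 00-AA-00-12-34-56",
    "dhcpd: DHCPACK on 10.0.0.5 to 00:aa:00:12:34:56 via eth0",
    "switch01: address 00aa.0012.3456 learned on Gi1/0/7",
    "dhcpd: DHCPACK on 10.0.0.6 to 00:aa:00:ff:ee:dd via eth0",
]

if __name__ == "__main__":
    for hit in search_messages(SAMPLE_MESSAGES, "00:AA:00:12:34:56"):
        print(hit)
```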
