Splunk Stream

Installation and Configuration Manual

Authentication

Splunk App for Stream supports capture of these Authentication protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.

DIAMETER

DIAMETER Protocol

Name Description Term
bytes The total number of bytes transferred. flow.bytes
src_ip Client IP Address flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
bytes_in The number of bytes sent from client to server flow.cs-bytes
packets_in The total number of packets sent from client to server flow.cs-packets
dest_ip Server IP Address flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
bytes_out The number of bytes sent from server to client flow.sc-bytes
packets_out The total number of packets sent from server to client flow.sc-packets
time_taken Number of microseconds that it took to complete a flow event, from the end user perspective flow.time-taken
transport Transport level protocol flow.transport
acct_input_octets Indicates how many octets were received from the port over the course of the provided service diameter.acct-input-octets
acct_multi_session_id Link between multiple accounting sessions diameter.acct-multi-session-id
acct_output_octets Indicates how many octets were sent to the port in the course of delivering the service diameter.acct-output-octets
acct_record_number Unique identifier for one record within a session diameter.acct-record-number
acct_record_type Record type diameter.acct-record-type
acct_session_id Accounting session ID diameter.acct-session-id
acct_sub_session_id Sub-session identifier diameter.acct-sub-session-id
application_id Identifies for which application the message is applicable diameter.application-id
auth_request_type Requested authentication type diameter.auth-request-type
called_station_id The phone number that the user called using Dialed Number Identification (DNIS) or similar technology diameter.called-station-id
calling_station_id Client ID diameter.calling-station-id
command_code Command associated with the Diameter request diameter.command-code
command_flags Bitfield that defines some attributes of a command on one byte as follows: [RPE.....] ('R'equest/answer, 'P'roxiable, 'E'rror) diameter.command-flags
destination_host Destination Diameter host for the current message diameter.destination-host
end_to_end_id Used to detect duplicate messages diameter.end-to-end-id
framed_ip IP address diameter.framed-ip
hop_by_hop_id Used to match Diameter request and reply messages diameter.hop-by-hop-id
login User's login string diameter.login
nas_id Unique identifier of NAS originating access request diameter.nas-id
nas_ip IP address of of NAS originating access request diameter.nas-ip
nas_port Physical port number of the user on the NAS diameter.nas-port
nas_port_id Identifies the NAS diameter.nas-port-id
nas_port_type Indicates the type of physical port NAS is using to authenticate the user diameter.nas-port-type
origin_host Source Diameter host for the current message diameter.origin-host
result_code Indicates whether a particular Diameter request was completed successfully or not diameter.result-code
session_id Uniquely identifies the current user session diameter.session-id
terminate_cause Indicates how the session was terminated diameter.terminate-cause

LDAP

Lightweight Directory Access Protocol RFC 1777

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
assertion_value Filter expression second operand, which is an assertion value ldap.assertion-value
assertion_description Filter expression first operand, which is an attribute description ldap.attribute-description
contains_sasl Indicates whether the authentication is done using SASL mechanism ldap.contains-sasl
hostname Hostname extracted from a logon response to a CLDAP searchRequest ldap.hostname
message_id Message identification ldap.message-id
message_type Message type ldap.message-type
elements LDAP element; map containing name-value pairs with nested elements ldap.elements

RADIUS

Remote Authentication Dial In User Service RFC 2865

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user perspective flow.time-taken
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport level protocol flow.transport
id Packet Identifier radius.id
code Radius message code radius.code
status Status radius.status
login User login string radius.login
login_ipv6_host Indicates the system with which to connect the user radius.login-ipv6-host
session_timeout Maximum duration of session in seconds radius.session-timeout
idle_timeout Maximum idle duration of session in seconds radius.idle-timeout
nas_id Unique identifier of NAS originating access request radius.nas-id
nas_ip IP address of of NAS originating access request radius.nas-ip
nas_ipv6 IPV6 address of of NAS originating access request radius.nas-ipv6
nas_port Physical port number of the user on the NAS radius.nas-port
nas_port_id Identifies the NAS radius.nas-port-id
nas_port_type The type of physical port NAS is using to authenticate the user radius.nas-port-type
start_time The beginning of the user service radius.start-time
stop_time The end of the user service radius.stop-time
terminate_cause How the session was terminated radius.terminate-cause
framed_ip The IP address to be configured for the user radius.framed-ip
framed_ipv6_route The routing information to be configured for the user on the NAS radius.framed-ipv6-route
framed_ipv6_pool The name of an assigned pool that should be used to assign an IPv6 prefix for the user radius.framed-ipv6-pool
callback_number The dialing string to be used for callback radius.callback-number
called_station_id The phone number that the user called radius.called-station-id
vendor_id The SMI Network Management Private Enterprise Code of the Vendor radius.vendor-id
acct_session_id The accounting session id radius.account-session-id
sgsn_address The IP address of the SGSN radius.sgsn-ip
sgsn_mcc_mnc The SGSN MCC and MNC radius.sgsn-mcc
Last modified on 03 March, 2022
Supported protocols   Database

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters