How-To: Export your RADIUS Logs to your SIEM
EZRADIUS enables your security team to monitor critical user actions by pushing the information to your SIEM. On this page we will show you how to connect your RADIUS logs to your SIEM.
Introduction - How to Send your RADIUS Logs to your SIEM
If your SIEM provider is not currently supported, email your Keytos contact and request a connector for that specific provider.
Supported SIEM providers include:
What Data is Exported to my SIEM?
Administrator Events from EZRADIUS Cloud RADIUS
Administrator events (found in the EZRadiusAdministrator table) are triggered when an administrator performs an action on the EZRadius subscription, such as adding users, removing users, or changing the subscription settings. These events are important to monitor because they can indicate a compromise of the subscription. The events below are considered critical to monitor:
| Action | Event Summary | Potential Criticality |
|---|---|---|
| NotAuthorized | Someone attempted to perform an administrative action that they are not authorized to do. | High |
| SubscriptionUpdated | An administrator made changes to the subscription. | Medium |
Policy Events from EZRADIUS Cloud RADIUS
When an administrator creates or modifies a policy, an event is triggered in the EZRadiusPolicy table. These events are important to monitor because policies control access to your network, and changes to them can indicate a compromise of the subscription.
Authentication Events from Cloud RADIUS
Every time a user authenticates to the RADIUS service, an event is triggered in the EZRadiusAuthentication table. You can monitor these events to detect abnormal behavior or unauthorized access to your network.
Accounting Events from Cloud RADIUS
In accordance with RFC 2866, EZRADIUS records accounting information for each user session. You can monitor these events to detect abnormal behavior or unauthorized access to your network. Learn more about RADIUS accounting on the RADIUS Accounting Overview page.
SIEM Set Up Guides
How to connect your RADIUS logs to Azure Log Analytics and Azure Sentinel.
How to connect your RADIUS logs to Splunk.
How to connect your RADIUS logs to CrowdStrike Falcon.