Aruba Solution Exchange

ClearPass Splunk Syslog Export

Summary

This solution configures ClearPass to send Syslog output to an instance of Splunk. It generates a ClearPass XML import file that does the following:

  • Adds a Splunk Server as a Syslog Target.
  • Adds the ClearPass Syslog Export Filters defined for the ClearPass Splunk App.

Platform Tested

ClearPass Policy Manager 6.3.2 and Splunk 6.1.1.

Background

ClearPass Policy Manager is an Access Management Solution used extensively in small, midrange and large enterprises. When endpoints authenticate to the network through ClearPass, it can send the resulting Authentication, Authorization and Accounting events as RFC 5424-compliant Syslog messages to any Syslog receiver.
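As an added example (not part of the original article or of the ClearPass Splunk App), the following Python parses RFC 5424 messages of the kind ClearPass emits and checks that each record's HOSTNAME is one of the expected ClearPass servers; the host names and log lines are constructed. A comment below reports that the app's dashboards broke once the feed was relayed through another syslog server, so confirming the origin host on the wire is a useful check when validating the feed into the Splunk TCP input.

```python
import re
from dataclasses import dataclass

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?(?<!\\)\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)

@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    structured_data: str
    msg: str

def parse_rfc5424(line: str) -> SyslogRecord:
    """Parse one RFC 5424 message; raise ValueError if it is not compliant."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message (legacy BSD format?)")
    pri = int(m.group("pri"))
    if pri > 191 or m.group("version") != "1":  # PRI is facility*8 + severity
        raise ValueError("bad PRI or VERSION")
    return SyslogRecord(pri // 8, pri % 8, m.group("timestamp"), m.group("hostname"),
                        m.group("appname"), m.group("sd"), m.group("msg") or "")

def check_feed(lines, expected_hosts):
    """Split received lines into records from the expected ClearPass host(s),
    records whose HOSTNAME is something else (e.g. a relay), and non-RFC 5424 lines."""
    ok, wrong_host, invalid = [], [], []
    for line in lines:
        try:
            rec = parse_rfc5424(line)
        except ValueError:
            invalid.append(line)
            continue
        (ok if rec.hostname in expected_hosts else wrong_host).append(rec)
    return ok, wrong_host, invalid

# Constructed sample lines; not captured from a real ClearPass server.
SAMPLE_LINES = [
    "<134>1 2014-09-12T14:59:00.000Z cppm01.example.com ClearPass - - - Constructed: RADIUS auth event",
    '<134>1 2014-09-12T14:59:01.000Z relay01.example.com ClearPass - - [meta seq="2"] Constructed: relayed',
    "Sep 12 14:59:02 cppm01 ClearPass: constructed legacy BSD-format line",
]
```

Running `check_feed(SAMPLE_LINES, {"cppm01.example.com"})` yields one good record, one from the unexpected relay host, and one line that is not RFC 5424 at all.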

Splunk is a log management/SIEM solution that can receive Syslog messages from multiple sources. The messages are stored within Splunk, where they can be correlated, searched, analyzed and displayed through its graphical user interface.
Splunk also provides a platform for small applications (called apps) that are customized for a specific product or application sending Syslogs to Splunk. An app visualizes the Syslog data received for that product without requiring the user to write complex searches.

These apps typically consist of a number of dashlets showing charts, tables and graphs, accessible via a menu structure within the app and driven by pre-defined searches over the Syslog data received by Splunk.
One such app, developed by Aruba to visualize the Syslog feed from ClearPass Policy Manager, is the ClearPass Splunk App.

Configuration Notes

To integrate ClearPass with Splunk, you have to perform two major tasks:

  • Configure ClearPass to send Syslogs to Splunk. This solution generates the necessary ClearPass configuration.
  • Install the ClearPass Splunk App on Splunk, which configures Splunk to receive the Syslog data feed from ClearPass.

Installing the ClearPass Splunk App on Splunk

Note: The steps described in this section were tested on Splunk 6.1.1. Installing the ClearPass Splunk App consists of:

Uploading the ClearPass Splunk App package
  1. Navigate to Apps >> Manage Apps and click the Install app from file button.
  2. On the Upload app page, click Choose File. Locate the file ClearPassOnSplunk_1.2.tar.gz on your computer (assuming the ClearPass Splunk App version is 1.2), select it and click the Upload button.
    • Note: If you are upgrading your ClearPass Splunk App to a later version, select the checkbox labeled Upgrade app.
    • Note: If the version of the app is different from 1.2, locate and select the appropriate file.
  3. Restart Splunk to complete the install by clicking the Restart Splunk button.
  4. After Splunk restarts and you log in again, the ClearPass Splunk App appears on the Splunk Home page. Verify that the Splunk Data inputs have been imported successfully under Settings >> Data >> Data Input >> TCP.

Licensing

No special licenses are required.

References

https://arubapedia.arubanetworks.com/arubapedia/index.php/ClearPass_Splunk_Application

Version history: Revision 2 of 2. Last update: 09-12-2014 02:59 PM.
Comments
craigkleen

From a user experience, I wanted to make a couple notes after struggling with this Splunk app for a bit.

  1. It's important to remember that you will also have to reboot the ClearPass appliance to enable it to send to a different syslog server if you have one already set.
  2. Making the ClearPass server send directly to Splunk on TCP 1468 is important. There's some "magic" with the way the sourcetype or something is configured that creates the "cphost" field. We initially tried sending the ClearPass logs to a plain old syslog server, then had the server monitor the log file and send the data to Splunk with the correct sourcetype specified in the command line. However, that failed to create the "cphost" field, which broke all the graphs.

Requests for future improvement by Aruba would be to let the Syslog service be restartable via the ClearPass GUI rather than requiring a full reboot, and to better define the "cphost" field so that someone could archive the logs via syslog directly, and then import to Splunk.

Regards and Happy Splunking.

tcary

Is there any update to this for CPPM 6.6? It appears the logging is slightly different, and I can't see authentications other than RADIUS.

Thanks.
