Higher Education

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
Occasional Contributor I

Syslog Export Interval

I'm trying to get external logging set up for our ClearPass 6.7.3 servers.  I've created the export filters, but no matter what I set the Syslog Export Interval to it only exports about every 15 minutes.  I must be missing something.  Can somebody point me in the right direction?

4 REPLIES
Highlighted

Re: Syslog Export Interval

I am not sure if things changed in 6.7, but in prior ClearPass releases, syslog updated every 5 minutes. It is not real-time, but a batch process that runs periodically.

At one time we were using syslog output to map username to ip address for bandwith management purposes and we determined that a 5 minute lag was permissible. We are no longer using syslog for that though.


Bruce Osborne - Wireless Engineer
ACCP, ACMP

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks

Occasional Contributor I

Re: Syslog Export Interval

Thanks Bruce.
Super Contributor I

Re: Syslog Export Interval

The 5min batching is annoying, but I worked around this with Splunk. Since most of the logs have a "timestamp" or "CppmAlert.Timestamp" field, you can extract those, then coalesce them into one field that you can then use for Splunk searches. (Excuse any inefficiencies with the regular expressions!)

search... | rex "CppmAlert.Timestamp=(?<CppmAlert_Timestamp>\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2})" | rex "timestamp=(?<timestamp>\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2})" | eval clearpass_time=coalesce(CppmAlert_Timestamp,timestamp) | table clearpass_time,_raw

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Occasional Contributor I

Re: Syslog Export Interval

Thanks Ryan. That's a good idea, but not quite what I was hoping for.

Unfortunately, the ability to search logs in CPPM is pretty crude, so something like Splunk is required to make them searchable. Our logs are being exported every 15 minutes, and if we're troubleshooting that will be too long to wait to see if a given change had the desired effect.

I thought I'd try the community first, but I'm going to open a TAC case to see why the knob they provide, "syslog export interval", doesn't seem to do anything. If I learn anything useful I'll post it here.

Chuck
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: