Contributor I

ClearPass Ingress Event Engine Testing

Ciao,

I'm trying to create a new simple Ingress Events Dictionary without success. I attached my example. I'd like to map IP and userID coming from syslog, but the event generated is blank.

Thanks

Guru Elite

Re: ClearPass Ingress Event Engine Testing

Did you build a dictionary and map it to the event source?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: ClearPass Ingress Event Engine Testing

Yes I did.

I started with a configuration that worked (PAN FW sends a threat log and CPPM uses CoA to change authorization). What I did was:

- Modify the dictionary in order to match a new syslog event;

- Associate the new dictionary just created in Configuration--Network--Event Sources;

- Generate a new syslog event and test.

For troubleshooting I checked the format of the syslog event in the .pcap and in igesyslog.log. It seems OK.

I checked my matching rule in the dictionary with http://grokconstructor.appspot.com/do/match. It seems OK.

What I've not been able to do is troubleshoot the parsing of the syslog.
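The failure mode in this thread (the rule looks right in a grok tester, yet the generated event has empty fields) is easiest to reproduce offline. The following Python is an added example, not code from the thread, from Aruba, or from ClearPass: it expands Logstash-style `%{PATTERN:field}` references into a regex with named groups, runs the rule against constructed syslog lines, and reports the first fragment of the rule that stops matching. The base pattern set, the rule `RULE`, the sample lines and the field names `userid`/`src_ip` are all assumptions; ClearPass's real dictionary syntax may differ from plain grok.

```python
import re

# Constructed subset of Logstash-style grok base patterns (assumption: this is
# not ClearPass's dictionary format, only a stand-in for testing a rule offline).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[A-Za-z0-9._@\\-]+",
    "WORD": r"\w+",
    "INT": r"[+-]?\d+",
}

# Matches %{PATTERN} or %{PATTERN:field}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{PATTERN:field} references into a compiled regex with named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        base = GROK_PATTERNS[name]  # unknown pattern names raise KeyError on purpose
        return f"(?P<{field}>{base})" if field else f"(?:{base})"
    return re.compile(GROK_REF.sub(repl, pattern))


def parse_event(pattern, line):
    """Return the captured fields as a dict, or None when the rule does not match.

    A None result is the offline equivalent of the 'blank event' seen in ClearPass:
    no capture group fired, so nothing is available to map into the event.
    """
    m = grok_to_regex(pattern).search(line)
    return m.groupdict() if m else None


def first_failing_fragment(pattern, line):
    """Grow the rule one whitespace-separated fragment at a time and return the
    first fragment at which the accumulated rule stops matching (None if all match).
    This pinpoints the token that differs between the rule and the real log line."""
    tokens = pattern.split()
    for k in range(1, len(tokens) + 1):
        if grok_to_regex(" ".join(tokens[:k])).search(line) is None:
            return tokens[k - 1]
    return None


# Constructed rule and syslog lines (not real firewall output).
RULE = r"user=%{USER:userid} src=%{IP:src_ip} action=%{WORD:action}"
GOOD_LINE = "<134>Jan 10 12:00:00 fw01 THREAT: user=jdoe src=10.0.0.5 action=deny"
# Same event, but the sender labels the address 'srcip=' instead of 'src='.
BAD_LINE = "<134>Jan 10 12:00:01 fw01 THREAT: user=jdoe srcip=10.0.0.5 action=deny"


if __name__ == "__main__":
    print("good:", parse_event(RULE, GOOD_LINE))
    print("bad: ", parse_event(RULE, BAD_LINE))
    print("first failing fragment on bad line:", first_failing_fragment(RULE, BAD_LINE))
```

Paste the exact line taken from the .pcap or igesyslog.log into `BAD_LINE`: if `parse_event` returns a populated dict, the rule is fine and the problem is downstream in the field-to-event mapping; if it returns None, `first_failing_fragment` names the token to compare against the captured line (a one-character difference such as `src=` versus `srcip=` is enough to produce an empty event).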
