Security

I've followed the User Guide by creating a new export destination server and then creating several syslog export filters.  I made sure to select the right syslog export destination as well as the subscriber servers I want to send logs from.  The destination server does not appear to be receiving anything despite me seeing several accounting messages on CPPM's access tracker.

I ran a packet capture on the port leading to the CPPM server in question that is authenticating users, but I don't see any traffic coming out of it destined for the export destination.  I've specifically create several RADIUS/TACACS+ policies and included all the available options under the filter, so I'm not sure what is wrong at this point.

All of my syslog export filters are shown as Enabled.

Hi Patrick,

We need to check syslogs to see why Clearpass is not able to export the logs to exteranl server, for this we need CLI access.

If you are using any ASCII characters in password, try reset the cluster password once without any special characters from Administration » Server Manager » Server Configuration  > Change Cluster password and check the status, if that does not reslove, please open TAC ticket to troubleshoot the issue further.

Regards,
Pavan

I've created some dump logs to review and I can't seem to find a reason why this is happening.  I was able to collect them from the web UI by going to Configuration -> Server manager -> Server configuration, then clicking the radio button for the server I wanted logs from and clicking Collect Logs.

What log file in the .tar.gz package contains the information on why this would be failing?

did you end up resolving this? i'm experincing similar issue with 6.6.8

Same problem here.  It was working and then just stopped overnight for no apparent reason.  I haven't been able to get the logs going since.

Hi Patrick,

did you ever resolve this problem? I followed the same procedure and I too can not see any traffice from the CPPM

Have you configured syslog targest and syslog export filter, if yes does port is allowed between CPPM and syslogn targets ?

You can take packet capture from Administration » Server Manager » Server Configuration and see if anything is  blocking the traffice.

Hello Pavan,

Thank you for the quick response. I did all the above and have allowed udp 514 from the cppm to the target sever. I captured pakets from cppm and checked the ACL closest to the CPPM and did not see any packets destined to UDP 514. I did capture the Log from Administration » Server Manager » Server Configuration but could not determine which file to look into. I though it would be a file I would use with wireshark. I went through most of the logs but did not see anything in particular destined to syslog

check highlighed box to get packet capture file

I did download a capture and do not see any traffic destined to the syslog udp 514.

Mkaroki, what version of ClearPass are you running? What kind of SYSLOG messages are you trying to send to your server? Session Logs? System Events? Audit Records? If just Session Logs, try System Events and Audit Records to see if you receive a different outcome.

Thank you all for your input in troubleshooting this. I have successfuly sent syslog information from CPPM. I deleted all the export filters and rebuilt them. I was however directed to disable and renable the filter by pressing the green status bubble and again the red status bubble to enable. That seem to have worked.

Again this was on ClearPass Policy Manager 6.7.8.