Contributor I

Clearpass and Elasticsearch, Logstash, and Kibana (ELK)

Has anyone used ClearPass Syslog Targets with the ELK (Elasticsearch, Logstash, and Kibana) stack?

I'm getting data into ELK by using the syslog Splunk export filters provided in the Splunk Integration Guide and the following Logstash configuration:

input {
  # ClearPass syslog target pointed at this host on port 5000 (TCP or UDP)
  tcp {
    port => 5000
    type => "syslog"
  }
  udp {
    port => 5000
    type => "syslog"
  }
}

filter {
  # ClearPass (CPPM) events: "<pri>ISO8601-timestamp host program pid 1 0 ..."
  # followed by the comma-separated key=value payload from the Splunk export filters
  if [type] == "syslog" and [message] =~ "CPPM" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{POSINT:syslog_pid} 1 0 %{GREEDYDATA:syslog_message}" }
    }
    # split the payload into CPPM_<key> fields; add_tag takes an array, one tag per element
    kv {
      source => "syslog_message"
      field_split => ","
      prefix => "CPPM_"
      add_tag => ["CPPM", "grokkd"]
    }
  }
  # everything else: classic BSD-style syslog
  else if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
}

output {
  # events the grok patterns could not parse go to a file for inspection instead of the index
  if [type] == "syslog" and "_grokparsefailure" in [tags] {
    file { path => "/tmp/failed_syslog_events-%{+YYYY-MM-dd}" }
  }
  else {
    # Logstash 2.x and later use "hosts"; Logstash 1.x used host => "localhost"
    elasticsearch { hosts => ["localhost:9200"] }
  }
}

I'm wondering if anyone has created a Kibana dashboard to analyze the results.

Thanks.

--
Neil Johnson
Contributor I

Re: Clearpass and Elasticsearch, Logstash, and Kibana (ELK)

I've created a GitHub repository containing my logstash.conf file and the export of my ClearPass syslog configuration. Comments and suggestions welcome!

--
Neil Johnson
Aruba

Re: Clearpass and Elasticsearch, Logstash, and Kibana (ELK)

Cool, always appreciated. I'll check it out and pass it off to the ClearPass specialists.
Thank you,
Troy
