Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Delays in Syslog Messages sent from CPPM 6.5.1

  • 1.  Delays in Syslog Messages sent from CPPM 6.5.1

    Posted May 06, 2015 09:14 PM

    I have noticed that syslog messages (TACACS or RADIUS) seem to be delayed when sent from CPPM to a syslog server. The delays are 60 to 90 secs. Is this normal behavior, or can it be changed? I am looking to use real-time logging of RADIUS Start and Stop Accounting messages, but the delay will prevent this from being useful.

    Any advice or suggestions would be much appreciated.

    Thanks.

    Mark Thiel



  • 2.  RE: Delays in Syslog Messages sent from CPPM 6.5.1

    EMPLOYEE
    Posted May 06, 2015 09:16 PM
    AFAIK, syslog is always best effort and is often low priority on most
    systems.


  • 3.  RE: Delays in Syslog Messages sent from CPPM 6.5.1

    Posted May 06, 2015 09:28 PM

    Not what I wanted to hear, but I will take it into account.

    So has that been your experience as well? Are there any tweaks that can be done?



  • 4.  RE: Delays in Syslog Messages sent from CPPM 6.5.1

    EMPLOYEE
    Posted May 06, 2015 09:31 PM
    That's not an official answer, just something I've always seen across most products with regard to syslog.

    I don't believe there are any configurable options.


  • 5.  RE: Delays in Syslog Messages sent from CPPM 6.5.1

    Posted May 06, 2015 09:49 PM

    My experience has been exactly the opposite. All network devices I have worked with (routers, switches, firewalls, load balancers) instantly send the message when traffic crosses the device. You can watch it in real time on our syslog server and troubleshoot issues as they happen.

    In our case with CPPM, I wanted to use syslog to send user ID and IP address info to our StealthWatch system to account for user ID in NetFlow records. StealthWatch has a syslog parser.

    In addition, I need real-time user ID and IP info fed into our Palo Alto firewalls for user-based authentication rule sets.

    If CPPM holds onto this info for 90 seconds, it will cause issues for sure.

    Thanks for your feedback.



  • 6.  RE: Delays in Syslog Messages sent from CPPM 6.5.1
    Best Answer

    Posted May 06, 2015 11:28 PM

    Today we 'batch' the syslog events from CPPM to the syslog target. We are investigating how we can make this more real-time, as you require.

    The PANW updates should be no longer than 2-3 seconds if you are using CPPM 6.5.0. My updated CPPM and PANW TechNote V5, which has all the 6.5 updates, should be posted by the end of this week.

    You also mentioned accounting. Do you know that in 6.5 we can forward accounting proxy updates when we process an auth? This is a new 6.5 feature... does this help you? It's real-time; there are a couple of examples I've documented, one each in my Fortinet and CheckPoint integration TechNotes.
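Before relying on syslog from CPPM for user-to-IP mapping, it is worth measuring the batching delay the thread describes rather than guessing at it. The following is an added example (not CPPM code and not from any poster) that compares each event's own timestamp with the receiver's arrival time, reports the worst lag, and also flags negative lag, which points at clock skew between CPPM and the collector rather than batching. The line layout (receiver ISO timestamp, then comma-separated key=value fields including a `Timestamp` field) is a constructed assumption; real CPPM syslog export filters are configurable.

```python
"""Measure delivery lag of RADIUS accounting events relayed over syslog.

Added example; not CPPM's own code. Assumes a collector that prefixes
each stored line with its receive time (ISO 8601), followed by the CPPM
payload as comma-separated key=value fields with a "Timestamp" field.
"""
import re
from datetime import datetime

# Constructed sample lines: "<receive time> <CPPM payload>". The first two
# arrive ~90 s after the event (batching); the third is prompt; the fourth
# carries an event time later than its receive time (clock skew).
SAMPLE = """\
2015-05-06T21:15:30 Timestamp=2015-05-06 21:14:00,Acct-Status-Type=Start,User-Name=alice,Framed-IP-Address=10.1.2.3
2015-05-06T21:15:30 Timestamp=2015-05-06 21:14:05,Acct-Status-Type=Stop,User-Name=bob,Framed-IP-Address=10.1.2.4
2015-05-06T21:15:31 Timestamp=2015-05-06 21:15:29,Acct-Status-Type=Start,User-Name=carol,Framed-IP-Address=10.1.2.5
2015-05-06T21:15:31 Timestamp=2015-05-06 21:15:35,Acct-Status-Type=Start,User-Name=dave,Framed-IP-Address=10.1.2.6
"""

LINE_RE = re.compile(r"^(\S+) (.*)$")


def parse_line(line):
    """Return a dict with receive time, event time, lag in seconds and fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    recv = datetime.fromisoformat(m.group(1))
    fields = dict(kv.split("=", 1) for kv in m.group(2).split(","))
    event = datetime.strptime(fields["Timestamp"], "%Y-%m-%d %H:%M:%S")
    lag = (recv - event).total_seconds()
    return {"recv": recv, "event": event, "lag": lag, **fields}


def lag_report(text, threshold=5.0):
    """Summarise lag: count, max lag, events later than threshold, skewed events."""
    rows = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    late = [(r["User-Name"], r["Acct-Status-Type"], r["lag"])
            for r in rows if r["lag"] > threshold]
    skew = [(r["User-Name"], r["lag"]) for r in rows if r["lag"] < 0]
    return {"count": len(rows),
            "max_lag": max(r["lag"] for r in rows) if rows else 0.0,
            "late": late, "skew": skew}


if __name__ == "__main__":
    print(lag_report(SAMPLE))
```

Run it against a day's worth of collector output to see whether the 60 to 90 second figure holds consistently or only under load, and treat any negative lag as an NTP problem to fix before trusting the numbers.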