Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Delays in Syslog Messages sent from CPPM 6.5.1

I have noticed that syslog messages (TACACS or RADIUS) seem to be delayed when sent from CPPM to a syslog server. The delays are 60 to 90 secs. Is this normal behavior, or can it be changed? I am looking to use real-time logging of RADIUS Start and Stop Accounting messages, but the delay will prevent this from being useful.

Any advice or suggestions would be much appreciated.

Thanks.

 

Mark Thiel

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: Delays in Syslog Messages sent from CPPM 6.5.1

AFAIK, syslog is always best effort and is often low priority on most
systems.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: Delays in Syslog Messages sent from CPPM 6.5.1

Not what I wanted to hear, but I will take it into account.

So has that been your experience as well? Are there any tweaks that can be done?

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: Delays in Syslog Messages sent from CPPM 6.5.1

That's not an official answer, just something I've always seen across most
products with regard to syslog.



I don't believe there are any configurable options.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: Delays in Syslog Messages sent from CPPM 6.5.1

My experience has been exactly the opposite. All network devices I have worked with (routers, switches, firewalls, load balancers) instantly send the message when traffic crosses the device. You can watch it in real time in our syslog server and troubleshoot issues as they happen.

In our case with CPPM, I wanted to use syslog to send user ID and IP address info to our StealthWatch system to account for user ID in NetFlow records. StealthWatch has a syslog parser.

In addition, I need real-time user ID and IP info fed into our Palo Alto firewalls for user-based authentication rule sets.

If CPPM holds onto this info for 90 seconds, it will cause issues for sure.

Thanks for your feedback.

Moderator
Posts: 456
Registered: ‎11-09-2012

Re: Delays in Syslog Messages sent from CPPM 6.5.1

Today we 'batch' the syslog events from CPPM to the syslog target. We are investigating how we can make this more real time, as you require.

The PANW updates should be no longer than 2-3 seconds if you are using CPPM 6.5.0; my updated CPPM and PANW TechNote V5, which has all the 6.5 updates, should be posted by the end of this week.

You also mentioned accounting. Do you know that in 6.5 we can forward accounting proxy updates when we process an auth? This is a new 6.5 feature. Does this help you? It's real-time; there are a couple of examples I've documented, one each in my Fortinet and CheckPoint integration TechNotes.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
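A way to measure the syslog lag and batching discussed in this thread from the collector side, as an added example that is not from the thread or from ClearPass. It assumes the collector prefixes each line with its own UTC receive time and that the message carries the source's event time as `timestamp=`; the line format and the sample lines are constructed, not actual CPPM output.

```python
"""Quantify delivery lag and batching of RADIUS accounting syslog events.

Lag = collector receive time - event time carried in the message. Several
events sharing one receive time but different event times suggest batching.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Constructed sample lines; delays modelled on the 60-90 s reported above.
SAMPLE_LINES = """\
2015-07-01T10:00:05Z collector cppm-acct: timestamp=2015-07-01T10:00:04Z Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.0.0.5
2015-07-01T10:01:31Z collector cppm-acct: timestamp=2015-07-01T10:00:02Z Acct-Status-Type=Start User-Name=bob Framed-IP-Address=10.0.0.6
2015-07-01T10:01:31Z collector cppm-acct: timestamp=2015-07-01T10:00:40Z Acct-Status-Type=Stop User-Name=alice Framed-IP-Address=10.0.0.5
2015-07-01T10:03:02Z collector cppm-acct: timestamp=2015-07-01T10:01:35Z Acct-Status-Type=Start User-Name=carol Framed-IP-Address=10.0.0.7
"""

# Assumed layout: "<recv ISO8601> <collector> <tag> timestamp=<event ISO8601> ..."
LINE_RE = re.compile(
    r"^(?P<recv>\S+) \S+ \S+ timestamp=(?P<event>\S+) "
    r"Acct-Status-Type=(?P<status>\w+) User-Name=(?P<user>\S+) "
    r"Framed-IP-Address=(?P<ip>\S+)"
)

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_lags(text):
    """Return one dict per parsable line, with the computed lag in seconds."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an accounting event in the assumed format
        lag = (_parse_ts(m["recv"]) - _parse_ts(m["event"])).total_seconds()
        records.append({"recv": m["recv"], "user": m["user"],
                        "status": m["status"], "ip": m["ip"], "lag": lag})
    return records

def summarize(records, threshold=30.0):
    """Lag statistics, events later than `threshold` s, and batched arrivals."""
    lags = [r["lag"] for r in records]
    if not lags:
        return {"count": 0}
    batches = Counter(r["recv"] for r in records)  # events per receive time
    return {
        "count": len(lags),
        "max_lag": max(lags),
        "median_lag": median(lags),
        "late": [(r["user"], r["status"], r["lag"]) for r in records if r["lag"] > threshold],
        "batched_arrivals": {t: n for t, n in batches.items() if n > 1},
    }
```

Run it against a capture from your own collector (rsyslog or syslog-ng can be templated to emit a high-precision receive timestamp) to see whether the delay is constant or periodic, which is what distinguishes batching from network latency.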