05-06-2015 06:13 PM
I have noticed that syslog messages (TACACS or RADIUS) seem to be delayed to be sent from CPPM to a syslog server? The delays are 60 to 90 secs. Is this normal behavior or can it be changed? I am looking to use real time logging of RADIUS Start and Stop Accounting messages, but the delay will prevent this from being useful.
Any advice or suggestions would be much appreciated.
05-06-2015 06:15 PM
05-06-2015 06:30 PM
05-06-2015 06:48 PM
My experience has been exactly the opposite. All network devices I have worked with: router, switches, firewalls, load balancers instantly send the message when traffic crosses the device. You can watch it real time in our syslog server and troubleshoot issues as they happen.
In our case with CPPM, I wanted to use syslog to send user ID and IP address info to our StealthWatch system to account for user ID in NetFlow records. StealthWatch has a syslog parser.
In addition, I need real time userID & IP info fed into our Palo Alto firewalls for user based authentication rule sets.
If CPPM holds onto this info for 90 seconds, it will cause issues for sure.
Thanks for your feedback.
05-06-2015 08:27 PM
Today we 'batch' the syslog events from CPPM to syslog-target. We are investigating on how we can make this more real time as you require.
The PANW updates should be no longer than 2-3 seconds if you are using CPPM 6.5.0; my updated CPPM and PANW TechNote V5, which has all the 6.5 updates, should be posted by the end of this week.
You also mentioned accounting, do you know that in 6.5 we can forward accounting proxy updates when we process an auth? This is a new 6.5 feature... does this help you? It's real-time; there are a couple of examples I've documented, one each in my Fortinet and CheckPoint integration TechNotes.
Snr Tech Marketing Engineer - ClearPass
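A collector-side check for the batching delay discussed in this thread, added here as an example and not code from the thread or from ClearPass: it compares the event timestamp in each syslog header with the time the collector received the message and lists the accounting Start/Stop records that arrived too late to drive a user-ID feed. The message layout, host name, timestamps and attribute values are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of accounting messages as they might reach a syslog
# collector. The RFC 5424-style layout is an assumption for this example, not
# ClearPass's real export format. Each tuple is (collector arrival time, raw
# syslog line); every value is made up.
SAMPLE_RECEIVED = [
    ("2015-05-06T18:14:32Z",
     '<134>1 2015-05-06T18:13:05Z cppm1 RADIUS - - Acct-Status-Type=Start '
     'User-Name=jdoe Framed-IP-Address=10.1.2.3'),
    ("2015-05-06T18:14:32Z",
     '<134>1 2015-05-06T18:13:41Z cppm1 RADIUS - - Acct-Status-Type=Stop '
     'User-Name=asmith Framed-IP-Address=10.1.2.9'),
    ("2015-05-06T18:14:33Z",
     '<134>1 2015-05-06T18:14:31Z cppm1 RADIUS - - Acct-Status-Type=Start '
     'User-Name=bjones Framed-IP-Address=10.1.2.17'),
]

TS_RE = re.compile(r"^<\d+>1 (\S+) ")  # RFC 5424 header: PRI, VERSION, TIMESTAMP
KV_RE = re.compile(r"(\S+)=(\S+)")     # key=value attributes in the message body

def parse_ts(value):
    """Parse a UTC timestamp such as 2015-05-06T18:13:05Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def forwarding_lag(received_at, line):
    """Seconds between the event time stamped on the message and the moment the
    collector saw it; None if the header does not parse."""
    m = TS_RE.match(line)
    if not m:
        return None
    return (parse_ts(received_at) - parse_ts(m.group(1))).total_seconds()

def late_sessions(records, max_lag_s=5.0):
    """Return (user, ip, status, lag) for every message that arrived more than
    max_lag_s after its event time: the records a firewall user-ID or NetFlow
    enrichment feed would apply to the wrong host, or miss entirely."""
    late = []
    for received_at, line in records:
        lag = forwarding_lag(received_at, line)
        if lag is None or lag <= max_lag_s:
            continue
        kv = dict(KV_RE.findall(line))
        late.append((kv.get("User-Name"), kv.get("Framed-IP-Address"),
                     kv.get("Acct-Status-Type"), lag))
    return late

if __name__ == "__main__":
    for user, ip, status, lag in late_sessions(SAMPLE_RECEIVED):
        print(f"{status:5} {user:8} {ip:12} arrived {lag:.0f}s late")
```

With the sample data, the two batched messages (87 s and 51 s late) are reported and the one that arrived within 2 s is not.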