Security

Reply
Occasional Contributor II

How do I get the "service_name" attribute into the CPPM_Session_Detail logs?

Our ClearPass logs are being sysloged to Splunk.  I am trying to create a report on guests versus local users correlated with the service they used.  The problem is that the user_name field in the CPPM_Dashboard_Summary logs is not always set to the owner of the device in the case of MAC authentications, so guessing the user type from the user_name field doesn't work very well.  There are some user attibutes in the CPPM_Session_Detail that could aid in the mapping of a session to a user type.  How ever there is a time delay between the timestamp in the CPPM_Dashboard_Summary and CPPM_Session_Detail, which means that you will have many logons at the boundaries of your search window that are missing either the CPPM_Dashboard_Summary or CPPM_Session_Detail part of the transaction. None of the CPPM_Session_Detail attributes correlate with the service that the user was ultimately authenticated as using. So we have to rely of combining the two and trying to figure out a way to deal with the loss of data.  It would be nice to be able to use just the CPPM_Session_Detail logs to be able to elimiate the loss of data in the searchs.

 

Related questions:

  1.  Why is there a timestamp difference between the CPPM_Dashboard_Summary and CPPM_Session_Detail logs for a session?  Does the timestamp difference signify something?
  2. Any one know which userid is the the CPPM_Dashboard_Summary user_name field?
       
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: