Our ClearPass logs are being syslogged to Splunk. I am trying to create a report on guests versus local users correlated with the service they used. The problem is that the user_name field in the CPPM_Dashboard_Summary logs is not always set to the owner of the device in the case of MAC authentications, so guessing the user type from the user_name field doesn't work very well. There are some user attributes in the CPPM_Session_Detail that could aid in the mapping of a session to a user type. However, there is a time delay between the timestamp in the CPPM_Dashboard_Summary and CPPM_Session_Detail, which means that you will have many logons at the boundaries of your search window that are missing either the CPPM_Dashboard_Summary or CPPM_Session_Detail part of the transaction. None of the CPPM_Session_Detail attributes correlate with the service that the user was ultimately authenticated as using. So we have to rely on combining the two and trying to figure out a way to deal with the loss of data. It would be nice to be able to use just the CPPM_Session_Detail logs to be able to eliminate the loss of data in the searches.
Related questions:
- Why is there a timestamp difference between the CPPM_Dashboard_Summary and CPPM_Session_Detail logs for a session? Does the timestamp difference signify something?
- Anyone know which userid is in the CPPM_Dashboard_Summary user_name field?
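To illustrate the boundary loss described in the post and the usual workaround (anchor each session on its CPPM_Dashboard_Summary timestamp, then widen only the CPPM_Session_Detail lookup by the observed delay), here is an added Python example; it is not ClearPass or Splunk output, the events are constructed, and the session_id join key and the Session_Detail user_type attribute are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real ClearPass output). session_id as the
# join key and the "user_type" Session_Detail attribute are assumptions;
# user_name and service come from CPPM_Dashboard_Summary as in the post.
DASHBOARD_SUMMARY = [
    {"ts": "2024-01-01T09:59:50", "session_id": "s1", "user_name": "aa:bb:cc:dd:ee:01", "service": "Guest MAC Auth"},
    {"ts": "2024-01-01T10:10:00", "session_id": "s2", "user_name": "aa:bb:cc:dd:ee:02", "service": "Guest MAC Auth"},
    {"ts": "2024-01-01T10:30:00", "session_id": "s3", "user_name": "jdoe", "service": "Employee 802.1X"},
    {"ts": "2024-01-01T10:59:50", "session_id": "s4", "user_name": "aa:bb:cc:dd:ee:04", "service": "Guest MAC Auth"},
]
SESSION_DETAIL = [  # Detail events trail the Summary by 10-35 s here
    {"ts": "2024-01-01T10:00:20", "session_id": "s1", "user_type": "guest"},
    {"ts": "2024-01-01T10:10:30", "session_id": "s2", "user_type": "guest"},
    {"ts": "2024-01-01T10:30:10", "session_id": "s3", "user_type": "local"},
    {"ts": "2024-01-01T11:00:25", "session_id": "s4", "user_type": "guest"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def correlate(summary, detail, start, end, pad=timedelta(0)):
    """Join Summary to Detail on session_id for one report window.

    A session belongs to the window whose [start, end) contains its Summary
    timestamp, so it is counted exactly once. The Detail lookup is widened by
    `pad` on both sides to absorb the Summary/Detail delay; pad=0 is the naive
    search that loses sessions at the window edges.
    Returns (joined rows, session_ids of Summary events with no Detail match).
    """
    detail_by_id = {d["session_id"]: d for d in detail
                    if start - pad <= _ts(d["ts"]) < end + pad}
    joined, missing = [], []
    for s in summary:
        if not (start <= _ts(s["ts"]) < end):
            continue
        d = detail_by_id.get(s["session_id"])
        if d is None:
            missing.append(s["session_id"])
            continue
        joined.append({"session_id": s["session_id"], "user_type": d["user_type"],
                       "service": s["service"],
                       "delay_s": (_ts(d["ts"]) - _ts(s["ts"])).total_seconds()})
    return joined, missing

def service_by_user_type(joined):
    """Count sessions per (user_type, service) pair, the report the post wants."""
    counts = {}
    for row in joined:
        key = (row["user_type"], row["service"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

With the window 10:00 to 11:00 and no padding, s4 is lost because its Detail event lands 25 s past the window end; padding the Detail lookup by the largest delay seen in your own data recovers it without double counting s1, which belongs to the previous window.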