Frequent Contributor I

Syslog RADIUS Login/Logoff Message

I want to send a syslog message to a logging collector (Splunk) to indicate when a user logs in and when they log off or when their session expires.

I need to be able to send the user-name and the framed-ip-address of the user and a flag as to whether it was a login or logoff event.

Is there a way to get a syslog target filter written that will do this? I have seen the custom SQL available in the filter, but not sure how to write it.

Aruba Employee

Re: Syslog RADIUS Login/Logoff Message

Did you check out our ClearPass app in the Splunk App Store?

Not sure if this does what you are asking, just want to make sure you know about it.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15501

Thanks,

Zach Jennings
Frequent Contributor I

Re: Syslog RADIUS Login/Logoff Message

Zach, I just downloaded that tech note and am reviewing it now.  Thanks

Aruba Employee

Re: Syslog RADIUS Login/Logoff Message

Here's a link to the syslog export filter for the Splunk App integration:

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15500

All this is available in the Documentation section of the support site: Documentation->Software->ClearPass->Policy Manager->Tech Notes

Thanks,

Zach Jennings
Frequent Contributor I

Re: Syslog RADIUS Login/Logoff Message

I reviewed the technote, but there are no details on how to tweak the session event log message that is sent.

Message I am currently sending below. My problem is that I am trying to determine if this is a login or logoff event. Is there a field that can denote this?

I see the field: Login-Status=ACCEPT, is there another that can be used perhaps?

May  8 11:30:55 10.237.6.129 2015-05-08: 11:30:55,478 10.237.6.129 TEST_CPPM_RADIUS_Session 3 1 0 RADIUS.Acct-Calling-Station-Id=5C-26-0A-71-67-80,Common.Roles=[Machine Authenticated], [User Authenticated],RADIUS.Acct-Framed-IP-Address=10.238.32.81,RADIUS.Auth-Source=AD:cp1adplim07.domain.com,RADIUS.Acct-Timestamp=2015-05-08 11:30:48-04,Common.Request-Id=R0000006c-01-554cd69d,Common.Source=RADIUS,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Login-Status=ACCEPT,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Common.Username=billbob,src=10.237.6.129,RADIUS.Acct-Username=host/7FP23R1.domain.com,RADIUS.Acct-NAS-IP-Address=10.238.32.99,Common.Service=CISCO_WIRED_802.1X_SERVICE
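
An added example, not part of the original thread or of the ClearPass Splunk app: a Python parser for the session message posted above that pulls out the username, framed IP address and Login-Status on the collector side. It assumes the field layout of that one sample line, where values such as Common.Roles and RADIUS.Auth-Method contain commas, so fields are split only at a comma followed by a `Name=` token; the function names are hypothetical, and it does not classify login versus logoff because the sample shows only Login-Status.

```python
import ipaddress
import re

# Session message copied from the post above (a single syslog line).
SAMPLE = (
    "May  8 11:30:55 10.237.6.129 2015-05-08: 11:30:55,478 10.237.6.129 "
    "TEST_CPPM_RADIUS_Session 3 1 0 "
    "RADIUS.Acct-Calling-Station-Id=5C-26-0A-71-67-80,"
    "Common.Roles=[Machine Authenticated], [User Authenticated],"
    "RADIUS.Acct-Framed-IP-Address=10.238.32.81,"
    "RADIUS.Auth-Source=AD:cp1adplim07.domain.com,"
    "RADIUS.Acct-Timestamp=2015-05-08 11:30:48-04,"
    "Common.Request-Id=R0000006c-01-554cd69d,Common.Source=RADIUS,"
    "RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Login-Status=ACCEPT,"
    "TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Common.Username=billbob,"
    "src=10.237.6.129,RADIUS.Acct-Username=host/7FP23R1.domain.com,"
    "RADIUS.Acct-NAS-IP-Address=10.238.32.99,"
    "Common.Service=CISCO_WIRED_802.1X_SERVICE"
)

FIRST_NAME = re.compile(r"[A-Za-z][\w.-]*=")      # where the field list begins
FIELD = re.compile(r"(?:^|,)([A-Za-z][\w.-]*)=")  # a field at start or after a comma


def parse_fields(line):
    """Split the field list without breaking values that contain commas."""
    first = FIRST_NAME.search(line)
    if first is None:
        return {}
    payload = line[first.start():].rstrip()
    marks = list(FIELD.finditer(payload))
    fields = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(payload)
        fields[mark.group(1)] = payload[mark.end():end]
    return fields


def session_summary(line):
    """Return username, framed IP and Login-Status; the IP is validated."""
    fields = parse_fields(line)
    try:
        ip = str(ipaddress.ip_address(fields.get("RADIUS.Acct-Framed-IP-Address", "")))
    except ValueError:
        ip = None  # missing or malformed address in an untrusted log line
    return {"username": fields.get("Common.Username"), "framed_ip": ip,
            "login_status": fields.get("Common.Login-Status")}


if __name__ == "__main__":
    print(session_summary(SAMPLE))
```

A naive split on every comma would cut `Common.Roles`, `RADIUS.Auth-Method` and `TimestampFormat` in two and shift the fields that follow them.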

 
