05-08-2015 07:47 AM
I want to send a syslog message to a logging collector (Splunk) to indicate when a user logs in and when they log off or when their session expires.
I need to be able to send the user-name and the framed-ip-address of the user and a flag as to whether it was a login or logoff event.
Is there a way to get a syslog target filter written that will do this? I have seen the custom SQL available in the filter, but not sure how to write it.
05-08-2015 08:00 AM
Did you check out our ClearPass app in the Splunk App Store?
Not sure if this does what you are asking, just want to make sure you know about it.
05-08-2015 08:03 AM
Here's a link to the syslog export filter for the Splunk App integration:
All this is available in the Documentation section of the support site: Documentation->Software->ClearPass->Policy Manager->Tech Notes
05-08-2015 08:37 AM
I reviewed the technote, but there are no details on how to tweak the session event log message that is sent.
Message I am currently sending below. My problem is that I am trying to determine if this is a login or logoff event. Is there a field that can denote this?
I see the field: Login-Status=ACCEPT, is there another that can be used perhaps?
May 8 11:30:55 10.237.6.129 2015-05-08: 11:30:55,478 10.237.6.129 TEST_CPPM_RADIUS_Session 3 1 0 RADIUS.Acct-Calling-Station-Id=5C-26-0A-71-67-80,C
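As an added example (not part of the thread and not Aruba's or the Splunk app's code), the parser below takes session-log lines of the shape quoted above, splits the syslog/ClearPass header from the comma-separated Key=Value body, and tags each record as login, logoff or unknown. The sample lines are constructed; of the field names, only RADIUS.Acct-Calling-Station-Id and Login-Status appear in the thread. The others (Common.Username, RADIUS.Framed-IP-Address, RADIUS.Acct-Status-Type, RADIUS.Acct-Terminate-Cause) are assumptions about what the export filter would include, and the login/logoff decision rests on the RFC 2866 Acct-Status-Type values Start/Stop being present, which the thread does not confirm. Login-Status alone only records the authentication result, so a line without an accounting status is left as unknown rather than guessed.

```python
import re
from typing import Dict, Optional

# Constructed sample lines, modelled on the one line quoted in the thread.
# Field names other than RADIUS.Acct-Calling-Station-Id and Login-Status
# are assumptions about the export filter, not fields taken from the thread.
SAMPLE_LINES = [
    "May 8 11:30:55 10.237.6.129 2015-05-08: 11:30:55,478 10.237.6.129 "
    "TEST_CPPM_RADIUS_Session 3 1 0 "
    "RADIUS.Acct-Calling-Station-Id=5C-26-0A-71-67-80,Common.Username=jdoe,"
    "RADIUS.Framed-IP-Address=10.10.5.21,RADIUS.Acct-Status-Type=Start,Login-Status=ACCEPT",
    "May 8 12:02:10 10.237.6.129 2015-05-08: 12:02:10,011 10.237.6.129 "
    "TEST_CPPM_RADIUS_Session 4 1 0 "
    "RADIUS.Acct-Calling-Station-Id=5C-26-0A-71-67-80,Common.Username=jdoe,"
    "RADIUS.Framed-IP-Address=10.10.5.21,RADIUS.Acct-Status-Type=Stop,"
    "RADIUS.Acct-Terminate-Cause=Session-Timeout,Login-Status=ACCEPT",
    "May 8 12:05:00 10.237.6.129 2015-05-08: 12:05:00,500 10.237.6.129 "
    "TEST_CPPM_RADIUS_Session 5 1 0 "
    "RADIUS.Acct-Calling-Station-Id=AA-BB-CC-DD-EE-FF,Common.Username=asmith,"
    "Login-Status=ACCEPT",
]

# syslog timestamp, relay host, ClearPass timestamp, ClearPass host,
# export filter name, three numeric counters (meaning not stated in the
# thread), then the Key=Value body.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<relay>\S+) "
    r"(?P<cp_ts>\d{4}-\d\d-\d\d: \d\d:\d\d:\d\d,\d+) (?P<cp_host>\S+) "
    r"(?P<filter>\S+) (?P<counters>\d+ \d+ \d+) (?P<body>.+)$"
)

# Split only on commas that are followed by another Key= token, so a value
# containing a comma would not be cut in half.
KV_SPLIT_RE = re.compile(r",(?=[A-Za-z][\w.\-]*=)")


def parse_fields(body: str) -> Dict[str, str]:
    """Turn 'A=1,B.C=2' into {'A': '1', 'B.C': '2'}; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for pair in KV_SPLIT_RE.split(body):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Map the (assumed) RADIUS accounting status to a login/logoff flag.

    Start/Stop/Interim-Update are the RFC 2866 Acct-Status-Type values; that
    ClearPass exports them under this field name is an assumption.
    """
    status = fields.get("RADIUS.Acct-Status-Type", "").lower()
    if status == "start":
        return "login"
    if status == "stop":
        return "logoff"
    if status == "interim-update":
        return "update"
    return "unknown"  # Login-Status=ACCEPT alone does not say which event this is


def parse_event(line: str) -> Optional[dict]:
    """Parse one exported line into the fields the collector should receive; None if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = parse_fields(m.group("body"))
    return {
        "filter": m.group("filter"),
        "cppm_host": m.group("cp_host"),
        "user": fields.get("Common.Username"),
        "framed_ip": fields.get("RADIUS.Framed-IP-Address"),
        "mac": fields.get("RADIUS.Acct-Calling-Station-Id"),
        "event": classify(fields),
        "terminate_cause": fields.get("RADIUS.Acct-Terminate-Cause"),
        "login_status": fields.get("Login-Status"),
    }


def to_splunk_kv(event: dict) -> str:
    """Render the record as space-separated key=value pairs, skipping absent fields."""
    parts = []
    for key, value in event.items():
        if value is None:
            continue
        if " " in value:
            value = '"%s"' % value.replace('"', '\\"')
        parts.append(f"{key}={value}")
    return " ".join(parts)


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_event(raw)
        print(to_splunk_kv(ev) if ev else f"unparsed: {raw[:60]}...")
```

If the export filter cannot be made to include an accounting status field, the fallback is to correlate on the session identifier the filter does emit and treat the first record per session as the login and the last as the logoff, which is a stateful job better done in the collector than in the syslog filter.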