Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Tacacs command logging from devices to clearpass to Qradar via export filter

  • 1.  Tacacs command logging from devices to clearpass to Qradar via export filter

    Posted Jan 05, 2017 07:12 PM

    Having an issue getting commands from, say, a Cisco router to be exported to an IBM Qradar server. We get a syslog entry with the username, remote address, timestamps and a bunch of other stuff, but we're missing:

    The command typed

    Device they actually logged into, not their PC address.

    I have tacacs.command set in the export filter, but not sure if that's really getting me what we want.

    Router has the standard accounting profiles start stop, for 0, 1, and 15 priv levels.

    We know the messages are getting there as they're timestamped when I do something like show run. Just don't see the actual command or device it was from.



  • 2.  RE: Tacacs command logging from devices to clearpass to Qradar via export filter

    Posted Jan 09, 2017 05:10 AM
    Hi,

    Are there any Aruba/HPE devices involved here?



  • 3.  RE: Tacacs command logging from devices to clearpass to Qradar via export filter

    Posted Jan 09, 2017 10:21 AM

    Yeah, sorry, ClearPass is what's receiving the logs; the export filters refuse to export the commands and device. Get everything else.



  • 4.  RE: Tacacs command logging from devices to clearpass to Qradar via export filter

    Posted Jan 09, 2017 10:27 AM

    Hi,

    Gotcha. I blogged about this as I had a very similar situation. Check it out here. </shameless plug> It should help in setting up an export filter so you can see the commands and details you need.