We're using the Splunk app for ClearPass and are finding it very helpful, but it seems like there is additional information that isn't delivered by the syslog and accounting feeds that we've configured to our Splunk indexer. Specifically, I'd really like to be able to zero in on the response times of an upstream LDAP (non-AD) server against which we're authenticating wireless users. I don't seem to be able to find timing among the log messages that show up on Splunk, though if I look at a particular entry in Access Tracker and click on "Show Logs" I see interesting messages like:
LDAP/AD User lookup time = 6 ms
This doesn't seem to make it to Splunk, but if I pull logs from the server I can see that and lots of other interesting messages regarding timing in:
PolicyManagerLogs/tips-radius-server/radius.log
Is there any way that I can get these messages to be delivered via syslog?