02-05-2015 01:51 PM
I ran into something yesterday, and wanted to pick a few brains about it. The sample SQL code for the syslog export filter in ClearPass 6.3 has code along these lines:
select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp <= --END-TIME--))
While testing, I bumped into a duplicate record in my syslog data. My guess is that the record was cut EXACTLY at --END-TIME-- of one of the intervals. Assuming clearpass iterates through the logs by setting the next START-TIME to the previous END-TIME, the example select logic is flawed, in that it's using ">=" and "<=", meaning that a timestamp right on the edge would be picked up twice.
I'm considering modifying my custom export filter code as follows:
select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp < --END-TIME--))
(note removing the "=" on the end time test.)
Does this make sense, or am I barking up the wrong tree because Clearpass makes sure that END-TIME will never match the next START-TIME somehow, or that the START and END times will NEVER match a timestamp in the database? If this does seem legit, then perhaps Clearpass should amend the sample SQL when you hit the link it offers.
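As an added illustration of the boundary problem described above (this is not code from the post or from ClearPass): a small sqlite simulation that walks fixed export windows where each window's start is the previous window's end, the iteration behaviour the poster assumes, and runs both predicates against a constructed table containing one record that sits exactly on a window boundary. Table name, integer timestamps and window size are assumptions for the example.

```python
import sqlite3

# Constructed sample: five syslog rows; id 3 sits exactly on the
# window boundary at ts=20. Integer timestamps keep the example simple.
SAMPLE_ROWS = [(1, 5), (2, 15), (3, 20), (4, 25), (5, 38)]

# The two predicates under discussion. --START-TIME-- and --END-TIME--
# from the ClearPass sample become bound parameters here.
CLOSED_INTERVAL = "SELECT id FROM syslog WHERE (ts >= ?) AND (ts <= ?)"
HALF_OPEN_INTERVAL = "SELECT id FROM syslog WHERE (ts >= ?) AND (ts < ?)"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syslog (id INTEGER PRIMARY KEY, ts INTEGER)")
    conn.executemany("INSERT INTO syslog VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def export(conn, query, start, stop, step):
    """Simulate the exporter: each window's START-TIME is the previous
    window's END-TIME; collect every id each window returns."""
    exported = []
    window_start = start
    while window_start < stop:
        window_end = window_start + step
        rows = conn.execute(query, (window_start, window_end)).fetchall()
        exported.extend(r[0] for r in rows)
        window_start = window_end
    return exported


def duplicates(ids):
    seen, dups = set(), set()
    for i in ids:
        if i in seen:
            dups.add(i)
        seen.add(i)
    return sorted(dups)


def compare(start=0, stop=40, step=10):
    """Run both predicates over the same windows and report duplicates."""
    conn = build_db()
    closed = export(conn, CLOSED_INTERVAL, start, stop, step)
    half_open = export(conn, HALF_OPEN_INTERVAL, start, stop, step)
    return {"closed": closed, "half_open": half_open,
            "closed_dups": duplicates(closed),
            "half_open_dups": duplicates(half_open)}
```

With the closed interval the boundary record (id 3) is returned by both the 10-20 and 20-30 windows; the half-open interval returns each row exactly once.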
02-07-2015 10:24 AM
We did have some duplicate syslog message issues in 6.3. This was fixed in the 6.4 code.
Look in the release notes for #23735; hopefully this is your problem.
Snr Tech Marketing Engineer - ClearPass