New Contributor
Posts: 2
Registered: 08-21-2014

syslog export filters - --BEGIN-TIME-- and --END-TIME--

Hi,

I ran into something yesterday and wanted to pick a few brains about it. The sample SQL code for the syslog export filter in ClearPass 6.3 has code along these lines:

select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp <= --END-TIME--))

While testing, I bumped into a duplicate record in my syslog data. My guess is that the record was cut EXACTLY at --END-TIME-- of one of the intervals. Assuming ClearPass iterates through the logs by setting the next START-TIME to the previous END-TIME, the example select logic is flawed, in that it uses ">=" and "<=", meaning that a timestamp right on the edge would be picked up twice.

I'm considering modifying the SQL in my custom export filter as follows:

select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp < --END-TIME--))

(Note the removal of the "=" from the end-time test.)

Does this make sense, or am I barking up the wrong tree because ClearPass makes sure that END-TIME will never match the next START-TIME somehow, or that the START and END times will NEVER match a timestamp in the database? If this does seem legit, then perhaps ClearPass should amend the sample SQL when you hit the link it offers.

Mike

Cornell University
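The boundary problem Mike describes, as an added example that is not part of the original thread and not ClearPass code: a small Python/sqlite3 script runs both versions of the window query over constructed sample rows, walking a time range in fixed windows where each window's START-TIME is the previous window's END-TIME (the assumption made in the post). The table and column names, the integer timestamps and the exporter loop are all assumptions made for illustration; the --START-TIME-- / --END-TIME-- placeholders are replaced with bound parameters.

```python
import sqlite3

# Constructed sample rows (not real ClearPass data): integer timestamps stand
# in for the audit-table timestamp column. Rows 3 and 5 sit exactly on an
# export-window edge when the range 100..400 is walked in steps of 100.
SAMPLE_ROWS = [
    (1, 100, "radius auth user=alice"),
    (2, 150, "radius auth user=bob"),
    (3, 200, "radius auth user=carol"),
    (4, 250, "radius auth user=dave"),
    (5, 300, "radius auth user=erin"),
]

# The two filter variants from the post, with --START-TIME-- / --END-TIME--
# replaced by bound parameters. Table and column names are hypothetical.
CLOSED_INTERVAL_SQL = (
    "SELECT id, ts, msg FROM radius_log "
    "WHERE ts >= ? AND ts <= ? ORDER BY ts"
)
HALF_OPEN_INTERVAL_SQL = (
    "SELECT id, ts, msg FROM radius_log "
    "WHERE ts >= ? AND ts < ? ORDER BY ts"
)


def build_db():
    """In-memory table loaded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE radius_log (id INTEGER PRIMARY KEY, ts INTEGER, msg TEXT)"
    )
    con.executemany("INSERT INTO radius_log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def export_windows(con, sql, start, end, step):
    """Emulate an exporter that walks [start, end) in fixed windows and sets
    each window's START-TIME to the previous window's END-TIME (the
    assumption made in the post). Returns exported row ids in order."""
    exported = []
    window_start = start
    while window_start < end:
        window_end = window_start + step
        rows = con.execute(sql, (window_start, window_end)).fetchall()
        exported.extend(row[0] for row in rows)
        window_start = window_end
    return exported


def duplicates(ids):
    """Ids that appear more than once, in the order they repeat."""
    seen, dups = set(), []
    for i in ids:
        if i in seen:
            dups.append(i)
        seen.add(i)
    return dups


def compare(start=100, end=400, step=100):
    """Run both query variants over the same windows and report duplicates."""
    con = build_db()
    closed = export_windows(con, CLOSED_INTERVAL_SQL, start, end, step)
    half_open = export_windows(con, HALF_OPEN_INTERVAL_SQL, start, end, step)
    return {
        "closed": closed,
        "closed_dups": duplicates(closed),
        "half_open": half_open,
        "half_open_dups": duplicates(half_open),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:15} {value}")
```

With the windows [100,200], [200,300], [300,400] the closed interval exports rows 3 and 5 twice; the half-open interval exports each row exactly once. The fix only holds if the exporter really does start the next window at exactly the previous END-TIME: if it instead starts strictly after it, the half-open form drops the boundary row rather than duplicating it, so check how the windows are generated before changing the comparison. A timestamp column with finer resolution than the window edges is the other common source of this kind of off-by-one duplicate or gap.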

Moderator
Posts: 496
Registered: 11-09-2012

Re: syslog export filters - --BEGIN-TIME-- and --END-TIME--

Mike,

We did have some duplicate syslog message issues in 6.3. This was fixed in the 6.4 code.

Look in the release notes for #23735; hopefully this is your problem.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Contributor II
Posts: 41
Registered: 05-15-2014

Re: syslog export filters - --BEGIN-TIME-- and --END-TIME--

The key with the SQL used to generate syslog is to ensure that you don't generate multiple rows as a result of not specifying the inner table joins properly. This can generate multiples, let alone duplicates.

Regards,
Chris
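Chris's point about joins, as an added example that is not from the thread and not ClearPass code: constructed session and attribute tables in sqlite3 show a join keyed only on session_id fanning each session out once per attribute row, next to the same join with its predicate pinned to the single attribute wanted. The table names, columns and values are hypothetical.

```python
import sqlite3

# Constructed sample data (not real ClearPass tables): two auth sessions,
# each with three attribute rows in a child table.
SESSIONS = [(1, "alice", 100), (2, "bob", 110)]
ATTRS = [
    (1, "Calling-Station-Id", "aa-bb-cc-00-00-01"),
    (1, "NAS-IP-Address", "10.0.0.1"),
    (1, "Framed-IP-Address", "10.1.0.5"),
    (2, "Calling-Station-Id", "aa-bb-cc-00-00-02"),
    (2, "NAS-IP-Address", "10.0.0.1"),
    (2, "Framed-IP-Address", "10.1.0.6"),
]

# Join keyed on session_id only: every attribute row fans the session out,
# so one authentication becomes three syslog messages.
FAN_OUT_SQL = """
SELECT s.session_id, s.username, a.value
FROM auth_session s
JOIN auth_attr a ON a.session_id = s.session_id
ORDER BY s.session_id, a.name
"""

# Join predicate pinned to the single attribute wanted: one row per session.
ONE_ROW_SQL = """
SELECT s.session_id, s.username, a.value AS mac
FROM auth_session s
JOIN auth_attr a
  ON a.session_id = s.session_id
 AND a.name = 'Calling-Station-Id'
ORDER BY s.session_id
"""


def build_db():
    """In-memory tables loaded with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE auth_session "
        "(session_id INTEGER PRIMARY KEY, username TEXT, ts INTEGER)"
    )
    con.execute(
        "CREATE TABLE auth_attr (session_id INTEGER, name TEXT, value TEXT)"
    )
    con.executemany("INSERT INTO auth_session VALUES (?, ?, ?)", SESSIONS)
    con.executemany("INSERT INTO auth_attr VALUES (?, ?, ?)", ATTRS)
    return con


def run(sql):
    """Rows the export filter would hand to the syslog writer."""
    return build_db().execute(sql).fetchall()


def rows_per_session(sql):
    """Emitted rows per session_id; anything above 1 is a fan-out."""
    counts = {}
    for row in run(sql):
        counts[row[0]] = counts.get(row[0], 0) + 1
    return counts


if __name__ == "__main__":
    print("fan-out:", rows_per_session(FAN_OUT_SQL))
    print("pinned: ", rows_per_session(ONE_ROW_SQL))
```

A quick sanity check for any filter query is to compare its row count with the row count of the driving table over the same time window; if the query returns more rows than there are events, some join is multiplying them.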