The Loggly solution analyzes log data from virtually any application, system or platform to answer your burning questions. This integration allows ClearPass to add the context of network events to the data available to Loggly for analysis and reporting. The network event could be as simple as a successful or failed authentication, through to complex triggers based on network device posture, location, time of day, etc.
AH contributor: cam
Specifications

Administration -> External Servers -> Endpoint Context Servers

| Setting | Value |
| --- | --- |
| Select Server Type | Generic HTTP |
| Server Name | <Your integration name> |
| Server Base URL | https://logs-01.loggly.com |
| Username | <Not Applicable> |
| Password | <Not Applicable> |

Administration -> Dictionaries -> Context Server Actions

Action Tab

| Setting | Value |
| --- | --- |
| Server Type | Generic HTTP |
| Server Name | <Select your integration name> |
| Action Name | <Describe the action> |
| HTTP Method | POST |
| URL | /inputs/%{customer-token}/tag/http/ |

Header Tab

| Header Name | Header Value |
| --- | --- |
| Content-Type | application/json |

Content Tab

| Setting | Value |
| --- | --- |
| Content-Type | JSON |
| Content | {"serial_num": "%{Endpoint:Serial Number}","os_version": "%{Endpoint:OS Version}","user": "%{Authentication:Full-Username}","mac_address": "%{Connection:Client-Mac-Address}","short_description": "Compromised Device WiFi Connection Attempt","model": "%{Endpoint:Model}","location": "%{Radius:Aruba:Aruba-Location-Id}"} |

Attributes Tab

| Attribute Name | Attribute Value |
| --- | --- |
| customer-token | {your customer token} |
| Endpoint:Serial Number | unknown |
| Endpoint:OS Version | unknown |
| Authentication:Full-Username | unknown |
| Connection:Client-Mac-Address | unknown |
| Endpoint:Model | unknown |
| Radius:Aruba:Aruba-Location-Id | unknown |
Tips & Tricks

Note that the Loggly customer token needs to be included in the URL path for the API call. The example uses a parameter %{customer-token}, which is referenced in the Attributes definition, so the token is substituted into the URL at send time. Be sure to get the customer token for your deployment by logging into the Loggly dashboard and browsing to the Source Setup > Customer Token page. Because the token authorises log submission to your account and travels in the URL path, treat it as a credential: keep it out of shared screenshots and mask it in any local log that records the request URL.
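The following is an added example, not part of the original page or of ClearPass, that models how the action above is assembled: each %{Name} parameter in the URL and Content is replaced by the session attribute when ClearPass has one, otherwise by the Attributes-tab default ("unknown"), and the customer token lands in the URL path. The defaults and templates are copied from the tables above; the token value and sample session attributes are constructed placeholders, and the validity check on the rendered JSON and the token-masking helper are this example's own additions.

```python
import json
import re

# Attributes tab from the page: template parameters and the default used when the
# session has no value for an attribute. Token value is a constructed placeholder.
DEFAULTS = {
    "customer-token": "REPLACE-WITH-YOUR-CUSTOMER-TOKEN",
    "Endpoint:Serial Number": "unknown",
    "Endpoint:OS Version": "unknown",
    "Authentication:Full-Username": "unknown",
    "Connection:Client-Mac-Address": "unknown",
    "Endpoint:Model": "unknown",
    "Radius:Aruba:Aruba-Location-Id": "unknown",
}

# URL and Content fields from the page's Action definition
URL_TEMPLATE = "/inputs/%{customer-token}/tag/http/"
CONTENT_TEMPLATE = (
    '{"serial_num": "%{Endpoint:Serial Number}","os_version": "%{Endpoint:OS Version}",'
    '"user": "%{Authentication:Full-Username}","mac_address": "%{Connection:Client-Mac-Address}",'
    '"short_description": "Compromised Device WiFi Connection Attempt",'
    '"model": "%{Endpoint:Model}","location": "%{Radius:Aruba:Aruba-Location-Id}"}'
)

PARAM = re.compile(r"%\{([^}]+)\}")


def render(template, attrs, defaults=DEFAULTS):
    """Replace each %{Name} with the session attribute, else the Attributes-tab default."""
    def lookup(match):
        name = match.group(1)
        if name in attrs:
            return attrs[name]
        if name in defaults:
            return defaults[name]
        raise KeyError(f"no session value or default for %{{{name}}}")
    return PARAM.sub(lookup, template)


def build_request(attrs, base_url="https://logs-01.loggly.com"):
    """Return (url, headers, body) for the Generic HTTP POST; rejects a body that is not valid JSON."""
    url = base_url + render(URL_TEMPLATE, attrs)
    body = render(CONTENT_TEMPLATE, attrs)
    json.loads(body)  # an attribute containing '"' breaks the template; fail here, not silently at Loggly
    return url, {"Content-Type": "application/json"}, body


def event_fields(attrs):
    """Parsed JSON fields of the event that would be posted for the given session attributes."""
    return json.loads(build_request(attrs)[2])


def redact(url):
    """Mask the customer token before the request URL is written to a local log."""
    return re.sub(r"/inputs/[^/]+/", "/inputs/<redacted>/", url)
```

Run `build_request` with a dictionary of the ClearPass attributes you expect a session to carry; any attribute you leave out falls back to "unknown" exactly as the Attributes tab specifies.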