So for audit reasons, we need syslog to have at the very least what guest is mapped to what MAC or IP (either will do, because we have DHCP logs to verify the MAC to IP mappings). We do have syslog set up, but I think the syslog filters aren't right; we don't see anything that would map the guest to a session or MAC/IP.
We don't really need any more than this. Is there a syslog entry that will just syslog when the user authenticates (like a RADIUS audit)? I realize it can be had on the servers themselves, but we need to use syslog both to pass along audit info to other services and so we can source the traffic in the more distant past than the ClearPass allows.
The article here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-to-perform-legal-interception/m-p/3823 might provide some information.
To be succinct, here is how I get that information:
show log all | include Successful
While that might work, that isn't using syslog. That means I have to get on the system and do something; I am talking about just perusing syslog entries that are stored offline.
You could grep syslog for "Successful". You would have to syslog the security and user logs with the level of "notifications" however.
Yes, I will try that.