I have been playing around with the syslogs in Clear Pass and have successfully set up our syslog server to receive TACACs logs. We are particularly interested in failed login attempts to our network devices and would like to see these come across. They seem to come across fine, but the log doesn't show much info in the syslog itself (only the username that attempted and that it was a failed attempt), it doesn't show where it came from or what it was trying to access. It includes the session ID which is something, so at least we can look this up in Clear Pass, but it would be nice to see a fuller log. Does anyone know if this is this something that can be achieved? - It's currently set to 'Warnings', but I have also tried 'informational'.
Did you find the option for Syslog Export Filters? That allows you to send authentication/audit logs to a syslog server with configurable columns:
Thanks for the reply. I tired working in there originally and nothing was coming through, so I enabled it here (see below):That works now, but gives me the limited info.
------------------------------Herman Robers------------------------If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.Original Message:Sent: Aug 25, 2023 06:07 AMFrom: mattreesSubject: Clear Pass Syslog - TACACS Auth Login Failures
Yes, that is expected as these are process logs, not authentication/accounting logs. These are different logs.
For more detailed authentication information like usernames, you need to create syslog servers and syslog filters. If that doesn't work, try to find out why that doesn't work. Your Aruba partner or Aruba Support may be able to assist in that.
Original Message:Sent: Aug 25, 2023 07:01 AMFrom: Herman RobersSubject: Clear Pass Syslog - TACACS Auth Login Failures
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.