Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clear Pass Syslog - TACACS Auth Login Failures

This thread has been viewed 14 times
  • 1.  Clear Pass Syslog - TACACS Auth Login Failures

    Posted Aug 25, 2023 06:08 AM

    Hi,

    I have been playing around with the syslogs in Clear Pass and have successfully set up our syslog server to receive TACACs logs. We are particularly interested in failed login attempts to our network devices and would like to see these come across. They seem to come across fine, but the log doesn't show much info in the syslog itself (only the username that attempted and that it was a failed attempt), it doesn't show where it came from or what it was trying to access. It includes the session ID which is something, so at least we can look this up in Clear Pass, but it would be nice to see a fuller log. Does anyone know if this is this something that can be achieved? - It's currently set to 'Warnings', but I have also tried 'informational'.

    Thanks.



  • 2.  RE: Clear Pass Syslog - TACACS Auth Login Failures

    EMPLOYEE
    Posted Aug 25, 2023 07:02 AM

    Did you find the option for Syslog Export Filters? That allows you to send authentication/audit logs to a syslog server with configurable columns:



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clear Pass Syslog - TACACS Auth Login Failures

    Posted Aug 25, 2023 07:21 AM

    Thanks for the reply. I tired working in there originally and nothing was coming through, so I enabled it here (see below):

    That works now, but gives me the limited info.




  • 4.  RE: Clear Pass Syslog - TACACS Auth Login Failures

    EMPLOYEE
    Posted Sep 04, 2023 04:20 AM

    Yes, that is expected as these are process logs, not authentication/accounting logs. These are different logs.

    For more detailed authentication information like usernames, you need to create syslog servers and syslog filters. If that doesn't work, try to find out why that doesn't work. Your Aruba partner or Aruba Support may be able to assist in that.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------