Security

Hi,

I have been playing around with the syslogs in Clear Pass and have successfully set up our syslog server to receive TACACs logs. We are particularly interested in failed login attempts to our network devices and would like to see these come across. They seem to come across fine, but the log doesn't show much info in the syslog itself (only the username that attempted and that it was a failed attempt), it doesn't show where it came from or what it was trying to access. It includes the session ID which is something, so at least we can look this up in Clear Pass, but it would be nice to see a fuller log. Does anyone know if this is this something that can be achieved? - It's currently set to 'Warnings', but I have also tried 'informational'.

Thanks.

Did you find the option for Syslog Export Filters? That allows you to send authentication/audit logs to a syslog server with configurable columns:

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 25, 2023 06:07 AM
From: mattrees
Subject: Clear Pass Syslog - TACACS Auth Login Failures

Hi,

I have been playing around with the syslogs in Clear Pass and have successfully set up our syslog server to receive TACACs logs. We are particularly interested in failed login attempts to our network devices and would like to see these come across. They seem to come across fine, but the log doesn't show much info in the syslog itself (only the username that attempted and that it was a failed attempt), it doesn't show where it came from or what it was trying to access. It includes the session ID which is something, so at least we can look this up in Clear Pass, but it would be nice to see a fuller log. Does anyone know if this is this something that can be achieved? - It's currently set to 'Warnings', but I have also tried 'informational'.

Thanks.

Thanks for the reply. I tired working in there originally and nothing was coming through, so I enabled it here (see below):

That works now, but gives me the limited info.

Original Message:
Sent: Aug 25, 2023 07:01 AM
From: Herman Robers
Subject: Clear Pass Syslog - TACACS Auth Login Failures

Did you find the option for Syslog Export Filters? That allows you to send authentication/audit logs to a syslog server with configurable columns:

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 25, 2023 06:07 AM
From: mattrees
Subject: Clear Pass Syslog - TACACS Auth Login Failures

Hi,

I have been playing around with the syslogs in Clear Pass and have successfully set up our syslog server to receive TACACs logs. We are particularly interested in failed login attempts to our network devices and would like to see these come across. They seem to come across fine, but the log doesn't show much info in the syslog itself (only the username that attempted and that it was a failed attempt), it doesn't show where it came from or what it was trying to access. It includes the session ID which is something, so at least we can look this up in Clear Pass, but it would be nice to see a fuller log. Does anyone know if this is this something that can be achieved? - It's currently set to 'Warnings', but I have also tried 'informational'.

Thanks.