Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass logging to Splunk

  • 1.  Clearpass logging to Splunk

    Posted Aug 27, 2024 09:20 AM

    Good morning,

    We are currently using CPPM 6.11.9 and are a Splunk Cloud customer using the typical ClearPass syslog export filter.

    The ClearPass data comes into our Splunk environment in a raw format, so it's pretty useless. We'd like to be able to do the field extractions using the ClearPass Splunk app, but the app is deprecated on Splunkbase and does not support our versions of CPPM or Splunk. So what are folks using? Are other customers using the deprecated Splunk app or some other method?

    Thanks



  • 2.  RE: Clearpass logging to Splunk

    Posted Aug 27, 2024 09:25 AM

    Can Splunk read CEF or LEEF format of syslog? That has field information included, so it should be easy to parse.

    There is a Tech Note on Splunk with ClearPass, but it refers to probably the same deprecated extension. I can't find it in the extension search. The note may have some guidance for setting up syslog, just in case you didn't find the document yet.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
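    The reply above points out that CEF carries its field names inside the message, which is what makes it more useful than a raw syslog string. As an added example (not code from this thread, HPE, or Splunk), here is a small CEF parser that applies the CEF escaping rules for the header (`\|`) and the extension (`\=`, `\\`, `\n`, `\r`); the sample line, vendor, product and host names are constructed placeholders.

```python
import re

# Constructed sample in the shape a NAC product could emit; vendor, product, host and field values are placeholders.
SAMPLE_CEF = (
    "<14>Aug 27 09:20:00 cppm01 CEF:0|ExampleVendor|ExampleNAC|6.11.9|1001|"
    "802.1X Auth \\| Reject|5|src=10.0.0.5 suser=jdoe "
    "msg=Reason\\=Bad credentials outcome=failure"
)
HEADER_NAMES = ["cef_version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity"]
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair

def split_cef_header(body):
    """Split the 7 header fields on unescaped '|'; return them plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # header escapes: \| and \\
            cur.append(body[i + 1])
            i += 1
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, body[i:]   # extension keeps its own escapes for parse_extension

def unescape_ext(value):
    # extension escapes \= \\ \n \r, undone in a single pass
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_extension(ext):
    keys = list(KEY_RE.finditer(ext))   # values may hold spaces: each runs to the next key=
    ends = [m.start() for m in keys[1:]] + [len(ext)]
    return {m[1]: unescape_ext(ext[m.end():end].strip()) for m, end in zip(keys, ends)}

def parse_cef(line):
    """Locate the CEF payload inside a syslog line and return a flat record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = split_cef_header(line[start:])
    record = dict(zip(HEADER_NAMES, fields))
    record["cef_version"] = record["cef_version"].split(":", 1)[1]   # "CEF:0" -> "0"
    record["extension"] = parse_extension(ext)
    return record
```

    A line that does not carry a CEF payload raises ValueError rather than producing a half-filled record, so malformed events can be routed to a separate index instead of silently losing fields.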



  • 3.  RE: Clearpass logging to Splunk

    Posted 25 days ago

    So, good news: there is now an updated Aruba ClearPass app for Splunk. Apparently, this now supports RFC 5424, which I was told the previous app did not. It does not appear there is any configuration documentation for the new app. Does anyone know where I could find this?

    https://splunkbase.splunk.com/app/5086




  • 4.  RE: Clearpass logging to Splunk

    Posted 24 days ago

    The README.md in the tarball includes the following links:

    ## ClearPass for SPLUNK Technote
    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15501

    ## Supporting XML file for configuring ClearPass Syslog filters
    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15500

    ## ClearPass Technical Documentation
    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6867/Default.aspx