The README.md in the tarball includes the following links:
## ClearPass for SPLUNK Technote
http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15501
## Supporting XML file for configuring ClearPass Syslog filters
http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15500
## ClearPass Technical Documentation
http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6867/Default.aspx
Original Message:
Sent: Sep 16, 2024 02:22 PM
From: Steven Weissenburger
Subject: Clearpass logging to Splunk
So good news as there is now an updated Aruba Clearpass app for Splunk. Apparently, this now supports RFC 5424 which i was told the previous app did not. It does not appear there is any configuration documention for the new app. Does anyone know where I could find this?
https://splunkbase.splunk.com/app/5086
Original Message:
Sent: Aug 27, 2024 09:25 AM
From: Herman Robers
Subject: Clearpass logging to Splunk
Can Splunk read CEF or LEEF format of syslog? That has field information included, so should be easy to parse.
There is a Tech Note on Splunk with ClearPass, but it refers to probably the same deprecated extension. I can't find it in the extension search. The note may have some guidance for setting up syslog, just in case you didn't find the document yet.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 27, 2024 08:38 AM
From: wiseguy333
Subject: Clearpass logging to Splunk
Good morning,
We are currently using CPPM 6.11.9 and are a splunk cloud customer and using the typical clearpass syslog export filter.
The clearpass data comes into our splunk environment in a raw format so pretty useless. We'd like to be able to do the field extractions using the Clearpass Splunk app but the app is depricated on splunkbase and does not support our versions of CPPM or Splunk. So what are folks using? Are other customers using the depricated Splunk app or some other method?
Thanks