Security

HI, I have question, how to send clearpass onguard webauth posture log  to Qradar in a realtime, I mean how to send all information which onguard agent sends to clearpass?

Because I have  tried to use multiple log types and templates in the clearpass syslog export filters, but I do not see incoming log in the  client Qradar SIEM solution?

Maybe  someone have already done that. Is it even possible to do that?

You may contact Qradar support as what is needed/expected and in what format is generally defined by the SIEM product.

Do you see anything coming in from ClearPass (possibly unparsable)? Have you verified if ClearPass actually sends syslog and if it reaches your SIEM?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Feb 06, 2024 10:09 AM
From: AudriusBi
Subject: ClearPass Onguard syslog to QRadar

HI, I have question, how to send clearpass onguard webauth posture log  to Qradar in a realtime, I mean how to send all information which onguard agent sends to clearpass?

Because I have  tried to use multiple log types and templates in the clearpass syslog export filters, but I do not see incoming log in the  client Qradar SIEM solution?

Maybe  someone have already done that. Is it even possible to do that?

I have defined multiple syslog export targets and filters, but non of them sends clearpass onguard data to syslog target. Common autentication like RADIUS, MAC authentication requests info are sent basically in realtime, but onguard healthy info from onguard agent in my client windows desktop machines are sent to clearpass, but clearpass do not send syslog  to SIEM. The issue is not syslog message format. For QRadar you we use LEEF format as Qradar manual asks, but is not an issue, clearpass support this  format.

Original Message:
Sent: Feb 12, 2024 10:25 AM
From: Herman Robers
Subject: ClearPass Onguard syslog to QRadar

You may contact Qradar support as what is needed/expected and in what format is generally defined by the SIEM product.

Do you see anything coming in from ClearPass (possibly unparsable)? Have you verified if ClearPass actually sends syslog and if it reaches your SIEM?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 06, 2024 10:09 AM
From: AudriusBi
Subject: ClearPass Onguard syslog to QRadar

HI, I have question, how to send clearpass onguard webauth posture log  to Qradar in a realtime, I mean how to send all information which onguard agent sends to clearpass?

Because I have  tried to use multiple log types and templates in the clearpass syslog export filters, but I do not see incoming log in the  client Qradar SIEM solution?

Maybe  someone have already done that. Is it even possible to do that?

I do see in my ClearPass the following showing up in syslog:

Feb 12 14:00:58 cppm 1 2024-02-12T14:00:58.559+01:00 cppm.arubalab.com ClearPass 16794 61478-2-0 [timeQuality tzKnown="1"][origin swVersion="6.12.0.300732" software="PolicyManager" ip="192.168.32.51" enterpriseId="1.3.6.1.4.1.14823"][clearPass@14823 eventId="3010" Endpoint.Antivirus-Output="{\"apt\": \"HEALTHY\", \"Microsoft Defender ATP\": {\"apt\": \"HEALTHY\", \"failed_checks\": {}}}" Endpoint.MAC-Address="000c2900c9ef" Endpoint.System-Posture-Token="HEALTHY" CppmNode.CPPM-Node="192.168.32.51" Endpoint.System-Client-OS="Windows 10" Endpoint.System-Agent-Type="OnGuardAgentService" Endpoint.Username="000c2900c9ef" Endpoint.Antivirus-Input="{\"Windows Defender\": {\"rtp\": \"On\", \"vendor\": \"Microsoft Corporation\", \"version\": \"4.18.23110.3\", \"dat_file_time\": \"2024-01-14 03:39:03\", \"engine_version\": \"1.1.23110.2\", \"dat_file_version\": \"1.403.2130.0\"}, \"Microsoft Defender ATP\": {\"rtp\": \"On\", \"vendor\": \"Microsoft Corporation\", \"version\": \"10.0.22000.2538\", \"dat_file_time\": \"2024-01-15 01:00:00\",
Feb 12 16:17:06 cppm 1 2024-02-12T16:17:06.002+01:00 cppm.arubalab.com ClearPass 16794 62725-1-0 [timeQuality tzKnown="1"][origin swVersion="6.12.0.300732" software="PolicyManager" ip="192.168.32.51" enterpriseId="1.3.6.1.4.1.14823"][clearPass@14823 eventId="3009" Endpoint.System-Agent-Type="OnGuardAgentService" Endpoint.Username="000c2953c3d1" Endpoint.Posture-Healthy="[\"ClientVersion\"\]" Endpoint.Hostname="dc02.nl.arubalab.com" Endpoint.MAC-Address="000c2953c3d1" Endpoint.IP-Address="" Endpoint.System-Posture-Token="HEALTHY" Endpoint.Posture-Unhealthy="[\]" CppmNode.CPPM-Node="192.168.32.51" Endpoint.System-Agent-Version="6.12.0.300732" Endpoint.System-Client-OS="Windows Server 2019"]

If that is what you want, then it's probably one of the Posture attributes in the Syslog Export Filter:

But as I have 15 or so, I don't know exactly which one it is.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Feb 13, 2024 01:23 AM
From: AudriusBi
Subject: ClearPass Onguard syslog to QRadar

I have defined multiple syslog export targets and filters, but non of them sends clearpass onguard data to syslog target. Common autentication like RADIUS, MAC authentication requests info are sent basically in realtime, but onguard healthy info from onguard agent in my client windows desktop machines are sent to clearpass, but clearpass do not send syslog  to SIEM. The issue is not syslog message format. For QRadar you we use LEEF format as Qradar manual asks, but is not an issue, clearpass support this  format.

Original Message:
Sent: Feb 12, 2024 10:25 AM
From: Herman Robers
Subject: ClearPass Onguard syslog to QRadar

You may contact Qradar support as what is needed/expected and in what format is generally defined by the SIEM product.

Do you see anything coming in from ClearPass (possibly unparsable)? Have you verified if ClearPass actually sends syslog and if it reaches your SIEM?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 06, 2024 10:09 AM
From: AudriusBi
Subject: ClearPass Onguard syslog to QRadar

HI, I have question, how to send clearpass onguard webauth posture log  to Qradar in a realtime, I mean how to send all information which onguard agent sends to clearpass?

Because I have  tried to use multiple log types and templates in the clearpass syslog export filters, but I do not see incoming log in the  client Qradar SIEM solution?

Maybe  someone have already done that. Is it even possible to do that?