Security

Hey guys,

i modified one of our Syslog Export Filters by adding a new syslog server and removing two Clearpass servers from the filter. Basically did some adjustments and saved them several times. At some point I noticed the existing logging stopped working after my adjustments. I did some troubleshooting and removed all of my changes, but the CPs won't log anymore to the syslog server based on the old export and data filters. I read some old threads and decided at some point to remove the config and re-create it, hoping for the best :) but still nothing coming out of the CP :(

TCPdump on the syslog server and also on the CP appliance confirm: nothing gets sent out on port 514 from the CP, except the CP system logs which are totally fine. 

Does anyone have a hint or an idea? Currently ran out of ideas what could be the reason. Pls note: no changes on the network etc. have been done. Maybe somehow the service is stuck on the CP?

Cheers

Arthur

I checked TAC cases and found one where the syslog servers have been unreachable for some time and ClearPass for some reason did not pickup again. There modyfing anything with syslog, like you did solved the issue. So that probably is not it.

Also I found multiple cases where session logs were being sent, but the ClearPass appliance in question did not receive accounting data.

If you can't solve it with this, it may be best to get TAC involved to do further analysis.

Hey guys,

i modified one of our Syslog Export Filters by adding a new syslog server and removing two Clearpass servers from the filter. Basically did some adjustments and saved them several times. At some point I noticed the existing logging stopped working after my adjustments. I did some troubleshooting and removed all of my changes, but the CPs won't log anymore to the syslog server based on the old export and data filters. I read some old threads and decided at some point to remove the config and re-create it, hoping for the best :) but still nothing coming out of the CP :(

TCPdump on the syslog server and also on the CP appliance confirm: nothing gets sent out on port 514 from the CP, except the CP system logs which are totally fine. 

Does anyone have a hint or an idea? Currently ran out of ideas what could be the reason. Pls note: no changes on the network etc. have been done. Maybe somehow the service is stuck on the CP?

Cheers

Arthur

Hi Herman,

i managed to get it running again. So I went through the audit viewer and double checked my changes. Somehow i accidentally reset the "selected columns" in the data filter to default values. 

1. Common.Username
2. Common.Service
3. Common.Roles
4. Common.Host-MAC-Address
5. RADIUS.Acct-Framed-IP-Address
6. Common.NAS-IP-Address
7. Common.Request-Timestamp

After adjusting the columns by removing those I don't need the logging started working again.

Cheers!

I checked TAC cases and found one where the syslog servers have been unreachable for some time and ClearPass for some reason did not pickup again. There modyfing anything with syslog, like you did solved the issue. So that probably is not it.

Also I found multiple cases where session logs were being sent, but the ClearPass appliance in question did not receive accounting data.

If you can't solve it with this, it may be best to get TAC involved to do further analysis.

Hey guys,

i modified one of our Syslog Export Filters by adding a new syslog server and removing two Clearpass servers from the filter. Basically did some adjustments and saved them several times. At some point I noticed the existing logging stopped working after my adjustments. I did some troubleshooting and removed all of my changes, but the CPs won't log anymore to the syslog server based on the old export and data filters. I read some old threads and decided at some point to remove the config and re-create it, hoping for the best :) but still nothing coming out of the CP :(

TCPdump on the syslog server and also on the CP appliance confirm: nothing gets sent out on port 514 from the CP, except the CP system logs which are totally fine. 

Does anyone have a hint or an idea? Currently ran out of ideas what could be the reason. Pls note: no changes on the network etc. have been done. Maybe somehow the service is stuck on the CP?

Cheers

Arthur

Dear @aboehm,

did you remove field common.roles and radius.acct-framed-ip-address to solve this issue ?

Hi Herman,

i managed to get it running again. So I went through the audit viewer and double checked my changes. Somehow i accidentally reset the "selected columns" in the data filter to default values. 

1. Common.Username
2. Common.Service
3. Common.Roles
4. Common.Host-MAC-Address
5. RADIUS.Acct-Framed-IP-Address
6. Common.NAS-IP-Address
7. Common.Request-Timestamp

After adjusting the columns by removing those I don't need the logging started working again.

Cheers!

I checked TAC cases and found one where the syslog servers have been unreachable for some time and ClearPass for some reason did not pickup again. There modyfing anything with syslog, like you did solved the issue. So that probably is not it.

Also I found multiple cases where session logs were being sent, but the ClearPass appliance in question did not receive accounting data.

If you can't solve it with this, it may be best to get TAC involved to do further analysis.

Hey guys,

i modified one of our Syslog Export Filters by adding a new syslog server and removing two Clearpass servers from the filter. Basically did some adjustments and saved them several times. At some point I noticed the existing logging stopped working after my adjustments. I did some troubleshooting and removed all of my changes, but the CPs won't log anymore to the syslog server based on the old export and data filters. I read some old threads and decided at some point to remove the config and re-create it, hoping for the best :) but still nothing coming out of the CP :(

TCPdump on the syslog server and also on the CP appliance confirm: nothing gets sent out on port 514 from the CP, except the CP system logs which are totally fine. 

Does anyone have a hint or an idea? Currently ran out of ideas what could be the reason. Pls note: no changes on the network etc. have been done. Maybe somehow the service is stuck on the CP?

Cheers

Arthur

Hello Hudaya,
yes, that's correct. I removed those and it started working again.

Cheers
Arthur

Dear @aboehm,

did you remove field common.roles and radius.acct-framed-ip-address to solve this issue ?

Hi Herman,

i managed to get it running again. So I went through the audit viewer and double checked my changes. Somehow i accidentally reset the "selected columns" in the data filter to default values. 

1. Common.Username
2. Common.Service
3. Common.Roles
4. Common.Host-MAC-Address
5. RADIUS.Acct-Framed-IP-Address
6. Common.NAS-IP-Address
7. Common.Request-Timestamp

After adjusting the columns by removing those I don't need the logging started working again.

Cheers!

I checked TAC cases and found one where the syslog servers have been unreachable for some time and ClearPass for some reason did not pickup again. There modyfing anything with syslog, like you did solved the issue. So that probably is not it.

Also I found multiple cases where session logs were being sent, but the ClearPass appliance in question did not receive accounting data.

If you can't solve it with this, it may be best to get TAC involved to do further analysis.

Hey guys,

i modified one of our Syslog Export Filters by adding a new syslog server and removing two Clearpass servers from the filter. Basically did some adjustments and saved them several times. At some point I noticed the existing logging stopped working after my adjustments. I did some troubleshooting and removed all of my changes, but the CPs won't log anymore to the syslog server based on the old export and data filters. I read some old threads and decided at some point to remove the config and re-create it, hoping for the best :) but still nothing coming out of the CP :(

TCPdump on the syslog server and also on the CP appliance confirm: nothing gets sent out on port 514 from the CP, except the CP system logs which are totally fine. 

Does anyone have a hint or an idea? Currently ran out of ideas what could be the reason. Pls note: no changes on the network etc. have been done. Maybe somehow the service is stuck on the CP?

Cheers

Arthur

Dear aboehm,

noted, thanks for your confirmation 

Hello Hudaya,
yes, that's correct. I removed those and it started working again.

Cheers
Arthur

Dear @aboehm,

did you remove field common.roles and radius.acct-framed-ip-address to solve this issue ?

Hi Herman,

i managed to get it running again. So I went through the audit viewer and double checked my changes. Somehow i accidentally reset the "selected columns" in the data filter to default values. 

1. Common.Username
2. Common.Service
3. Common.Roles
4. Common.Host-MAC-Address
5. RADIUS.Acct-Framed-IP-Address
6. Common.NAS-IP-Address
7. Common.Request-Timestamp

After adjusting the columns by removing those I don't need the logging started working again.

Cheers!

I checked TAC cases and found one where the syslog servers have been unreachable for some time and ClearPass for some reason did not pickup again. There modyfing anything with syslog, like you did solved the issue. So that probably is not it.

Also I found multiple cases where session logs were being sent, but the ClearPass appliance in question did not receive accounting data.

If you can't solve it with this, it may be best to get TAC involved to do further analysis.

Hey guys,

i modified one of our Syslog Export Filters by adding a new syslog server and removing two Clearpass servers from the filter. Basically did some adjustments and saved them several times. At some point I noticed the existing logging stopped working after my adjustments. I did some troubleshooting and removed all of my changes, but the CPs won't log anymore to the syslog server based on the old export and data filters. I read some old threads and decided at some point to remove the config and re-create it, hoping for the best :) but still nothing coming out of the CP :(

TCPdump on the syslog server and also on the CP appliance confirm: nothing gets sent out on port 514 from the CP, except the CP system logs which are totally fine. 

Does anyone have a hint or an idea? Currently ran out of ideas what could be the reason. Pls note: no changes on the network etc. have been done. Maybe somehow the service is stuck on the CP?

Cheers

Arthur