Higher Education

 View Only
last person joined: 12 days ago 

Got questions on how to enable mobility in education? Submit them here!
Expand all | Collapse all

Syslog Export Interval

This thread has been viewed 3 times
  • 1.  Syslog Export Interval

    Posted Aug 06, 2018 06:12 PM

    I'm trying to get external logging set up for our ClearPass 6.7.3 servers.  I've created the export filters, but no matter what I set the Syslog Export Interval to it only exports about every 15 minutes.  I must be missing something.  Can somebody point me in the right direction?

  • 2.  RE: Syslog Export Interval

    Posted Aug 06, 2018 09:53 PM

    I am not sure if things changed in 6.7, but in prior ClearPass releases, syslog updated every 5 minutes. It is not real-time, but a batch process that runs periodically.

    At one time we were using syslog output to map username to ip address for bandwith management purposes and we determined that a 5 minute lag was permissible. We are no longer using syslog for that though.

  • 3.  RE: Syslog Export Interval

    Posted Aug 06, 2018 10:06 PM
    Thanks Bruce.

  • 4.  RE: Syslog Export Interval

    Posted Aug 07, 2018 09:06 AM

    The 5min batching is annoying, but I worked around this with Splunk. Since most of the logs have a "timestamp" or "CppmAlert.Timestamp" field, you can extract those, then coalesce them into one field that you can then use for Splunk searches. (Excuse any inefficiencies with the regular expressions!)

    search... | rex "CppmAlert.Timestamp=(?<CppmAlert_Timestamp>\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2})" | rex "timestamp=(?<timestamp>\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2})" | eval clearpass_time=coalesce(CppmAlert_Timestamp,timestamp) | table clearpass_time,_raw

  • 5.  RE: Syslog Export Interval

    Posted Aug 07, 2018 01:20 PM
    Thanks Ryan. That's a good idea, but not quite what I was hoping for.

    Unfortunately, the ability to search logs in CPPM is pretty crude, so something like Splunk is required to make them searchable. Our logs are being exported every 15 minutes, and if we're troubleshooting that will be too long to wait to see if a given change had the desired effect.

    I thought I'd try the community first, but I'm going to open a TAC case to see why the knob they provide, "syslog export interval", doesn't seem to do anything. If I learn anything useful I'll post it here.