Log parsing errors noticed while receiving NAC logs via syslog from ClearPass

Problem:

Log Parsing errors noticed while receiving NAC logs via syslog from ClearPass


Below are a few sample log lines received from ClearPass that fail to parse:


·  2018-06-20 10:57:22,808 ERROR LogParser: InvalidTimestampException: com.niara.logger.exceptions.InvalidTimestampException: Invalid Timestamp value: 0, log_type: log_clearpass_nac, for log line: {"src_ip": "1.1.1.1", "event_type": "logout", "device_posture": "UNKNOWN", "event_id": "2", "timestamp": "%{Authorization:[Time Source]:Now}", "user_type": "normal", "device_category": "%{Authorization:[Endpoints Repository]:Category}", "device_name": "%{Authorization:[Endpoints Repository]:Device Name}", "device_family": "%{Authorization:[Endpoints Repository]:OS Family}", "source": "2.2.2.2", "role": "[Other], [User Authenticated]", "host_name": "%{Authorization:[Endpoints Repository]:Hostname}", "ssid": "ARUBA", "entity_posture": "%{Endpoint:IntrospectPosture}", "user_name": "cpp", "src_mac": "001122334455", "location": "CPPM-LAB"}


·  2018-06-20 10:57:22,675 ERROR LogParser: InvalidTimestampException: com.niara.logger.exceptions.InvalidTimestampException: Invalid Timestamp value: 0, log_type: log_clearpass_nac, for log line: {"src_ip": "3.3.3.3", "event_type": "login", "device_posture": "UNKNOWN", "event_id": "1", "timestamp": "%{Authorization:[Time Source]:Now}", "user_type": "normal", "device_category": "%{Authorization:[Endpoints Repository]:Category}", "device_name": "%{Authorization:[Endpoints Repository]:Device Name}", "device_family": "%{Authorization:[Endpoints Repository]:OS Family}", "source": "2.2.2.2", "role": "[Other], [User Authenticated]", "host_name": "%{Authorization:[Endpoints Repository]:Hostname}", "ssid": "ARUBA", "entity_posture": "%{Endpoint:IntrospectPosture}", "user_name": "cppm1", "src_mac": "112233445566", "location": "CPPM-LAB"}



Diagnostics:

Looking at the log lines above, the attribute values for Time Source and Endpoints Repository are not being sent by ClearPass; the unresolved variable placeholders are forwarded verbatim instead. To name a few, the values for the following variables are missing:

%{Authorization:[Time Source]:Now}

%{Authorization:[Endpoints Repository]:Category}

%{Authorization:[Endpoints Repository]:Device Name}

%{Authorization:[Endpoints Repository]:OS Family}

%{Authorization:[Endpoints Repository]:Hostname}


In order to ensure logs are parsed successfully on IntroSpect Analyzer, we need to ensure the values for the above attributes are sent from ClearPass.
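As an added triage example (not part of the original article or of any Aruba tooling), the script below reads IntroSpect Analyzer error lines of the kind shown above, pulls out the embedded ClearPass NAC event, and counts which `%{...}` attribute macros are still unresolved, so the operator knows exactly which attributes must still be marked as "Role". The sample error lines are constructed, shortened copies of the two lines quoted above.

```python
import json
import re
from collections import Counter

# An unresolved ClearPass attribute macro, e.g. %{Authorization:[Time Source]:Now},
# forwarded verbatim because ClearPass did not substitute the attribute's value.
UNRESOLVED_MACRO = re.compile(r"%\{[^}]*\}")

# Layout of the analyzer error line: "... for log line: {json event}"
LOG_LINE_MARKER = "for log line: "

# Constructed sample analyzer error lines (shortened copies of the ones quoted above).
SAMPLE_ERRORS = [
    '2018-06-20 10:57:22,808 ERROR LogParser: InvalidTimestampException: Invalid Timestamp value: 0, log_type: log_clearpass_nac, for log line: {"src_ip": "1.1.1.1", "event_type": "logout", "timestamp": "%{Authorization:[Time Source]:Now}", "device_category": "%{Authorization:[Endpoints Repository]:Category}", "host_name": "%{Authorization:[Endpoints Repository]:Hostname}", "user_name": "cpp"}',
    '2018-06-20 10:57:22,675 ERROR LogParser: InvalidTimestampException: Invalid Timestamp value: 0, log_type: log_clearpass_nac, for log line: {"src_ip": "3.3.3.3", "event_type": "login", "timestamp": "%{Authorization:[Time Source]:Now}", "device_category": "%{Authorization:[Endpoints Repository]:Category}", "host_name": "%{Authorization:[Endpoints Repository]:Hostname}", "user_name": "cppm1"}',
]


def extract_payload(error_line: str) -> dict:
    """Pull the embedded JSON NAC event out of one analyzer error line."""
    _, _, raw = error_line.partition(LOG_LINE_MARKER)
    if not raw:
        raise ValueError("no embedded log line found in analyzer error")
    return json.loads(raw)


def unresolved_fields(event: dict) -> dict:
    """Map each event field whose value is still a raw macro to that macro."""
    return {key: value for key, value in event.items()
            if isinstance(value, str) and UNRESOLVED_MACRO.fullmatch(value)}


def summarize(error_lines) -> Counter:
    """Count how often each unresolved macro appears across the error lines.

    Every macro listed here corresponds to an attribute that still has to be
    enabled as "Role" in its authentication source on ClearPass.
    """
    counts = Counter()
    for line in error_lines:
        counts.update(unresolved_fields(extract_payload(line)).values())
    return counts


if __name__ == "__main__":
    for macro, hits in summarize(SAMPLE_ERRORS).most_common():
        print(f"{hits:4d}  {macro}")
```

Feed it the analyzer's real ERROR lines (one per line) and the macros it reports are the attributes to fix; an empty summary means ClearPass is now resolving every attribute.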



Solution

The fix is to ensure that the above attributes are marked as "Role" in their respective authentication sources. Once an attribute is marked as "Role", ClearPass forwards the user-specific value of that attribute instead of the unresolved placeholder.

For example, for the attribute specific to Time Source:

In ClearPass, navigate to Configuration->Authentication->Sources.

From the list of authentication sources, select "[Time Source]", open the "Attributes" tab, click the attribute named "Now", enable it as "Role", and save the configuration.

By default, the attribute is not enabled as "Role".
Likewise, we need to do the same for the attributes specific to Endpoints Repository.

After making the above changes, the values for these attributes are sent by ClearPass, and IntroSpect processes these NAC logs successfully.

Version history: revision 1 of 1, last updated 08-04-2020 08:43 PM.