ClearPass Splunk Syslog Export
This solution configures ClearPass to send Syslog output to an instance of Splunk. The solution will generate a ClearPass XML import file that does the following:
- Adds a Splunk Server as a Syslog Target.
- Adds the ClearPass Syslog Export Filters defined for the ClearPass Splunk App.
Tested with ClearPass Policy Manager 6.3.2 and Splunk 6.1.1.
ClearPass Policy Manager is an access management solution used extensively in small, midrange and large enterprises. When endpoints authenticate to the network through ClearPass, it can send the resulting Authentication, Authorization and Accounting events as RFC 5424 compliant Syslog messages to any Syslog receiver.
Splunk is a log management/SIEM solution that can receive Syslog messages from multiple sources. Splunk stores these messages, which can then be correlated, searched, analyzed and displayed through its graphical user interface.
Splunk also provides a platform for small applications (called apps), each customized for a specific product that sends Syslog to Splunk. An app visualizes the Syslog data Splunk has received without requiring the user to write complex searches.
These apps typically consist of a number of dashlets (charts, tables and graphs), accessible through a menu structure within the app, each based on pre-defined searches over the Syslog data Splunk has received.
One such app that has been developed by Aruba for visualizing a Syslog feed from ClearPass Policy Manager is the ClearPass Splunk App.
To integrate ClearPass with Splunk, you have to perform two major tasks, namely:
- Configure ClearPass to send Syslogs to Splunk. This solution will generate the necessary ClearPass configuration.
- Install the ClearPass Splunk App on Splunk, which configures Splunk to receive the Syslog data feed from ClearPass.
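The Syslog side of the integration can be checked on its own before the app exists. The receiver below is an added example, not code from the original solution or from the ClearPass Splunk App: it listens on a TCP port, parses each line as an RFC 5424 message (the format ClearPass is described above as sending) and reports malformed lines, so a ClearPass Syslog Target can be pointed at it first. It assumes newline framing over TCP, which is also what a Splunk raw TCP input splits on; the port 5514, the sample messages and their field names are assumptions made up for illustration, not ClearPass's actual export filter output.

```python
"""Minimal RFC 5424 receiver for checking what a ClearPass Syslog Target sends.

Added example; not part of the original solution or the ClearPass Splunk App.
Assumes RFC 5424 over TCP with newline (non-transparent) framing, the same
framing a Splunk raw TCP input splits on. The samples at the bottom are
constructed; their field names are not ClearPass's.
"""
import re
import socketserver

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
# Inside PARAM-VALUE the characters '"', '\' and ']' must be backslash-escaped.
SD_ELEMENT_RE = re.compile(
    r'\[(?P<sdid>[^\s=\]"]+)(?P<params>(?: [^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]'
)
SD_PARAM_RE = re.compile(r' (?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def parse_rfc5424(line):
    """Parse one RFC 5424 message into a dict; raise ValueError if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:60])
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal value: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range: %d" % pri)
    rest = line[m.end():]
    sd = {}
    if rest.startswith("-"):  # NILVALUE: no structured data
        rest = rest[1:]
    elif rest.startswith("["):
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            e = SD_ELEMENT_RE.match(rest, pos)
            if not e:
                raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
            sd[e.group("sdid")] = {
                p.group("name"): re.sub(r'\\([\\"\]])', r"\1", p.group("value"))
                for p in SD_PARAM_RE.finditer(e.group("params"))
            }
            pos = e.end()
        rest = rest[pos:]
    else:
        raise ValueError("expected STRUCTURED-DATA or '-'")
    if rest and not rest.startswith(" "):
        raise ValueError("unexpected text after STRUCTURED-DATA")
    msg = rest[1:]  # MSG is optional and separated from the header by one space
    if msg.startswith("\ufeff"):  # a BOM marks the MSG as UTF-8; drop it
        msg = msg[1:]
    return {
        "facility": pri >> 3, "severity": SEVERITIES[pri & 7],
        "version": int(m.group("version")), "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"), "appname": m.group("appname"),
        "procid": m.group("procid"), "msgid": m.group("msgid"),
        "sd": sd, "msg": msg,
    }


class SyslogTCPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:  # one message per line (non-transparent framing)
            line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
            if not line:
                continue
            try:
                m = parse_rfc5424(line)
            except ValueError as exc:
                print("REJECT from %s: %s" % (self.client_address[0], exc))
                continue
            print("%(timestamp)s %(severity)s host=%(hostname)s app=%(appname)s "
                  "msgid=%(msgid)s sd=%(sd)s msg=%(msg)r" % m)


def serve(bind="0.0.0.0", port=5514):  # port is an assumption; use the Syslog Target's
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), SyslogTCPHandler) as srv:
        srv.serve_forever()


# Constructed samples (not real ClearPass output).
SAMPLE_AUTH = ('<142>1 2014-06-10T09:15:23.512Z clearpass01 cppm - Session '
               '[auth@1 user="jdoe" nas="10.1.1.5" result="ACCEPT"] Access granted')
SAMPLE_ESCAPED = ('<134>1 2014-06-10T09:15:24Z clearpass01 cppm 1234 - '
                  '[x@1 note="a \\"q\\" \\] b"]')

if __name__ == "__main__":
    serve()
```

Run it with python3 on the Splunk host, set the ClearPass Syslog Target to that host and port, and trigger an authentication. A line printed as REJECT means the target is emitting something other than RFC 5424 (for example legacy BSD-style syslog without a version field), which is worth correcting before the feed reaches Splunk.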
Installing the ClearPass Splunk App on Splunk
Note: The steps described in this section were tested on Splunk 6.1.1. Installing the ClearPass Splunk App consists of:
- Uploading the ClearPass Splunk App package from your computer into Splunk. Download the latest ClearPass Splunk App package from https://arubapedia.arubanetworks.com/arubapedia/index.php/ClearPass_Splunk_Application.
- Restarting your Splunk server
Uploading the ClearPass Splunk App package
- Navigate to Apps >> Manage Apps. Click on the Install app from file button.
- From the Upload app page, click on Choose File. Locate the file ClearPassOnSplunk_1.2.tar.gz (assuming the version of the ClearPass Splunk app is 1.2), on your computer and select it. Click the Upload button.
- Note: If you are upgrading your ClearPass Splunk app to a later version, select the checkbox labeled Upgrade app.
- Note: If the version of app is different from 1.2, locate and select the appropriate file.
- Restart Splunk to complete the install. Click on the Restart Splunk button.
- After restarting and logging in to Splunk again, the ClearPass Splunk App appears on the Splunk Home page. Verify that the Splunk data inputs have been imported from Settings >> Data >> Data inputs >> TCP. These raw TCP inputs accept connections from any host, so restrict each of them to the ClearPass server's address (the acceptFrom setting on the input's stanza in inputs.conf) and allow only that address through the host firewall.
No special licenses are required.
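The install and the data-input check above can also be scripted against Splunk's REST management port. The following is an added example, not part of the original solution or of the ClearPass Splunk App; it uses Splunk's documented endpoints (/services/apps/local with filename=true and update=true, /services/server/control/restart, /services/data/inputs/tcp/raw). The hostname, credentials, CA file path, package path, and the port numbers and sourcetype in the sample response are placeholders and assumptions, not values from the app.

```python
"""Scripted equivalent of the Apps >> Manage Apps install and the data-input check.

Added example; not part of the original solution or the ClearPass Splunk App.
Uses only the standard library against Splunk's management port (8089) and
assumes: the app package has already been copied onto the Splunk server (the
REST install takes a server-side path), an admin account, and the CA
certificate for the management port (Splunk ships a self-signed one; pass it
as cafile instead of disabling TLS verification).
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

APP_INSTALL_PATH = "/services/apps/local"
RESTART_PATH = "/services/server/control/restart"
TCP_INPUTS_PATH = "/services/data/inputs/tcp/raw"


def install_app_form(package_path, upgrade=False):
    """Form body for POST /services/apps/local: with filename=true, 'name' is
    the package path on the Splunk server; update=true is the REST equivalent
    of ticking the 'Upgrade app' checkbox."""
    fields = {"name": package_path, "filename": "true"}
    if upgrade:
        fields["update"] = "true"
    return urllib.parse.urlencode(fields)


def parse_tcp_inputs(body):
    """Reduce a GET .../inputs/tcp/raw?output_mode=json response to
    {port: (sourcetype, index, disabled)}; each entry's name is its port."""
    inputs = {}
    for entry in json.loads(body).get("entry", []):
        content = entry.get("content", {})
        inputs[entry["name"]] = (
            content.get("sourcetype"),
            content.get("index"),
            bool(content.get("disabled", False)),
        )
    return inputs


def inputs_ready(inputs, ports):
    """True only if every port the app is expected to create exists and is enabled."""
    return all(p in inputs and not inputs[p][2] for p in ports)


class SplunkMgmt:
    def __init__(self, base_url, user, password, cafile):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.headers = {"Authorization": "Basic " + token}
        self.ctx = ssl.create_default_context(cafile=cafile)  # verifies the mgmt cert

    def _call(self, method, path, body=None):
        req = urllib.request.Request(self.base_url + path, method=method,
                                     headers=self.headers,
                                     data=body.encode() if body is not None else None)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return resp.read().decode()

    def install_app(self, package_path, upgrade=False):
        return self._call("POST", APP_INSTALL_PATH, install_app_form(package_path, upgrade))

    def restart(self):
        return self._call("POST", RESTART_PATH, "")

    def tcp_inputs(self):
        return parse_tcp_inputs(self._call("GET", TCP_INPUTS_PATH + "?output_mode=json"))


# Constructed sample response (shape of output_mode=json); the ports and
# sourcetype are illustrative placeholders, not the app's actual settings.
SAMPLE_TCP_INPUTS = json.dumps({"entry": [
    {"name": "5514", "content": {"sourcetype": "clearpass", "index": "main", "disabled": False}},
    {"name": "5515", "content": {"sourcetype": "clearpass", "index": "main", "disabled": True}},
]})

if __name__ == "__main__":  # host, credentials and paths are placeholders
    splunk = SplunkMgmt("https://splunk.example.net:8089", "admin", "change-me",
                        cafile="/etc/ssl/splunk-mgmt-ca.pem")
    splunk.install_app("/tmp/ClearPassOnSplunk_1.2.tar.gz", upgrade=False)
    splunk.restart()
    # once Splunk is back up, confirm the inputs the app declares were created:
    # print(inputs_ready(splunk.tcp_inputs(), ["5514"]))
```

The restart call returns before Splunk is back, so the input check has to run in a second invocation (or after polling the management port); the ports passed to inputs_ready should be the ones the installed app's inputs actually declare, which are visible under Settings >> Data inputs >> TCP after the restart.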