
ClearPass Ingress Event Engine Testing

  • 1.  ClearPass Ingress Event Engine Testing

    Posted Dec 23, 2017 05:37 PM

    Ciao,

    I'm trying to create a new simple Ingress Events Dictionary without success. I attached my example. I'd like to map the IP and userID coming from syslog, but the event generated is blank.

    Thanks

    Attachment: PAN-USERID.txt (2 KB)


  • 2.  RE: ClearPass Ingress Event Engine Testing

    EMPLOYEE
    Posted Dec 23, 2017 06:41 PM
    Did you build a dictionary and map it to the event source?


  • 3.  RE: ClearPass Ingress Event Engine Testing

    Posted Dec 24, 2017 08:57 AM

    Yes I did.

    I started with a configuration that worked (PAN FW sends a threat log and CPPM uses CoA to change authorization). What I did was:

    - Modified the dictionary in order to match a new syslog event;

    - Associated the new dictionary just created in Configuration--Network-Event Sources;

    - Generated a new syslog event and tested.

     

    For troubleshooting, I checked the format of the syslog event in the .pcap and igesyslog.log. It seems OK.

    I checked my matching rule in the dictionary with http://grokconstructor.appspot.com/do/match. It seems OK.

    What I've not been able to do is troubleshoot the parsing of the syslog.