Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Syslog Export Filter Update Frequency

  • 1.  ClearPass Syslog Export Filter Update Frequency

    Posted Apr 20, 2016 03:25 PM

    We're using Syslog Export Filters to keep track of user login attempts in order to build an Access Tracker-like tool that also interfaces with some of our other systems. The tool is up and running and works pretty well but unfortunately ClearPass seems to hold requests for about 2 minutes before sending them all in a large batch. 

     

    Is there any way to change how often it sends the requests? It would be beneficial if our tool could be updated more frequently.

     

    Thanks!



  • 2.  RE: ClearPass Syslog Export Filter Update Frequency
    Best Answer

    Posted Apr 20, 2016 04:31 PM

    This is a limitation of the batching today of the syslog export; it's not real-time. We have had a number of conversations to reduce the batch window but no immediate plans.



  • 3.  RE: ClearPass Syslog Export Filter Update Frequency

    Posted Apr 20, 2016 05:06 PM

    Hi Danny,

     

    Thank you for the quick response even though it's not the answer I was hoping to get. Is there any other way of retrieving login attempts from CPPM? And what is keeping Aruba from making the batching window configurable? 

     

    Thanks!



  • 4.  RE: ClearPass Syslog Export Filter Update Frequency

    EMPLOYEE
    Posted Apr 21, 2016 04:18 AM

    Authentication logging goes through the database, which facilitates centralized logging in cluster environments; however, it makes real-time syslog events somewhat challenging and requires fundamental changes in the way logging is implemented. The log viewer in the product is real-time.

     

    Please ask your partner, or, if you are a partner, go to the idea portal in the Partner Center to add your specific requirements to the idea with the name: "ClearPass sent all events to external syslog immediately".