Security

Hi,

 

I ran into something yesterday, and wanted to pick a few brains about it.  The sample SQL code for the syslog export filter in clearpass 6.3 has code along these lines:

 

select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp <= --END-TIME--))

 

While testing, I bumped into a duplicate record in my syslog data.  My guess is that the record was cut EXACTLY at --END-TIME-- of one of the intervals.  Assuming clearpass iterates through the logs by setting the next START-TIME to the previous END-TIME, the example select logic is flawed, in that it's using ">=" and "<=", meaning that a timestamp right on the edge would be picked up twice.

 

I'm considering modifying my code custom export filter as follows:

 

select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp < --END-TIME--))

 

(note removing the "=" on the end time test.)

 

Does this make sense, or am I barking up the wrong tree because Clearpass makes sure that END-TIME will never match the next START-TIME somehow, or that the START and END times will NEVER match a timestamp in the database?  If this does seem legit, then perhaps Clearpass should amend the sample SQL when you hit the link it offers.

 

Mike

Cornell University

Mike,

 

We did have some duplicate syslog message issues in 6.3. This was fixed in the 6.4 code.

 

Look in the release note for #23735, hopefully this is your problem.

The key with the SQL used to generate syslog is to ensure that you don't generate multiple rows as a result of not specifying the inner table joins properly. This can generate multiples, let alone duplicates. Regards Chris