Security

We operate several ClearPass systems used for TACACS+ authentication of routers and switches and for logging all accounting actions performed on those   routers and switches.

ClearPass is currently running on OS version 6.10.7

- The accounting logging is available, but it seems that these accounting logs are only kept for max. one week on ClearPass.
so if we would like to see logging of actions performed on routers and switches that were done more than a week ago, we don't have that information anymore.

question 1: is it true that accounting logging is only stored for max. 1 week on ClearPass?
question 2: is there a way that we change the settings so that this kind of logging is kept for a longer period on ClearPass? And if so, how can this be done?
question 3: is there a way to export accounting logging info from ClearPass to external system so that it can be stored there? And if so, how can this be done?

Please let me know,

kind regards,

Frank Scheper

Hi Frank

The default value of how long ClearPass store information is one week. You can change this in the Cluster-Wide Parameters under the Cleanup Intervals tab.

Maximum for Session log information is 15 days.

To be able to store the data for a longer time you can generate reports with the information in Insight or export it with Syslog to a separate server.
With Insight you can configure the reports to be sent to specified email addresses or copied to SCP server in addition to have the reports in Insight.
Configuration of Syslog is done under Administration\External Server\Syslog Targets where you first define your Syslog server(s).
Under Administration\External Server\Syslog Export Filters you define what to send to the Syslog server and in what format.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Dec 01, 2022 03:23 AM
From: Frank Scheper
Subject: ClearPass accounting logging: how long is this kept on system and how to export to external logging depository

We operate several ClearPass systems used for TACACS+ authentication of routers and switches and for logging all accounting actions performed on those   routers and switches.

ClearPass is currently running on OS version 6.10.7

- The accounting logging is available, but it seems that these accounting logs are only kept for max. one week on ClearPass.
so if we would like to see logging of actions performed on routers and switches that were done more than a week ago, we don't have that information anymore.

question 1: is it true that accounting logging is only stored for max. 1 week on ClearPass?
question 2: is there a way that we change the settings so that this kind of logging is kept for a longer period on ClearPass? And if so, how can this be done?
question 3: is there a way to export accounting logging info from ClearPass to external system so that it can be stored there? And if so, how can this be done?

Please let me know,

kind regards,

Frank Scheper

for question 1&2, you should be able to increase the value to 15  days that is the max value.


​​for Q3, you could use "syslog export filters"



------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Dec 01, 2022 03:23 AM
From: Frank Scheper
Subject: ClearPass accounting logging: how long is this kept on system and how to export to external logging depository

We operate several ClearPass systems used for TACACS+ authentication of routers and switches and for logging all accounting actions performed on those   routers and switches.

ClearPass is currently running on OS version 6.10.7

- The accounting logging is available, but it seems that these accounting logs are only kept for max. one week on ClearPass.
so if we would like to see logging of actions performed on routers and switches that were done more than a week ago, we don't have that information anymore.

question 1: is it true that accounting logging is only stored for max. 1 week on ClearPass?
question 2: is there a way that we change the settings so that this kind of logging is kept for a longer period on ClearPass? And if so, how can this be done?
question 3: is there a way to export accounting logging info from ClearPass to external system so that it can be stored there? And if so, how can this be done?

Please let me know,

kind regards,

Frank Scheper