Adding a Syslog Export Filter

Syslog export filters select which data the ClearPass Log server forwards to a syslog server. First add a syslog export filter as described below; you can then apply separate filters to different kinds of logs.

To add a syslog export filter:

1. Navigate to Administration > External Servers > Syslog Export Filters.
2. From the Syslog Export Filters page, click Add.

The Add Syslog Filters page opens to the General tab.

Figure 1  Add Syslog Export Filters Page > General Tab [screenshot not reproduced]

The Filter and Columns tab shown in the figure above is only visible if you select Insight Logs or Session Logs as the export template. For more information, see Filter and Columns Tab.

The following table describes the Add Syslog Export Filters > General tab parameters:

Table 1: Add Syslog Export Filters > General Tab Parameters

Name
    Enter the name of the syslog export filter.

Description
    Enter a description that provides additional information about the syslog export filter (recommended).

Export Template
    Select one of the following templates:
        Audit Records
        Insight Logs
        Session Logs
        System Events
    NOTE: If you select Insight Logs or Session Logs, the Filter and Columns tab is enabled. For more information, see Filter and Columns Tab.

Export Event Format Type
    Select one of the following export event formats:
        Standard: Sends events in ClearPass's raw syslog format, a header followed by comma-separated key=value pairs. This is the default event format type.
        LEEF: Sends events in Log Event Extended Format (LEEF).
        CEF: Sends events in Common Event Format (CEF).
    For CEF output, the field mappings defined under Syslog Targets map as many fields as possible for each template to standard CEF keys; each template has its own mappings for the remaining fields to the CEF custom fields (deviceCustomString, deviceCustomDate, and deviceCustomNumber).
    For sample messages in each format, see Export Event Format Types—Examples.

Syslog Servers
    Syslog servers are the receivers of the syslog messages sent by the servers in the ClearPass cluster.
    To add a syslog server that is already defined as a syslog target, select it from the Select to Add drop-down list.
    To define a new syslog target, click the Add New Syslog Target link (for more information, see Adding a Syslog Target).
    To view details about a syslog server, select it, then click View Details.
    To change details about a syslog server, select it, then click Modify. For more information, see Adding a Syslog Target.
    To stop a syslog server from receiving messages for this filter, select it, then click Remove.

ClearPass Servers
    Designate which servers in the ClearPass cluster send the syslog messages for this filter: specific servers, or all of them.
    To add a ClearPass server, select it from the Select to Add drop-down list.
    To remove a ClearPass server, select it, then click Remove.
    NOTE: When no servers are listed, syslog messages are sent from all servers in the cluster.

Export Event Format Types—Examples

This section provides several examples of Standard, LEEF, and CEF event format types for the syslog export filter templates.

Standard Event Format Type > Audit Records

The following example describes the Standard event format type for the Audit Records syslog export filter template:

Mar 20 21:18:56 10.17.5.228 2017-01-19 21:19:50,118 10.17.5.228 Audit Logs 96 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=clusteradmin,Category=Endpoint,Action=ADD,EntityName=34a39527afc0,src=10.17.5.228,Timestamp=Jan 19, 2017 21:18:54 IST

Mar 20 21:20:56 10.17.5.228 2017-01-19 21:21:50,111 10.17.5.228 Audit Logs 97 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Cluster-wide Parameter,Action=MODIFY,EntityName=Endpoint Context Servers polling interval,src=10.17.5.228,Timestamp=Jan 19, 2017 21:20:22 IST

Mar 21 09:28:59 10.17.5.228 2017-01-20 09:29:54,3 10.17.5.228 Audit Logs 99 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Network Device,Action=REMOVE,EntityName=1.1.1.1,src=10.17.5.228,Timestamp=Jan 20, 2017 09:29:13 IST

Standard Event Format Type > System Events

The following example describes the Standard event format type for the System Events syslog export filter template:

Mar 21 16:46:29 10.17.5.228 2017-01-20 16:47:23,880 10.17.5.228 System Events 0 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=User: arubasupport\nClient IP Address: 10.20.23.178,Category=Logged in,Action=None,Level=INFO,src=10.17.5.228,Component=Support Shell,Timestamp=Jan 20, 2015 16:45:59 IST

Mar 21 16:49:10 10.17.5.228 2017-01-20 16:50:05,210 10.17.5.228 System Events 1 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description='Failed to start ClearPass Virtual IP service',Category=start,Action=Failed,Level=WARN,src=10.17.5.228,Component=ClearPass Virtual IP service,Timestamp=Jan 20, 2017 16:48:53 IST

2015-01-20 16:50:05,210 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.syslog.Syslogger - 2017-01-20 16:50:05,210 10.17.5.228 System Events 2 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=Performed action stop on cpass-domain-server_CPATS,Category=stop,Action=Success,Level=INFO,src=10.17.5.228,Component=cpass-domain-server_CPATS,Timestamp=Jan 20, 2017 16:48:57 IST

2015-01-20 16:50:05,211 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.syslog.Syslogger - 2017-01-20 16:50:05,211 10.17.5.228 System Events 3 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=Performed action start on cpass-domain-server_CPATS,Category=start,Action=Success,Level=INFO,src=10.17.5.228,Component=cpass-domain-server_CPATS,Timestamp=Jan 20, 2017 16:49:00 IST

Standard Event Format Type > Session Logs

The following example describes the Standard event format type for the Session Logs syslog export filter template (RADIUS and TACACS+ sessions):

Mar 21 16:31:49 10.17.5.211 2015-01-20 16:32:41,552 10.17.5.211 Radius Session Logs 4 1 0 Common.NAS-IP-Address=10.17.4.7,RADIUS.Acct-Delay-Time=null,RADIUS.Acct-Framed-IP-Address=null,RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com,RADIUS.Acct-Timestamp=null,RADIUS.Acct-Authentic=null,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Host-MAC-Address=58a2b5d05ac9,RADIUS.Acct-Termination-Cause=null,RADIUS.Acct-Service-Name=null,RADIUS.Acct-Session-Time=null,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,RADIUS.Acct-NAS-Port=null,Common.Username=test1,RADIUS.Acct-Session-Id=null,RADIUS.Acct-Called-Station-Id=null,RADIUS.Acct-NAS-Port-Type=null,src=10.17.5.211,RADIUS.Acct-NAS-IP-Address=null,Common.Service=Test Post Authentication Rules,RADIUS.Acct-Input-Pkts=null,RADIUS.Acct-Status-Type=null,RADIUS.Acct-Calling-Station-Id=null,Common.Request-Timestamp=2015-01-20 16:31:46+05:30,RADIUS.Acct-Output-Pkts=null,RADIUS.Acct-Output-Octets=null,RADIUS.Acct-Username=null,RADIUS.Acct-Input-Octets=null

Mar 21 16:31:49 10.17.5.211 2015-01-20 16:32:41,550 10.17.5.211 Radius Session Logs 3 2 0 Common.NAS-IP-Address=10.17.4.7,RADIUS.Acct-Delay-Time=0,RADIUS.Acct-Framed-IP-Address=10.17.4.148,RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com,RADIUS.Acct-Timestamp=2015-01-20 16:31:50+05:30,RADIUS.Acct-Authentic=RADIUS,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Host-MAC-Address=e0f8471a5450,RADIUS.Acct-Termination-Cause=null,RADIUS.Acct-Service-Name=null,RADIUS.Acct-Session-Time=null,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,RADIUS.Acct-NAS-Port=0,Common.Username=test1,RADIUS.Acct-Session-Id=test1E0F8471A5450-54BE336C,RADIUS.Acct-Called-Station-Id=000B8661CD70,RADIUS.Acct-NAS-Port-Type=Wireless-802.11,src=10.17.5.211,RADIUS.Acct-NAS-IP-Address=10.17.4.7,Common.Service=Test Post Authentication Rules,RADIUS.Acct-Input-Pkts=null,RADIUS.Acct-Status-Type=Start,RADIUS.Acct-Calling-Station-Id=E0F8471A5450,Common.Request-Timestamp=2015-01-20 16:31:45+05:30,RADIUS.Acct-Output-Pkts=null

Mar 21 16:35:58 10.17.5.228 2015-01-20 16:36:52,346 10.17.5.228 Tacacs authetnications 2 1 0 TACACS.Request-Type=TACACS_AUTHORIZATION,TACACS.Enforcement-Profiles=[TACACS Super Admin],TACACS.Acct-Flags=null,TACACS.Authen-Service=AUTHEN_SVC_NONE,TACACS.Acct-Session-Id=null,TACACS.Remote-Address=10.20.23.178,Common.Request-Timestamp=2015-01-20 16:34:54.647+05:30,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,TACACS.Authen-Action=,TACACS.Authen-Method=AUTHEN_METH_TACACSPLUS,Common.Username=a,TACACS.Authen-Type=AUTHEN_TYPE_PAP,TACACS.Auth-Source=[Local User Repository],src=10.17.5.228,TACACS.Privilege-Level=1,Common.Service=[Policy Manager Admin Network Login Service]

Mar 21 16:35:58 10.17.5.228 2017-01-20 16:36:52,346 10.17.5.228 Tacacs authetnications 3 1 0 TACACS.Request-Type=TACACS_AUTHENTICATION,TACACS.Enforcement-Profiles=[TACACS Super Admin],TACACS.Acct-Flags=null,TACACS.Authen-Service=AUTHEN_SVC_NONE,TACACS.Acct-Session-Id=null,TACACS.Remote-Address=10.20.23.178,Common.Request-Timestamp=2017-01-20 16:34:54.647+05:30,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,TACACS.Authen-Action=AUTHEN_ACTION_LOGIN,TACACS.Authen-Method=AUTHEN_METH_TACACSPLUS,Common.Username=a,TACACS.Authen-Type=AUTHEN_TYPE_PAP,TACACS.Auth-Source=[Local User Repository],src=10.17.5.228,TACACS.Privilege-Level=1,Common.Service=[Policy Manager Admin Network Login Service]

LEEF Event Format Type > Insight Logs

The following example describes the LEEF event format type for the Insight Logs syslog export filter template:

Dec 03 2017 16:50:44.085 IST 10.17.4.208 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:48:41+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS z Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600

CEF Event Format Type > Insight Logs

The following example describes the CEF event format type for the Insight Logs syslog export filter template:

Dec 03 2017 16:31:28.861 IST 10.17.4.208 CEF:0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Insight Logs|0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:28:20+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600

CEF Event Format Type > Audit Records

The following example describes the CEF event format type for the Audit Records syslog export filter template:

Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba Networks|ClearPass|6.5.0.68754|13-1-0|Audit Records|5|cat=Role timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz rt=Nov 19, 2014 18:21:13 IST src=Test Role 10 act=ADD usrName=admin

LEEF Event Format Type > Audit Records

The following example describes the LEEF event format type for the Audit Records syslog export filter template:

Nov 19 2017 14:31:10.422 IST 10.17.4.221 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.68754|0-1-0|cat=Syslog Export Data devTime=Nov 19, 2014 14:30:35 IST action=ADD src=Audit Events - LEEF usrName=admin devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z

LEEF Event Format Type > System Events

The following example describes the LEEF event format type for the System Events syslog export filter template:

Dec 02 2017 20:38:40.901 IST 10.17.4.206 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.68878|295-1-0|cat=start devTime=Dec 02, 2014 20:38:12 IST level=WARN description='Failed to start ClearPass Virtual IP service' action=Failed src=ClearPass Virtual IP service devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z

CEF Event Format Type > Session Logs

The following example describes the CEF event format type for the Session Logs syslog export filter template:

Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0|Aruba Networks|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IP-Address=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=3155 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R00001316-01-547c3b5a RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=578470212 RADIUS.Acct-Username=A_user2 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=786315664

LEEF Event Format Type > Session Logs

The following example describes the LEEF event format type for the Session Logs syslog export filter template:

Dec 02 2017 15:35:14.944 IST 10.17.4.206 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.68878|1309854-1-0|RADIUS.Acct-Calling-Station-Id=00:88:57:2d:12:a4 RADIUS.Acct-Framed-IP-Address=192.167.203.170 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2017-12-02 15:32:47+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=565 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS z RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R000a5038-01-547d8e47 RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=412895267 RADIUS.Acct-Username=A_user706 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=665942581
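Parsing the three formats shown above, as an added example that is not part of the original page or of ClearPass itself: the code below normalises a Standard, LEEF 1.0 or CEF line into one dict and applies a few triage rules to the fields the samples expose. The sample lines are copied from this page (trimmed to the fields used); the CEF_CUSTOM line is constructed to show how a CEF custom field (cs1 with its cs1Label) is folded back into a named field. It assumes that the numeric triple in the Standard header ("99 1 0") is the same event id as the "13-1-0" signature id in the CEF and LEEF headers, and that ClearPass emits values containing unescaped spaces and commas exactly as the samples show, so the splitters anchor on the next Key= token rather than on the bare delimiter. The triage rule treating a non-zero, non-null Auth.Error-Code as a rejected request is an assumption, not something this page states.

```python
"""Parse ClearPass syslog exports (Standard, LEEF 1.0, CEF) into one dict and triage them.
Added example for this page, not ClearPass code; sample lines are copied from the page (trimmed),
CEF_CUSTOM is constructed. Assumed: the "99 1 0" / "13-1-0" triples are one event id, and values
carry unescaped spaces and commas, so the splitters anchor on the next "Key=" token."""
import re
from typing import Any, Dict, List

_KEY = r"[A-Za-z][\w.\-]*="
_STD_SPLIT = re.compile(r",(?=" + _KEY + ")")   # a comma that starts the next pair
_EXT_SPLIT = re.compile(r"\s(?=" + _KEY + ")")  # whitespace that starts the next pair
_STD_HEADER = re.compile(  # receiver time, relay, event time, host, template, id triple, pairs
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+ (?P<host>\S+) "
    r"(?P<template>.+?) (?P<a>\d+) (?P<b>\d+) (?P<c>\d+) (?P<body>.*)$", re.S)

def _pairs(text: str, splitter) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for chunk in splitter.split(text.strip()):
        key, sep, value = chunk.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out

def _cef_unescape(s: str) -> str:
    return re.sub(r"\\([|=\\])", r"\1", s)  # CEF escapes '|', '=' and '\' with a backslash

def parse_standard(line: str) -> Dict[str, Any]:
    m = _STD_HEADER.match(line)
    if not m:
        raise ValueError("not a Standard-format ClearPass line")
    return {"format": "standard", "host": m["host"], "name": m["template"], "severity": None,
            "event_id": f"{m['a']}-{m['b']}-{m['c']}", "fields": _pairs(m["body"], _STD_SPLIT)}

def parse_cef(line: str) -> Dict[str, Any]:
    start = line.find("CEF:0|")
    if start < 0:
        raise ValueError("no CEF:0 header")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)  # 7 header fields, then extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _, vendor, product, version, sig_id, name, severity, ext = parts
    fields = {k: _cef_unescape(v) for k, v in _pairs(ext, _EXT_SPLIT).items()}
    # cs1..cs6 / cn1..cn3 / deviceCustomDate1..2 take their meaning from a matching *Label
    # key; fold each pair back into a field named by its label.
    for key in [k for k in fields if k + "Label" in fields]:
        fields[fields.pop(key + "Label")] = fields.pop(key)
    prefix = line[:start].split()
    return {"format": "cef", "host": prefix[-1] if prefix else None, "version": version,
            "vendor": _cef_unescape(vendor), "product": _cef_unescape(product),
            "event_id": sig_id, "name": _cef_unescape(name), "severity": int(severity),
            "fields": fields}

def parse_leef(line: str) -> Dict[str, Any]:
    start = line.find("LEEF:1.0|")
    if start < 0:
        raise ValueError("no LEEF:1.0 header (LEEF 2.0 adds a delimiter field; not handled)")
    _, vendor, product, version, event_id, attrs = line[start:].split("|", 5)
    # LEEF 1.0 attributes are tab-delimited on the wire; this page's samples show spaces.
    splitter = re.compile(r"\t") if "\t" in attrs else _EXT_SPLIT
    prefix = line[:start].split()
    return {"format": "leef", "host": prefix[-1] if prefix else None, "vendor": vendor,
            "product": product, "version": version, "event_id": event_id, "name": None,
            "severity": None, "fields": _pairs(attrs, splitter)}

def parse_line(line: str) -> Dict[str, Any]:
    if "CEF:0|" in line:
        return parse_cef(line)
    return parse_leef(line) if "LEEF:1.0|" in line else parse_standard(line)

def triage(ev: Dict[str, Any]) -> List[str]:
    """Flags worth alerting on, using only fields this page's samples expose."""
    f, flags = ev["fields"], []
    if f.get("Auth.Error-Code", "0") not in ("0", "null"):  # assumed: non-zero = rejected request
        flags.append("auth-failure")
    action = f.get("Action") or f.get("act") or f.get("action")
    if action == "REMOVE":  # Audit Records: an admin deleted configuration
        flags.append("config-removed")
    if action == "Failed" or "WARN" in (f.get("Level"), f.get("level")):
        flags.append("service-failure")  # System Events: a service did not start
    return flags

# Sample lines copied from this page (trimmed to the fields used here).
STD_AUDIT = ("Mar 21 09:28:59 10.17.5.228 2017-01-20 09:29:54,3 10.17.5.228 Audit Logs 99 1 0 "
             "TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Network Device,"
             "Action=REMOVE,EntityName=1.1.1.1,src=10.17.5.228,Timestamp=Jan 20, 2017 09:29:13 IST")
CEF_INSIGHT = ("Dec 03 2017 16:31:28.861 IST 10.17.4.208 CEF:0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|"
               "Insight Logs|0|Auth.Username=host/Asif-Test-PC2 Auth.Login-Status=216 Auth.Protocol=RADIUS "
               "Auth.Enforcement-Profiles=[Allow Access Profile] Auth.Service=Test Wireless Auth.Error-Code=216")
LEEF_SYSTEM = ("Dec 02 2017 20:38:40.901 IST 10.17.4.206 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.68878|295-1-0|"
               "cat=start devTime=Dec 02, 2014 20:38:12 IST level=WARN description='Failed to start ClearPass "
               "Virtual IP service' action=Failed src=ClearPass Virtual IP service devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z")
# Constructed, not from the page: a CEF custom field with its label and an escaped pipe in the name.
CEF_CUSTOM = ("Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba Networks|ClearPass|6.5.0.68754|13-1-0|"
              "Audit\\|Records|5|cs1=Role cs1Label=Category act=ADD usrName=admin")

if __name__ == "__main__":
    for sample in (STD_AUDIT, CEF_INSIGHT, LEEF_SYSTEM, CEF_CUSTOM):
        ev = parse_line(sample)
        print(f"{ev['format']:8} {ev['event_id']:>8} {str(ev['name']):14} {triage(ev)}")
```

Run it directly to print each sample's format, event id, template name and triage flags. The key-anchored splitting is what makes the page's samples parse cleanly: a naive split on "," would break "Timestamp=Jan 20, 2017 09:29:13 IST" and "Auth-Method=EAP-PEAP,EAP-MSCHAPv2", and a naive split on whitespace would break "Auth.Service=Test Wireless". Tab-delimited LEEF attributes (what LEEF 1.0 specifies on the wire) and escaped pipes in CEF headers are handled; a LEEF 2.0 header, which adds a delimiter field, is rejected rather than mis-parsed.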