Syslog export filters select which data the ClearPass log server sends to a syslog server. First add a syslog export filter as described below; you can then apply separate filters to different kinds of logs.
To add a syslog export filter:
1. Navigate to > > .
2. From the Syslog Export Filters page, click Add.
The Add Syslog Export Filters page opens to the General tab.
Figure 1 Add Syslog Export Filters Page > General Tab
The Filter and Columns tab is only visible if you select an export template that uses it. For more information, see Filter and Columns Tab.
The following table describes the Add Syslog Export Filters > General tab parameters:
Name: Enter the name of the syslog export filter.
Description: Enter a description that provides additional information about the syslog export filter (recommended).
Export Template: Select one of the export templates. The examples later on this page cover the Session Logs, Audit Records, Insight Logs, and System Events templates. Selecting some templates also enables the Filter and Columns tab; for more information, see Filter and Columns Tab.
Export Event Format Type: Select one of the following export event formats:
  Standard: sends the events in raw syslog format. This is the default event format type.
  LEEF: sends the events in Log Enhanced Event Format (LEEF).
  CEF: sends the events in Common Event Format (CEF). In Syslog Targets, the CEF field mappings map as many fields as possible for each template; each template has its own mappings to the CEF custom string (cs), device custom date (deviceCustomDate) and device custom number (cn) fields. For sample events in each format, see Export Event Format Types—Examples.
Syslog Servers: Syslog servers are the receivers of the syslog messages sent by servers in the ClearPass cluster. To add a syslog server, select it from the drop-down list. To define a new syslog target, click the link (see Adding a Syslog Target). To view details about a syslog server, select it and click View Details. To change a syslog server, select it and click Modify (see Adding a Syslog Target). To stop a syslog server from receiving syslog messages, select it and click Remove.
ClearPass Servers: Syslog messages can be sent from exactly one server in the ClearPass cluster or from all of them. To add a ClearPass server, select it from the drop-down list. To remove a ClearPass server, select it and click Remove. When no servers are listed, syslog messages are sent from all servers in the cluster.
This section provides several examples of Standard, LEEF, and CEF event format types for the syslog export filter templates.
The following example shows the Standard event format type for the Audit Records syslog export filter template:
Mar 20 21:18:56 10.17.5.228 2017-01-19 21:19:50,118 10.17.5.228 Audit Logs 96 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=clusteradmin,Category=Endpoint,Action=ADD,EntityName=34a39527afc0,src=10.17.5.228,Timestamp=Jan 19, 2017 21:18:54 IST
Mar 20 21:20:56 10.17.5.228 2017-01-19 21:21:50,111 10.17.5.228 Audit Logs 97 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Cluster-wide Parameter,Action=MODIFY,EntityName=Endpoint Context Servers polling interval,src=10.17.5.228,Timestamp=Jan 19, 2017 21:20:22 IST
Mar 21 09:28:59 10.17.5.228 2017-01-20 09:29:54,3 10.17.5.228 Audit Logs 99 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Network Device,Action=REMOVE,EntityName=1.1.1.1,src=10.17.5.228,Timestamp=Jan 20, 2017 09:29:13 IST
The following example shows the Standard event format type for the System Events syslog export filter template:
Mar 21 16:46:29 10.17.5.228 2017-01-20 16:47:23,880 10.17.5.228 System Events 0 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=User: arubasupport\nClient IP Address: 10.20.23.178,Category=Logged in,Action=None,Level=INFO,src=10.17.5.228,Component=Support Shell,Timestamp=Jan 20, 2015 16:45:59 IST
Mar 21 16:49:10 10.17.5.228 2017-01-20 16:50:05,210 10.17.5.228 System Events 1 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description='Failed to start ClearPass Virtual IP service',Category=start,Action=Failed,Level=WARN,src=10.17.5.228,Component=ClearPass Virtual IP service,Timestamp=Jan 20, 2017 16:48:53 IST
2015-01-20 16:50:05,210 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.syslog.Syslogger - 2017-01-20 16:50:05,210 10.17.5.228 System Events 2 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=Performed action stop on cpass-domain-server_CPATS,Category=stop,Action=Success,Level=INFO,src=10.17.5.228,Component=cpass-domain-server_CPATS,Timestamp=Jan 20, 2017 16:48:57 IST
2015-01-20 16:50:05,211 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.syslog.Syslogger - 2017-01-20 16:50:05,211 10.17.5.228 System Events 3 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=Performed action start on cpass-domain-server_CPATS,Category=start,Action=Success,Level=INFO,src=10.17.5.228,Component=cpass-domain-server_CPATS,Timestamp=Jan 20, 2017 16:49:00 IST
The following example shows the Standard event format type for the Session Logs syslog export filter template. The first two lines are RADIUS session records; the last two are TACACS+ authorization and authentication records:
Mar 21 16:31:49 10.17.5.211 2015-01-20 16:32:41,552 10.17.5.211 Radius Session Logs 4 1 0 Common.NAS-IP-Address=10.17.4.7,RADIUS.Acct-Delay-Time=null,RADIUS.Acct-Framed-IP-Address=null,RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com,RADIUS.Acct-Timestamp=null,RADIUS.Acct-Authentic=null,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Host-MAC-Address=58a2b5d05ac9,RADIUS.Acct-Termination-Cause=null,RADIUS.Acct-Service-Name=null,RADIUS.Acct-Session-Time=null,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,RADIUS.Acct-NAS-Port=null,Common.Username=test1,RADIUS.Acct-Session-Id=null,RADIUS.Acct-Called-Station-Id=null,RADIUS.Acct-NAS-Port-Type=null,src=10.17.5.211,RADIUS.Acct-NAS-IP-Address=null,Common.Service=Test Post Authentication Rules,RADIUS.Acct-Input-Pkts=null,RADIUS.Acct-Status-Type=null,RADIUS.Acct-Calling-Station-Id=null,Common.Request-Timestamp=2015-01-20 16:31:46+05:30,RADIUS.Acct-Output-Pkts=null,RADIUS.Acct-Output-Octets=null,RADIUS.Acct-Username=null,RADIUS.Acct-Input-Octets=null
Mar 21 16:31:49 10.17.5.211 2015-01-20 16:32:41,550 10.17.5.211 Radius Session Logs 3 2 0 Common.NAS-IP-Address=10.17.4.7,RADIUS.Acct-Delay-Time=0,RADIUS.Acct-Framed-IP-Address=10.17.4.148,RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com,RADIUS.Acct-Timestamp=2015-01-20 16:31:50+05:30,RADIUS.Acct-Authentic=RADIUS,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Host-MAC-Address=e0f8471a5450,RADIUS.Acct-Termination-Cause=null,RADIUS.Acct-Service-Name=null,RADIUS.Acct-Session-Time=null,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,RADIUS.Acct-NAS-Port=0,Common.Username=test1,RADIUS.Acct-Session-Id=test1E0F8471A5450-54BE336C,RADIUS.Acct-Called-Station-Id=000B8661CD70,RADIUS.Acct-NAS-Port-Type=Wireless-802.11,src=10.17.5.211,RADIUS.Acct-NAS-IP-Address=10.17.4.7,Common.Service=Test Post Authentication Rules,RADIUS.Acct-Input-Pkts=null,RADIUS.Acct-Status-Type=Start,RADIUS.Acct-Calling-Station-Id=E0F8471A5450,Common.Request-Timestamp=2015-01-20 16:31:45+05:30,RADIUS.Acct-Output-Pkts=null
Mar 21 16:35:58 10.17.5.228 2015-01-20 16:36:52,346 10.17.5.228 Tacacs authetnications 2 1 0 TACACS.Request-Type=TACACS_AUTHORIZATION,TACACS.Enforcement-Profiles=[TACACS Super Admin],TACACS.Acct-Flags=null,TACACS.Authen-Service=AUTHEN_SVC_NONE,TACACS.Acct-Session-Id=null,TACACS.Remote-Address=10.20.23.178,Common.Request-Timestamp=2015-01-20 16:34:54.647+05:30,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,TACACS.Authen-Action=,TACACS.Authen-Method=AUTHEN_METH_TACACSPLUS,Common.Username=a,TACACS.Authen-Type=AUTHEN_TYPE_PAP,TACACS.Auth-Source=[Local User Repository],src=10.17.5.228,TACACS.Privilege-Level=1,Common.Service=[Policy Manager Admin Network Login Service]
Mar 21 16:35:58 10.17.5.228 2017-01-20 16:36:52,346 10.17.5.228 Tacacs authetnications 3 1 0 TACACS.Request-Type=TACACS_AUTHENTICATION,TACACS.Enforcement-Profiles=[TACACS Super Admin],TACACS.Acct-Flags=null,TACACS.Authen-Service=AUTHEN_SVC_NONE,TACACS.Acct-Session-Id=null,TACACS.Remote-Address=10.20.23.178,Common.Request-Timestamp=2017-01-20 16:34:54.647+05:30,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,TACACS.Authen-Action=AUTHEN_ACTION_LOGIN,TACACS.Authen-Method=AUTHEN_METH_TACACSPLUS,Common.Username=a,TACACS.Authen-Type=AUTHEN_TYPE_PAP,TACACS.Auth-Source=[Local User Repository],src=10.17.5.228,TACACS.Privilege-Level=1,Common.Service=[Policy Manager Admin Network Login Service]
The following example shows the LEEF event format type for the Insight Logs syslog export filter template:
Dec 03 2017 16:50:44.085 IST 10.17.4.208 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:48:41+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS z Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600
The following example shows the CEF event format type for the Insight Logs syslog export filter template:
Dec 03 2017 16:31:28.861 IST 10.17.4.208 CEF:0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Insight Logs|0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:28:20+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600
The following example shows the CEF event format type for the Audit Records syslog export filter template:
Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba Networks|ClearPass|6.5.0.68754|13-1-0|Audit Records|5|cat=Role timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz rt=Nov 19, 2014 18:21:13 IST src=Test Role 10 act=ADD usrName=admin
The following example shows the LEEF event format type for the Audit Records syslog export filter template:
Nov 19 2017 14:31:10.422 IST 10.17.4.221 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.68754|0-1-0|cat=Syslog Export Data devTime=Nov 19, 2014 14:30:35 IST action=ADD src=Audit Events - LEEF usrName=admin devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z
The following example shows the LEEF event format type for the System Events syslog export filter template:
Dec 02 2017 20:38:40.901 IST 10.17.4.206 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.68878|295-1-0|cat=start devTime=Dec 02, 2014 20:38:12 IST level=WARN description='Failed to start ClearPass Virtual IP service' action=Failed src=ClearPass Virtual IP service devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z
The following example shows the CEF event format type for the Session Logs syslog export filter template (the CEF header is pipe-delimited: CEF:0|Vendor|Product|Version|Signature ID|Name|Severity|Extension):
Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0|Aruba Networks|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IP-Address=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=3155 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R00001316-01-547c3b5a RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=578470212 RADIUS.Acct-Username=A_user2 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=786315664
The following example shows the LEEF event format type for the Session Logs syslog export filter template (the LEEF 1.0 header is pipe-delimited: LEEF:1.0|Vendor|Product|Version|EventID|Extension):
Dec 02 2017 15:35:14.944 IST 10.17.4.206 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.68878|1309854-1-0|RADIUS.Acct-Calling-Station-Id=00:88:57:2d:12:a4 RADIUS.Acct-Framed-IP-Address=192.167.203.170 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2017-12-02 15:32:47+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=565 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS z RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R000a5038-01-547d8e47 RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=412895267 RADIUS.Acct-Username=A_user706 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=665942581