Syslog - Aruba Clear Pass

Device Details

Device Name

Aruba Clear Pass

Vendor

Aruba

Device Type

Policy Management Platform

Supported Model Name/Number

N/A

Supported Software Version(s)

N/A

Collection Method

Syslog

Configurable Log Output?

N/A

Log Source Type

Syslog – Aruba Clear Pass

Log Processing Policy

LogRhythm Default

Exceptions

N/A

Additional Information

Adding a Syslog Target – Aruba

https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogTargets.html#addSylogTarget1058

Adding a Syslog Export Filter – Aruba

https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm

Prerequisites

  • Access to Aruba Clear Pass platform.
  • Port 514 TCP/UDP allowed from Aruba Clear Pass to LogRhythm System Monitor Agent.
  • Port 514 TCP/UDP allowed on LogRhythm System Monitor Agent to receive syslog packets from Aruba Clear Pass.
  • LogRhythm Global Admins or Restricted Admins with elevated View and Manage privileges.

Configure Aruba Clear Pass

Add a Syslog Target

To add a syslog target:

  1. Click Administration, and then External Servers.
  2. Click Syslog Targets.
    The Syslog Targets page opens.
  3. Click Add.
    The Add Syslog Target dialog opens.
  4. Specify the following Add Syslog Target parameters:

    Parameter: Description
    Host Address: Enter the syslog server hostname or IP address.
    Description: Enter a short description of the syslog server.
    Protocol: Select either TCP or UDP.
    Server Port: The default port number is 514.
  5. Click Save.
    The new Syslog Target is added to the list.

Add a Syslog Export Filter

To add a syslog export filter:

  1. Click Administration, and then External Servers. 
  2. Click Syslog Export Filters.
  3. Click Add.
    The Add Syslog Filters page opens to the General tab.
  4. Specify the following:

    Parameter: Description
    Name: Name of the syslog export filter.
    Description: Enter a short description for the syslog export filter.
    Export Event Format Type: Select Standard to use the default event format.
    Syslog Servers: Define the receivers of syslog messages using the Select to Add drop-list.
  5. Click Save.

Configure LogRhythm

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take these actions.

Confirm the Syslog Server is Enabled

  1. In the Client Console on the main toolbar, click Deployment Manager.
  2. Click the System Monitors tab.
  3. Double-click the System Monitor Agent that collects the logs.
    The System Monitor Agent Properties dialog box appears.
  4. Click the Syslog and Flow Settings tab.
  5. Click the Enable Syslog Server check box.
  6. Click OK.

Restart the LogRhythm System Monitor Service

  1. On the System Monitor Agent host, right-click the Windows Start menu, and then click Run.
    The Run dialog box appears.
  2. In the Open field, enter services.msc, and then click OK.
    The Services console appears.
  3. Right-click LogRhythm System Monitor Service, and then click Restart.

Verify the System Monitor Agent is Connected

After restarting the LogRhythm System Monitor Service, you need to verify that the Agent is listening for the TCP/UDP connection on default port 514.

  1. On the System Monitor Agent host, right-click the Windows Start menu, and then click Command Prompt.
    The Command Prompt dialog box appears.
  2. Execute the following command:

    netstat -ano | findstr :514

    Example of expected output:



Ensure that the firewall on the Agent machine is allowing the incoming connection over TCP/UDP on port 514.
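
The listener and firewall checks above can also be run from PowerShell. The script below is an added example, not part of the original LogRhythm documentation; it assumes Windows 10 / Server 2016 or later and an elevated PowerShell session, and the helper name Get-ListenerRow is hypothetical.

```powershell
# Added example: verify the syslog listener and inbound firewall rules on the Agent host.
# Assumption: Windows 10 / Server 2016 or later, elevated PowerShell session.
$Port = 514  # default syslog port used in this guide

# TCP sockets in the Listen state and UDP endpoints bound to the port.
$tcp = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
$udp = @(Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)

# Hypothetical helper: one report row per socket, with the owning process resolved.
function Get-ListenerRow($Socket, $Protocol) {
    $proc = Get-Process -Id $Socket.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol  = $Protocol
        Address   = $Socket.LocalAddress
        Port      = $Socket.LocalPort
        ProcessId = $Socket.OwningProcess
        Process   = $proc.ProcessName
    }
}

$rows  = @($tcp | ForEach-Object { Get-ListenerRow $_ 'TCP' })
$rows += @($udp | ForEach-Object { Get-ListenerRow $_ 'UDP' })
$rows | Format-Table -AutoSize

# Flag a missing listener per protocol; confirm the owning process is the Agent service.
foreach ($p in 'TCP', 'UDP') {
    if (-not ($rows | Where-Object Protocol -eq $p)) {
        Write-Warning "No $p listener found on port $Port."
    }
}

# Enabled inbound allow rules that name the port explicitly.
# Rules that use 'Any' or a port range are not matched by this simple check.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if ($filter.Protocol -in 'TCP', 'UDP' -and $filter.LocalPort -contains "$Port") {
            [pscustomobject]@{
                Rule     = $_.DisplayName
                Protocol = $filter.Protocol
                Profile  = $_.Profile
                # 'Any' here means the rule is not limited to the Aruba Clear Pass address.
                Remote   = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            }
        }
    }

if ($rules) { $rules | Format-Table -AutoSize }
else { Write-Warning "No enabled inbound allow rule names port $Port explicitly." }
```

A Remote value of Any in the firewall table means the port accepts syslog from any source, not only the Aruba Clear Pass device.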

Configure LogRhythm to Collect Logs

Resolve Log Source Hosts

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Sources tab.
  3. In the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
  4. Right-click the selection, click Actions, and then click Resolve Log Source Hosts.
    The Resolve Known Hosts Complete dialog box appears.
  5. Click OK.

Confirm Log Source Acceptance Properties

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Sources tab.
  3. In the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
  4. Right-click the selection, and then click Properties.
    The Log Source Acceptance Properties dialog box appears.
  5. Confirm the Device IP Address matches the IP address of the Aruba Clear Pass device.
  6. (Optional) Change the Log Source Name, if desired.
  7. To the right of the Log Source Type field, click the ... selector.
    The Log Source Type Selector dialog box appears.
  8. In the Text Filter field, enter Syslog – Aruba Clear Pass, and then click Apply.
  9. In the Log Source Type section, click System : Syslog - Aruba Clear Pass, and then click OK.
    The Log Source Acceptance Properties dialog box appears.
  10. Click the field under MPE Policy, and then click LogRhythm Default.
  11. Click OK.

Accept the New Log Source 

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Sources tab.
  3. In the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
  4. Right-click the selection, click Actions, click Accept, and then click Defaults.
    The Accept Successful dialog box appears.
  5. Click OK.
    The Syslog – Aruba Clear Pass log source moves from the New Log Sources list to the existing list at the bottom of the screen.

Tail the Log Source

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Sources tab.
  3. In the grid below the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
  4. Right-click the selection, click Actions, and then click Tail Log Source(s).

