Security

Hi dear Airheads,

I recently tried to pass ALL syslog messages from clearpass to a central syslog server, but I had my difficulties to adjust my Syslog Export Filters.

For me it is plausible to make 5 separate entries for the export templates (session logs, Audit records, insight record, system events).

From that point on I focused on the session log export template...

There is also the "Filter and Columns"-tab where one can filter the data sent to the syslog.

What I don't get: What is the best configuration of "Data Filter"-setting and Column-Selection to get all session logs?

For example the data filter "RADIUS Requests"... What is the most correct setting for the column selection?!

If you have guidance on that topic please enlighten me because this is confusing as hell to me.

BR

Michael

Hi Michael

The columns you choose is really dependent on your use case, and what data you wish to store.

If i was to want everything, typically all the common columns being selected and the default RADIUS filter, gives more than enough information. Referring to your email, if i was focusing on RADIUS, i personally would only put in the information i found useful, such as:

Common.Username, Common.Login-Status, Common.Service, Common.Roles, Common.Enforcement-Profiles, Common.Request-Timestamp, Common.NAS-IP-Address, Common.Error-Code, Common.Alerts

For the Data Filter itself, i would use the default RADIUS one, and not make any changes to it.

The above gives me basically an access tracker replica which is more than sufficient for historical logging. Active logging and troubleshooting you would be using the access tracker itself.

I hope this helped. If you have a specific use case, or data you wish to capture which isn't already captured above, let me know and i can assist you with finding it.