Aruba ClearPass (syslog)

Configure ClearPass Policy Manager to forward syslog logs to Radiant Security.

In this guide, you will set up a trusted relationship between Radiant and your Aruba ClearPass account to forward logs to Radiant Security via a syslog forwarder.

Prerequisites

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select the Aruba ClearPass (syslog) option and click Data Feeds.

  4. Under Select your data feeds, select Aruba ClearPass (syslog) and click Credentials.

  5. Under Credential Name, give the credential an identifiable name (e.g. Aruba ClearPass Credentials), then click Credentials.

  6. Under Required Credentials, enter a value for the Connector Tag. This can be any string you want.

  7. Click Add Connector to save the changes.

  8. Copy and save the connector Token value using the clipboard option, or use the Download File option to save it as an SSL certificate or token file. You will need this token to complete the configuration.

  9. Click Done to save your changes.

Configure a Radiant Agent for log collection

Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs.

Adding a syslog target on Aruba ClearPass

  1. Access the Aruba ClearPass console.

  2. Navigate to Administration > External Servers > Syslog Targets.

  3. Click Add.

  4. Enter the following parameters:

    1. Host Address: <syslog_collector_internal_address>

    2. Description: Radiant Security On-Prem Syslog Forwarder

    3. Protocol: UDP

    4. Server Port: 514

  5. Click Save.

Configure log forwarding on Aruba ClearPass

  1. Access the Aruba ClearPass console.

  2. Navigate to Administration > External Servers > Syslog Export Filters.

  3. Click Add.

  4. Enter the following parameters:

    1. Name: Radiant Security Session Logs - Logged in users

    2. Description: Radiant Security Syslog Forwarder

    3. Export Template: Session Logs

    4. Export Event Format Type: CEF

    5. ClearPass Servers: Leave it blank

  5. Click the Filter and Columns tab and configure the following:

    1. Data Filter: [All Requests]

    2. Columns Selection: Select one of the Predefined Field Group values from the table below:

    Export Template    Predefined Field Group
    Session Logs       Failed Authentications
    Session Logs       Guest Access
    Session Logs       Logged in users
    Session Logs       RADIUS Accounting
    Session Logs       TACACS+ Accounting
    Insight Logs       Endpoints
    Insight Logs       ClearPass Guest
    Insight Logs       Onboard Enrollment
    Insight Logs       RADIUS Authentications
    Insight Logs       RADIUS Failed Authentications
    Insight Logs       TACACS Authentication
    Insight Logs       TACACS Failed Authentication
    Insight Logs       WEBAUTH Failed Authentications
    Insight Logs       WEBAUTH
    Insight Logs       Application Authentication
    Insight Logs       Posture Antivirus Summary
    Insight Logs       Posture Antispyware Summary
    Insight Logs       Posture DiskEncryption Summary
    Insight Logs       Posture Summary

  6. Click Save.

  7. Repeat steps 3 and 4 for every Export Template and Predefined Field Group pairing in the table.

  8. Each Syslog Export Filter can only support one export template and one predefined group. The final result should look like this:
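
Once the filters are saved, the CEF events arriving at the syslog forwarder can be checked with a short parser. This is an added example, not part of the original guide or of Radiant Security's or Aruba's code; the sample lines, vendor/product strings and extension values are constructed, and the extension keys in real events depend on the field group selected.

```python
import re
from collections import Counter

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                      # pipe not escaped as \|
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # start of a key=value pair

def parse_cef(line):
    """Parse one syslog line carrying a CEF event; return None if it is not CEF."""
    start = line.find("CEF:")
    if start == -1:
        return None
    parts = _PIPE.split(line[start + 4:].rstrip("\r\n"), maxsplit=7)
    if len(parts) < 8:
        return None  # incomplete header, e.g. a truncated message
    event = {k: v.replace("\\|", "|").replace("\\\\", "\\")
             for k, v in zip(HEADER_KEYS, parts[:7])}
    ext, extensions = parts[7], {}
    matches = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(matches):
        # A value runs until the next key, so it may contain spaces.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        extensions[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    event["extensions"] = extensions
    return event

def count_by_name(lines):
    """Count events per CEF name; lines that do not parse count as 'unparsed'."""
    counts = Counter()
    for line in lines:
        event = parse_cef(line)
        counts[event["name"] if event else "unparsed"] += 1
    return counts

# Constructed sample lines (not captured from a real ClearPass server).
SAMPLE_LINES = [
    r"<143>Jan 01 00:00:00 cppm.example.test CEF:0|ExampleVendor|ExampleProduct|1.0|100|Logged in users|1|duser=alice src=192.0.2.10 msg=Login status\=ACCEPT via 802.1X",
    r"<143>Jan 01 00:00:01 cppm.example.test CEF:0|ExampleVendor|ExampleProduct|1.0|101|Failed Authentications|5|duser=bob src=192.0.2.11",
    "<143>Jan 01 00:00:02 cppm.example.test plain text, not CEF",
]

if __name__ == "__main__":
    for name, n in count_by_name(SAMPLE_LINES).items():
        print(f"{name}: {n}")
```

A non-zero "unparsed" count on real traffic points to a filter whose Export Event Format Type is not set to CEF, or to messages cut short in transit.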
