ClearPass Integration Guide For The Splunk Clearpass APP + HEC Extension

This document serves as an integration guide for ClearPass Policy Manager with Splunk, detailing the configuration for sending Syslog output and receiving data from ClearPass servers. It includes instructions for installing the Aruba ClearPass App for Splunk and the ClearPass HTTP Event Collector extension. Additionally, it outlines software requirements and provides visual aids for understanding the integration process.
ClearPass and Splunk Integration

Splunk and the Splunk HTTP Event Collector

ClearPass Integration Guide

Change Log

Version   | Date           | Modified By                    | Comments
0.1 & 0.2 | May/July 2014  | Premraj Lourdraj / Sohag Desai | Initial Revision, Updates and Review
v2018-01  | August 2018    | Danny Jump                     | First Published Version
v2020-01  | September 2020 | Chris Lembo                    | Updated for Splunk 8 and Splunk Cloud and support of Splunk HEC via ClearPass Extension
V2020-01  | September 2020 | Danny Jump                     | Review of updated
V2020-02  | October 2020   | Chris Lembo                    | Minor non-technical revisions

Copyright
© Copyright 2020 Hewlett Packard Enterprise Development LP.

Open Source Code


This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett-Packard Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:
Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA
Please specify the product and version for which you are requesting source code. You may also request a copy of this source
code free of charge at [email protected].

Contents
Introduction and Overview .......................................................................................................................................................... 1
Software Requirements ............................................................................................................................................................... 1
ClearPass Installation and Deployment Guide......................................................................................................................... 1
Splunk Installation and Deployment Guide ............................................................................................................................. 1
Pre-Requisites for the Integration ............................................................................................................................................... 2
ClearPass Extensions ............................................................................................................................................................... 2
ClearPass Extension Help ..................................................................................................................................................... 2
Access to the Extension Store.............................................................................................................................................. 3
Extensions and web proxy support ..................................................................................................................................... 3
Extensions and IP address configuration support ............................................................................................................... 3
ClearPass, Splunk and the ClearPass for Splunk App ................................................................................................................... 5
Types of Syslog ........................................................................................................................................................................ 5
Syslogs Based on ClearPass Internal Modules, RADIUS or Auth Services ................................................................................ 5
Syslogs Based on Session Logs, Audit Records and Event Records .......................................................................................... 6
Pictorial View of the Integration .............................................................................................................................................. 7
Install Splunk HEC Connector Extension ...................................................................................................................................... 8
Cluster Considerations ............................................................................................................................................................. 8
Installation ............................................................................................................................................................................... 8
Configuration ......................................................................................................................................................................... 10
Custom Endpoint Filter .......................................................................................................................................................... 11
endpointFilter – Compliance Equals NotAvailable ............................................................................................................ 13
endpointFilter – Source Exists ........................................................................................................................................... 14
Scheduling ............................................................................................................................................................................. 15
Configure ClearPass Policy Manager to Send Syslog Messages to Splunk ................................................................................ 16
Adding Splunk as a Syslog Target........................................................................................................................................... 16
Importing ClearPass Syslog Filters ......................................................................................................................................... 17
Configure Splunk to Receive Messages from ClearPass ............................................................................................................ 19
Create TCP/UDP Data Input ................................................................................................................................................... 19
HTTP Event Collector ............................................................................................................................................................. 21
Install Aruba ClearPass App for Splunk ...................................................................................................................................... 23
Configure Error Code to Error String Lookups ....................................................................................................................... 24
ClearPass Splunk App – Dashboard Elements ........................................................................................................................... 27
Overview ................................................................................................................................................................................ 27
Authentications ..................................................................................................................................................................... 28
Authentication Overview ................................................................................................................................................... 28
Authentication Trends ....................................................................................................................................................... 30
Failure by Error Types ........................................................................................................................................................ 32
Failure Distribution ............................................................................................................................................................ 35
Policy Enforcement ............................................................................................................................................................ 37
Endpoints ............................................................................................................................................................................... 39
Endpoint Categories .......................................................................................................................................................... 39
Endpoint Profiles ............................................................................................................................................................... 41
Endpoint Information ........................................................................................................................................................ 43
Sessions ................................................................................................................................................................................. 44
Bandwidth Usage .............................................................................................................................................. 44
Session Details ................................................................................................................................................................... 45
Comparison............................................................................................................................................................................ 48
Compare NAS Devices ....................................................................................................................................................... 48

Compare Servers ............................................................................................................................................................... 50
System ................................................................................................................................................................................... 51
Audit Records .................................................................................................................................................................... 51
ClearPass Licensing ............................................................................................................................................................ 52
System Events .................................................................................................................................................................... 54
System Monitor ................................................................................................................................................................. 55
Search .................................................................................................................................................................................... 57
Generic Query Dropdown .................................................................................................................................................. 57
Generic Query Textbox ...................................................................................................................................................... 59
Search ................................................................................................................................................................................ 61
Appendix A – Additional diagnostics / support ......................................................................................................................... 63
Checking on the Extension Service ........................................................................................................................................ 63
Extension Logs/Debugging .................................................................................................................................................... 64
Appendix B: Splunk HEC Connector Extension Troubleshooting ............................................................................................... 67
Invalid Authorization, code: 3 ................................................................................................................................................ 67
Socket Hang Up ..................................................................................................................................................................... 68
Extension Statistics Not Displaying ........................................................................................................................................ 69
Appendix C – Syslog Raw Data ................................................................................................................................................... 70
Failed Authentication Raw Data ............................................................................................................................................ 70
Successful Authentication Raw Data ..................................................................................................................................... 70
Event Log Raw Data ............................................................................................................................................................... 70
Audit Log Raw Data ............................................................................................................................................................... 70
Appendix D – Caveats ................................................................................................................................................................ 71
Appendix E – Validating ClearPass Events are Received by Splunk ........................................................................................... 72

Figures
Figure 1: Extension Framework GUI ................................................................................................................................................. 2
Figure 2: Accessing ClearPass Extension Help .................................................................................................................................. 2
Figure 3: Entering HPE Passport credentials ..................................................................................................................................... 3
Figure 4: Defining the base IP SUBNET for the Extensions Framework ............................................................................................ 4
Figure 5: Example of Syslogs based on internal ClearPass modules ................................................................................................. 5
Figure 6: Example of Syslog: Session Logs ........................................................................................................................................ 6
Figure 7: Example of Syslog: Audit Records ...................................................................................................................................... 6
Figure 8: Example of Syslog: Event Records ..................................................................................................................................... 6
Figure 9: Sample Component Interaction ......................................................................................................................................... 7
Figure 10: Extensions Framework GUI .............................................................................................................................................. 8
Figure 11: GUI Extension Search ....................................................................................................................................................... 8
Figure 12: GUI Extension Configuration at Install time ..................................................................................................................... 9
Figure 13: Splunk HEC Connector > Options ..................................................................................................................................... 9
Figure 14: GUI Reviewing and Setting the Extension configuration ............................................................................................... 10
Figure 15: Dictionary Attributes > Endpoints.................................................................................................................................. 11
Figure 16: ClearPass Guest > API Explorer ...................................................................................................................................... 12
Figure 17: Splunk HEC Connector > Endpoint Count Sent to Splunk .............................................................................................. 13
Figure 18: Splunk > Endpoint Information ...................................................................................................................................... 13
Figure 19: Splunk HEC Connector > Endpoint Count Sent to Splunk .............................................................................................. 14
Figure 20: Splunk > Endpoint Information ...................................................................................................................................... 14
Figure 21: Cron Job Reference ........................................................................................................................................................ 15
Figure 22: Adding Syslog Target to ClearPass ................................................................................................................................. 16
Figure 23: Download Syslog Target and Export Filter from Aruba Solution Exchange ................................................................... 17
Figure 24: Modify SyslogTarget information within XML import file .............................................................................................. 17
Figure 25: SyslogServerNameList information within XML import file ........................................................................................... 17
Figure 26: Import Syslog Export Filter XML file ............................................................................................................................... 18
Figure 27: List of Syslog Export Filters after Import ........................................................................................................................ 18
Figure 28: Accessing the Splunk Data Inputs Configuration Dialog ................................................................................................ 19
Figure 29: Adding a new Splunk UDP Data Input ............................................................................................................................ 19
Figure 30: Splunk UDP Data Input: Select Source Configuration .................................................................................................... 20
Figure 31: Splunk UDP Data Input: Input Settings Configuration ................................................................................................... 20
Figure 32: Splunk UDP Data Input: Review Settings ....................................................................................................................... 20
Figure 33: Splunk UDP Data Input: Successful Creation ................................................................................................................. 21
Figure 34: Splunk UDP Data Input: Check Enabled Status .............................................................................................................. 21
Figure 35: Accessing the Splunk Data Inputs Configuration Dialog ................................................................................................ 22
Figure 36: Adding a new Splunk HTTP Event Collector Data Input ................................................................................................. 22
Figure 37: Splunk HEC > Verify Token Value and Status ................................................................................................................. 22
Figure 38: Accessing the Splunk App Store ..................................................................................................................................... 23
Figure 39: Searching and selecting the Aruba ClearPass App for Splunk ........................................................................................ 23
Figure 40: Install Aruba ClearPass App for Splunk > Credentials .................................................................................................... 23
Figure 41: Install Aruba ClearPass App for Splunk > Installation Progress ...................................................................................... 24
Figure 42: Accessing Splunk Lookups Configuration ....................................................................................................................... 24
Figure 43: Splunk Lookups > Automatic Lookups ........................................................................................................................... 25
Figure 44: Splunk Lookups > Automatic Lookups > New Automatic Lookup .................................................................................. 25
Figure 45: Splunk Lookups > Automatic Lookups > New Automatic Lookup Configuration ........................................................... 25
Figure 46: Splunk Lookups > Automatic Lookups > Verify Status ................................................................................................... 26
Figure 47: Splunk Lookups > Verify Code Translations ................................................................................................................... 26
Figure 48: Overview Dashboard ..................................................................................................................................................... 27
Figure 49: Accessing the Authentication Overview Dashboard: ..................................................................................................... 28
Figure 50: Authentications > Authentication Overview Dashboard: .............................................................................................. 29
Figure 51: Accessing the Authentication Trends Dashboard: ......................................................................................................... 30
Figure 52: Authentications > Authentication Trends Dashboard ................................................................................................... 30
Figure 53: Accessing the Failure by Error Types Dashboard: .......................................................................................................... 32
Figure 54: Authentication > Failure by Error Types Dashboard ...................................................................................................... 32
Figure 55: Accessing the Failure Distribution Dashboard: .............................................................................................................. 35

Figure 56: Authentication > Failure Distribution Dashboard .......................................................................................................... 36
Figure 57: Accessing the Policy Enforcement Dashboard: .............................................................................................................. 37
Figure 58: Authentication > Policy Enforcement Dashboard .......................................................................................................... 38
Figure 59: Accessing the Endpoint Categories Dashboard: ............................................................................................................ 39
Figure 60: Endpoints > Endpoint Categories Dashboard ................................................................................................................ 40
Figure 61: Endpoints > Endpoint Categories Dashboard (filter options) ........................................................................................ 40
Figure 62: Accessing the Endpoint Profiles Dashboard: ................................................................................................................. 41
Figure 63: Endpoints > Endpoint Profiles Dashboard ..................................................................................................................... 42
Figure 64: Accessing the Endpoint Information Dashboard: .......................................................................................................... 43
Figure 65: Endpoints > Endpoint Information Dashboard .............................................................................................................. 43
Figure 66: Accessing the Bandwidth Usage Dashboard: ................................................................................................................. 44
Figure 67: Sessions > Bandwidth Usage Dashboard ....................................................................................................................... 44
Figure 68: Accessing the Session Details Dashboard: ..................................................................................................................... 45
Figure 69: Sessions > Session Details Dashboard ............................................................................................................................ 46
Figure 70: Accessing the Compare NAS Devices Dashboard:.......................................................................................................... 48
Figure 71: Comparison > Compare NAS Devices Dashboard .......................................................................................................... 48
Figure 72: Compare Servers Dashboard: ........................................................................................................................................ 50
Figure 73: Comparison > Compare Servers Dashboard .................................................................................................................. 50
Figure 74: Accessing the Audit Records Dashboard: ...................................................................................................................... 51
Figure 75: System > Audit Records Dashboard ............................................................................................................................... 51
Figure 76: Accessing the ClearPass Licensing Dashboard: .............................................................................................................. 52
Figure 77: System > ClearPass Licensing Dashboard ...................................................................................................................... 52
Figure 78: Accessing the System Events Dashboard: ...................................................................................................................... 54
Figure 79: System > System Events Dashboard .............................................................................................................................. 54
Figure 80: Accessing the System Monitor Dashboard: ................................................................................................................... 55
Figure 81: System > System Monitor Dashboard............................................................................................................................ 55
Figure 82: Accessing the Generic Query Dropdown Dashboard: .................................................................................................... 57
Figure 83: Search > Generic Query Dropdown Dashboard: ............................................................................................................ 57
Figure 84: Accessing the Generic Query Textbox Dashboard: ........................................................................................................ 59
Figure 85: Search > Generic Query Textbox Dashboard ................................................................................................................. 59
Figure 86: Accessing the Search Dashboard: ................................................................................................................................. 61
Figure 87: Search > Search Dashboard ........................................................................................................................................... 61
Figure 88: Services Control ............................................................................................................................................................. 63
Figure 89: Splunk HEC Connector > Changing the DEBUG level ..................................................................................................... 64
Figure 90: Splunk HEC Connector > Viewing DEBUG Logs .............................................................................................................. 64
Figure 91: Splunk HEC Connector > Enable Extension Statistics ..................................................................................................... 65
Figure 92: Splunk HEC Connector > Show Extension Details .......................................................................................................... 65
Figure 93: Splunk HEC Connector > Show Extension Statistics URL ................................................................................................ 66
Figure 94: Splunk HEC Connector > View Stats ............................................................................................................................... 66
Figure 95: Splunk HEC Connector > Show Logs............................................................................................................................... 67
Figure 96: Splunk HTTP Event Collector > Copy Token ................................................................................................................... 67
Figure 97: Splunk HEC Connector > Define hecToken.................................................................................................................... 68
Figure 98: Splunk HEC Connector > Show Logs............................................................................................................................... 68
Figure 99: Splunk HEC Connector > Extension Statistics URL......................................................................................................... 69
Figure 100: Splunk HEC Connector > Extension Statistics Not Loading.......................................................................................... 69
Figure 101: Splunk HEC Connector > Reinstall Extension ............................................................................................................... 69
Figure 102: Splunk Caveats > Truncated Message .......................................................................................................................... 71
Figure 103: Splunk > Accessing Search ........................................................................................................................................... 72
Figure 104: Splunk > Search > Search Dashboard ........................................................................................................................... 72

ClearPass and ClearPass and Splunk Integration v


Introduction and Overview
This document describes how to integrate ClearPass Policy Manager with Splunk Enterprise and Splunk Cloud, how to
install the Aruba ClearPass App for Splunk add-on to get the most out of both applications, and how to add the
HTTP Event Collector support that ClearPass uses via a ClearPass Extension. Specifically, this Integration Guide
provides information on:
• How to configure ClearPass to send Syslog output to an instance of Splunk
• How to configure Splunk to receive data from one or more ClearPass servers
• How to install and configure the ClearPass App for Splunk
• How to install and configure the ClearPass HTTP Event Collector extension for Splunk
After completion of these steps, the ClearPass Splunk App will display charts and tables showing ClearPass events
captured from Syslog and HTTP event messages sent by ClearPass Policy Manager. The document also provides
screenshots of each item and dashboard element and explains what they represent.

Software Requirements
To support this integration, the minimum software version for ClearPass Policy Manager is 6.7.2. At the time of
writing, ClearPass Policy Manager 6.9.2 is the latest available and recommended release, and it is the release from
which the procedures and screenshots in this document are taken. Version 3.1 of the ClearPass App for Splunk was
also used throughout this Integration Guide.

ClearPass runs on either hardware appliances with pre-installed software, or as a Virtual Machine under the
following hypervisors. Hypervisors that run on a client computer such as VMware Player are not supported.

• VMware ESXi 6.0, 6.5, 6.6, 6.7 or higher
• Microsoft Hyper-V Server 2012, 2016 R2 or 2019
• Hyper-V on Microsoft Windows Server 2012, 2016 R2 or 2019
• Amazon EC2, deployed in a VPC
• Microsoft Azure, deployed in a VN
• KVM on Ubuntu 18.04 LTS or CentOS 7.5 or later

The minimum software version supported is Splunk Enterprise 8 and Splunk Cloud; however, this document is
based upon Splunk 8.0.5.

The sharing of licensing information from ClearPass to Splunk requires ClearPass Policy Manager 6.9.2 or greater (which
includes the License Summary API).

ClearPass Installation and Deployment Guide


This document assumes your ClearPass environment is already configured and operational. If you require
assistance with basic deployment, refer to the following deployment guide:
https://www.arubanetworks.com/techdocs/ClearPass/6.9/Aruba_DeployGd_HTML/Default.htm

Splunk Installation and Deployment Guide


This document also assumes your Splunk environment is already configured and operational, with or without
product integrations. If you require assistance with basic deployment, please contact Splunk directly.

Pre-Requisites for the Integration
ClearPass Extensions
The integration between ClearPass Policy Manager and Splunk is partially driven through a ClearPass capability
known as Extensions, a sub-component of the ClearPass Exchange Integration framework. ClearPass Extensions are
micro-services running on top of the base ClearPass platform. These micro-services enable Aruba to deliver new
features outside of the main software release cycle and facilitate a faster time to market for specific features and
integrations. ClearPass Extensions are configured and controlled from the ClearPass Guest GUI, where ‘Extensions’
are managed; this is covered later in this document.

Figure 1: Extension Framework GUI

ClearPass Extension Help


Details of ClearPass Extension Management can be found in the ClearPass User Guide at the link below, or by
clicking on Help in the Extensions WebUI.

https://www.arubanetworks.com/techdocs/ClearPass/6.9/Guest/Content/AdministrationTasks1/Extensions_top.htm

Figure 2: Accessing ClearPass Extension Help

Access to the Extension Store

Extensions are downloaded and installed to ClearPass through the Extension Store. The Extension Store is
accessed using the same HPE Passport account credentials used to validate support entitlement in the Software
Updates Portal. This is configured under Administration → Agents and Software Updates → Software Updates as
shown below. Ensure that a valid HPE Passport credential set has been entered in these fields to enable Extension
download capabilities.

Figure 3: Entering HPE Passport credentials

Extensions and web proxy support

Extensions support the use of third-party web proxies. If a proxy is defined in ClearPass Policy Manager, an
extension will use that configuration.

The Policy Manager web proxy configuration is ONLY read by the extension at installation time. If the web proxy configuration is
changed in Policy Manager, the extension must be re-installed so that the new settings are activated in the extension.

Extensions and IP address configuration support

ClearPass uses an RFC1918 non-routable IP address range to communicate with the Extension. The default is
172.17.0.0/16. You may configure a different range, if desired. This is especially useful when deploying extensions
across nodes within a cluster where there is the requirement for a fixed consistent IP address for the extension
across the cluster.

Changing the “Extensions Network Address” range is only necessary if either the ClearPass MGMT or DATA
interface are using an IP address in the extension default range of 172.17.x.x/16, or if ClearPass needs to
communicate with some external device in that range.

To Configure the base Extension IP subnet within Policy Manager, navigate to Administration → Server Manager
→ Server Configuration [SERVER] → Service Parameters → [ClearPass system service] dropdown.

The subnet defined here for the extension framework must fall within the following subnet range 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16 as defined by RFC1918.

Figure 4: Defining the base IP SUBNET for the Extensions Framework

Changing the extension base IP address will require the extension service to be restarted.

For best results, set the network address range to a subnet that does not exist in your enterprise, and restart the
extension service for this change to take effect.

Never set the DATA or MGMT IP address to use an address that matches the Extension Network.

ClearPass, Splunk and the ClearPass for Splunk App
ClearPass Policy Manager is a network access security solution used extensively in small, midrange and large
enterprises. ClearPass provides the capability to send various kinds of Authentication, Authorization and
Accounting events as CEF, LEEF or RFC 5424 compliant Syslog messages to any Syslog receiver as endpoints
authenticate to the network.

Splunk is a log management / SIEM (Security Information and Event Management) solution that can receive
Syslog messages from multiple sources. These messages are stored within Splunk and can then be correlated,
searched, analyzed and displayed using its graphical user interface.

Splunk is also a platform that runs mini-applications (Apps) as add-ons to Splunk, which are customized for specific
external applications or products which send Syslog messages. The App provides visualization of the received data
without requiring the user to run complex custom searches within Splunk.

These apps typically consist of a number of dashboard elements like charts, tables and graphs that are accessible
via a menu structure contained within the app, which are based on pre-defined searches. The ClearPass Splunk
App is such an App and was developed by Aruba for visualizing a Syslog feed from ClearPass Policy Manager.

Types of Syslog
ClearPass can generate two different types of Syslog feeds:

• Syslogs based on logs generated by internal ClearPass modules.
o These can be configured by clicking on Administration → Server Manager → Log Configuration
in ClearPass.
o These are logs from ClearPass internal modules like the RADIUS Server or ClearPass
Authentication Request services.
• Syslogs based on Access Tracker events, System events and Audit records.
o These can be configured by clicking on Administration → External Servers → Syslog Export
Filters in ClearPass.
o These are the logs defined in Data Filters, which will be discussed later in this document.

Syslogs Based on ClearPass Internal Modules, RADIUS or Auth Services


While you can set up Splunk to receive Syslog messages based on ClearPass internal modules, we are going to
ignore them in this document as they are not particularly useful for admin users. Here are some examples of these
types of Syslog messages:

Figure 5: Example of Syslogs based on internal ClearPass modules

Mar 27 12:01:40 10.17.6.54 2014-03-27 12:00:15,315 [main] DEBUG RadiusServer.Radius - Module: Loaded SQL
Mar 27 12:01:40 10.17.6.54 2014-03-27 12:00:15,316 [main] DEBUG RadiusServer.Radius - sql: sql_driver = "PostgreSQL"
Mar 27 12:01:40 10.17.6.54 2014-03-27 12:00:15,316 [main] DEBUG RadiusServer.Radius - sql: login = "appuser"
Mar 27 12:01:40 10.17.6.54 2014-03-27 12:00:15,316 [main] DEBUG RadiusServer.Radius - sql: password = "(encstring)"
Mar 27 14:59:57 10.17.6.54 2014-03-27 14:58:32,502 [RequestHandler-1-0x7f3899d6d700 r=psauto-1395827722-82 h=57 r=W0000001e-01-5333ef40] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
Mar 27 14:59:57 10.17.6.54 2014-03-27 14:58:32,502 [RequestHandler-1-0x7f3899d6d700 r=psauto-1395827722-82 h=57 r=W0000001e-01-5333ef40] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
Mar 27 14:59:57 10.17.6.54 2014-03-27 14:58:32,510 [R:W0000001e-01-5333ef40] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform chained policy-evaluation and enfProfiles
Mar 27 14:59:57 10.17.6.54 com.avenda.tips.webauthservice.WebAuthOpException: Applied Reject profile

Syslogs Based on Session Logs, Audit Records and Event Records
For the purposes of this document, we will only discuss integration of ClearPass Syslog data based on:

• Session Logs – these can be seen in the ClearPass Access Tracker
• Audit Records – these can be seen in the ClearPass Audit Viewer
• Event Records – these can be seen in the ClearPass Event Viewer

Shown below are examples of these three log types. Note that the Syslog payload is sent as name/value pairs.

Figure 6: Example of Syslog: Session Logs


<143>2014-04-03 10:03:56,535 10.17.6.54 All Session Log Fields 0 1 0 Common.Alerts-Present=0,Common.Enforcement-Profiles=EAI ClearPass Identity Provider (SAML IdP Service) Profile,Common.Error-Code=0, Common.Login-Status=ACCEPT, Common.Request-Id=W00000037-01-533ce4a8,Common.Request-Timestamp=2014-04-03 10:03:44.785+05:30,Common.Roles=[User Authenticated],Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.Username=prem4,WEBAUTH.Auth-Source=ClearPass Lab AD,

Figure 7: Example of Syslog: Audit Records


<143>2014-03-27 12:45:40,848 1.1.1.1 Audit Records Filtername 0 1 0 Timestamp=Mar 27, 2014 12:44:33 EDT,Source=Audit Records,Category=Syslog Export Data,Action=DISABLE,User=admin\n

Figure 8: Example of Syslog: Event Records


<142>2014-03-27 12:43:11,303 1.1.1.1 System Events Filtername 10 1 0 Timestamp=Mar 27, 2014 12:42:25 EDT,Source=Admin UI,Level=INFO,Category=Logged out,Action=None,Description=User: admin\nRole: Super Administrator\nSession ID: 9a99afae329433e45e6e1c50bc9b0e74\nClient IP Address: 2.2.2.2

This document will explain how to configure ClearPass to send each of these types of log messages to Splunk.
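As an added example (not part of the original guide or the ClearPass App), the following Python parser splits export-filter messages of the three kinds shown in Figures 6 to 8 into their header and name/value payload, and then flags audit records that disable or delete a Syslog export, since those silence the very feed Splunk depends on. The sample lines are constructed from the figures above; the list of actions treated as tampering is an assumption of this example.

```python
import re
from typing import Any, Dict, List

# Header of a ClearPass Syslog Export Filter message, following the layout of
# Figures 6-8: <PRI>, timestamp with milliseconds, sending host, export filter
# name (may contain spaces), three integer counters, then the name=value payload.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<host>\S+) "
    r"(?P<filter>.+?) "
    r"(?P<n1>\d+) (?P<n2>\d+) (?P<n3>\d+) "
    r"(?P<payload>.*)$"
)

# Split the payload only on commas that are followed by another "Name=" token,
# so commas inside values ("Mar 27, 2014 ...") are left alone.
_PAIR_SPLIT = re.compile(r",(?=\s*[A-Za-z][\w.\-]*=)")


def parse_clearpass_syslog(line: str) -> Dict[str, Any]:
    """Parse one export-filter message into header fields plus a name/value dict."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a ClearPass export-filter message: %r" % line[:60])
    pri = int(m.group("pri"))
    fields: Dict[str, str] = {}
    for pair in _PAIR_SPLIT.split(m.group("payload").rstrip(", ")):
        name, sep, value = pair.strip().partition("=")
        if not sep:
            continue  # tolerate a stray token without '='
        # Multi-line values such as Description carry a literal backslash-n.
        fields[name.strip()] = value.replace("\\n", "\n").rstrip()
    return {
        "priority": pri,
        "facility": pri >> 3,   # RFC 5424: PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "filter_name": m.group("filter"),
        "counters": (int(m.group("n1")), int(m.group("n2")), int(m.group("n3"))),
        "fields": fields,
    }


# Audit actions against the export configuration that a defender should alert
# on, because they silence the feed Splunk relies on (Figure 7 shows a DISABLE).
# The action list is an assumption for this example.
EXPORT_TAMPER_ACTIONS = {"DISABLE", "DELETE"}


def find_export_changes(records: List[Dict[str, Any]]) -> List[str]:
    """Return one alert string per audit record that disables/deletes a Syslog export."""
    alerts = []
    for rec in records:
        f = rec["fields"]
        if (f.get("Source") == "Audit Records"
                and f.get("Category", "").startswith("Syslog Export")
                and f.get("Action") in EXPORT_TAMPER_ACTIONS):
            alerts.append("%s %s %s %s by %s" % (
                rec["timestamp"], rec["host"], f["Action"], f["Category"], f.get("User")))
    return alerts


# Constructed sample messages, modelled on Figures 6-8 (one session log, one
# audit record, one event record); hosts and usernames are illustrative.
SAMPLE_LINES = [
    r"<143>2014-04-03 10:03:56,535 10.17.6.54 All Session Log Fields 0 1 0 "
    r"Common.Alerts-Present=0,Common.Enforcement-Profiles=EAI ClearPass Identity Provider "
    r"(SAML IdP Service) Profile,Common.Error-Code=0, Common.Login-Status=ACCEPT, "
    r"Common.Request-Id=W00000037-01-533ce4a8,Common.Request-Timestamp=2014-04-03 "
    r"10:03:44.785+05:30,Common.Roles=[User Authenticated],Common.Service=EAI ClearPass "
    r"Identity Provider (SAML IdP Service),Common.Source=Application,"
    r"Common.Username=prem4,WEBAUTH.Auth-Source=ClearPass Lab AD,",
    r"<143>2014-03-27 12:45:40,848 1.1.1.1 Audit Records Filtername 0 1 0 "
    r"Timestamp=Mar 27, 2014 12:44:33 EDT,Source=Audit Records,"
    r"Category=Syslog Export Data,Action=DISABLE,User=admin\n",
    r"<142>2014-03-27 12:43:11,303 1.1.1.1 System Events Filtername 10 1 0 "
    r"Timestamp=Mar 27, 2014 12:42:25 EDT,Source=Admin UI,Level=INFO,Category=Logged out,"
    r"Action=None,Description=User: admin\nRole: Super Administrator"
    r"\nSession ID: 9a99afae329433e45e6e1c50bc9b0e74\nClient IP Address: 2.2.2.2",
]

if __name__ == "__main__":
    parsed = [parse_clearpass_syslog(line) for line in SAMPLE_LINES]
    for rec in parsed:
        print(rec["filter_name"], "severity", rec["severity"], sorted(rec["fields"])[:4])
    print(find_export_changes(parsed))
```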

Pictorial View of the Integration
Splunk can receive information from providers in various formats. The most prominent method is Syslog
messages. Like other solutions, ClearPass can send Syslog messages to Splunk. In addition, through the Splunk
HTTP Event Collector (HEC) and the HEC Extension, ClearPass can be configured to send messages to Splunk over
HTTP; this provides additional capability that supplements the Syslog messages.

Figure 9: Sample Component Interaction (diagram: ClearPass sends Syslog messages and HTTP events to Splunk;
other sources such as a proxy, servers, IDS, routers, VPN, firewalls and switching send Syslog messages)

To integrate ClearPass with Splunk, four major tasks which are covered in the next four sections must be
performed:

• Install and configure Splunk HEC Connector Extension
• Configure ClearPass to send Syslogs to Splunk
• Configure Splunk to receive Syslog data feed from ClearPass
• Install and configure the ClearPass for Splunk App on a Splunk Server

Install Splunk HEC Connector Extension
Cluster Considerations
The Splunk HEC Connector offers the ability to send license and endpoint information to Splunk. Because all nodes
in the cluster share the same license configuration data and endpoint database, the extension can be installed
on whichever node in the cluster is deemed appropriate.

Installation
To access the extension GUI, from the ClearPass Guest System, under Administration navigate to the Extension
User Interface as shown below.

Figure 10: Extensions Framework GUI

From here, click on ‘Install Extension’, and the search box appears. Enter “Splunk” and click on ‘Search’; see the
example below.

Figure 11: GUI Extension Search

Click on the extension name and then click “Install.”

In the “Install Extension” dialog box, set the IP address if necessary, as described earlier. Do not check the box to
start the extension at this time. Click the “Install” button.

Figure 12: GUI Extension Configuration at Install time

The extension will download and appear in a “Stopped” state. Take note of the options to Show Details, Start,
Delete, Reinstall, Show Logs, and Configuration. These will be used throughout the configuration and in any
troubleshooting measures of the Extension.

Figure 13: Splunk HEC Connector > Options

The Reinstall option will maintain the configuration and extension data on the system. Alternatively, Deleting and then
searching/installing the extension again will wipe the configuration data and function like a new install.

Configuration
A copy of the default Splunk HEC Connector Extension configuration is shown below. This can be found by clicking
on Configuration once installed.

Figure 14: GUI Reviewing and Setting the Extension configuration

Password and sensitive configuration items are obfuscated when presented in both the Extension GUI and the Explorer
configuration; that includes the hecToken in this extension.

Some of these default settings will need to be modified for your deployment requirements. Use the table below
for guidance on the configuration values and options.

Extension Configuration

Configuration Attribute | Description | Default Value
logLevel | The logging level: DEBUG, INFO, WARN, ERROR | INFO
verifySSLCerts | Should Splunk SSL certificates be validated (true/false) | false
splunkHost | The host or IP address of the Splunk server that has HEC configured | (blank)
splunkPort | The port used by the Splunk HEC | 8088
hecToken | The Splunk HEC access token | 0e33db65-4239-4ac9-8fe1-7fb0935871fb
sendLicensing* | Should licensing information be sent to Splunk (true/false) | true
licenseSendSchedule | The Cron schedule used to send licensing information. Information is only updated in 15-minute intervals, so using the default schedule is recommended. | */15 * * * * (every 15 minutes)
sendEndpoints | Should endpoint information be sent to Splunk (true/false) | true
endpointSendSchedule | The Cron schedule used to send endpoints to Splunk | 0 */2 * * * (every 2 hours)
endpointSendLimit | The number of endpoints to send in each batch | 50
endpointFilter | If you wish to only send a subset of endpoints, you can filter them using a standard endpoint filter. These filters are the same as used by the endpoint API. An example using the Source endpoint attribute: { "Source": { "$eq": "Sophos" } } | {} (no filter)
endpointSendOnStart | Should endpoints be sent when the extension starts (true/false) | true
bypassProxy | If a proxy is configured in ClearPass, should it be bypassed by the extension (true/false) | false
enableStats | Enable or disable extension statistics tracking (true/false) | false

When sendLicensing=true, if the licensing information is more than 15-minutes old when the extension starts or restarts, it will
attempt to send a “refresh” of the licensing information to Splunk. Sending of licensing requires ClearPass 6.8.6 or 6.9.2 or
greater (which includes the License Summary API).

Custom Endpoint Filter


The Splunk HEC Connector Extension provides a customized filter option to instruct which Endpoints are shared
with Splunk. The JSON filter can be used to call out a subset of the total endpoints within ClearPass’ Endpoint
Database based on any available attribute.

The filtering options are only limited by the available attributes that are stored within the Endpoint database. A
listing of the available filters on your instance of ClearPass can be found in the Dictionary Attributes. These can be
found in ClearPass WebUI; Administration → Dictionaries → Dictionary Attributes. Filtering on Entity equals
Endpoint will display available attributes within the Endpoint database within your cluster.

Figure 15: Dictionary Attributes > Endpoints

JSON Filter Options

The filtering capabilities are the same as used in the Endpoint API, allowing complete control over which endpoints
are shared with Splunk. The filter query options available for use can be found in the ClearPass API
documentation. This is available from your ClearPass servers and can be accessed by browsing to the /api-docs URL
on your ClearPass Server (https://cppm.domain.name/api-docs).

A listing of the JSON filter expressions can be found by navigating through the API Explorer: Identity/Endpoint →
Endpoint → GET → More about JSON filter expressions.

Figure 16: ClearPass Guest > API Explorer

JSON Filter Expressions


Description | Syntax
No filter, matches everything | {}
Field is equal to "value" | {"fieldName":"value"} or {"fieldName":{"$eq":"value"}}
Field is one of a list of values | {"fieldName":["value1", "value2"]} or {"fieldName":{"$in":["value1", "value2"]}}
Field is not one of a list of values | {"fieldName":{"$nin":["value1", "value2"]}}
Field contains a substring "value" | {"fieldName":{"$contains":"value"}}
Field is not equal to "value" | {"fieldName":{"$ne":"value"}}
Field is greater than "value" | {"fieldName":{"$gt":"value"}}
Field is greater than or equal to "value" | {"fieldName":{"$gte":"value"}}
Field is less than "value" | {"fieldName":{"$lt":"value"}}
Field is less than or equal to "value" | {"fieldName":{"$lte":"value"}}
Field matches a regular expression (case-sensitive) | {"fieldName":{"$regex":"regex"}}
Field matches a regular expression (case-insensitive) | {"fieldName":{"$regex":"regex", "$options":"i"}}
Field exists (does not contain a null value) | {"fieldName":{"$exists":true}}
Field is NULL | {"fieldName":{"$exists":false}}
Combining filter expressions with AND | {"$and":[ filter1, filter2, ... ]}
Combining filter expressions with OR | {"$or":[ filter1, filter2, ... ]}
Inverting a filter expression | {"$not":{ filter }}
Field is greater than or equal to 2 and less than 5 | {"fieldName":{"$gte":2, "$lt":5}} or {"$and":[ {"fieldName":{"$gte":2}}, {"fieldName":{"$lt":5}} ]}

Two sample filters are provided below for demonstration purposes. An empty filter is the default configuration;
which will instruct ClearPass to send all endpoints at the specified intervals.

The attributes used are for demonstration purposes, refer to the attributes dictionary in your cluster for available filters.

endpointFilter – Compliance Equals NotAvailable

The following filter will only send endpoints that have a Compliance value of NotAvailable. The query is based on
the “Field is equal to "value"” filter.

Field is equal to "value" | {"fieldName":{"$eq":"value"}}

"endpointFilter": {
"Compliance": {
"$eq": "NotAvailable"
}
}

In this example, this particular filter yields a total of 143 endpoints, all of which have NotAvailable as the value for
the Compliance attribute. The total endpoints sent can be seen in the Splunk HEC Connector logs as well as on the
Endpoint Information dashboard within the ClearPass App for Splunk.

Figure 17: Splunk HEC Connector > Endpoint Count Sent to Splunk

Figure 18: Splunk > Endpoint Information

endpointFilter – Source Exists

The following filter will only send endpoints that have a Source value applied to them within the Endpoint database.
The Source attribute is often populated by third-party products that may be integrated with ClearPass. This query
can be useful for identifying such endpoints and sharing their details with Splunk for additional reporting. The
query is based on the “Field is not equal to "value"” filter.

Field is not equal to "value" | {"fieldName":{"$ne":"value"}}

"endpointFilter": {
"Source": {
"$ne": ""
}
}

In this example, the filter yields a total of 27,868 endpoints, all of which have some value in the Source attribute.
The total endpoints sent can be seen in the Splunk HEC Connector logs as well as on the Endpoint Information
dashboard within the ClearPass App for Splunk.
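To test an endpointFilter before committing it to the extension configuration, the following added example (written for this guide, not code from the ClearPass App or the extension) implements an evaluator for the JSON filter expressions listed in the table above and runs the two sample filters from this section over constructed endpoint records. It treats a missing attribute as NULL, so a missing Source satisfies {"$ne": ""} but not {"$exists": true}; whether ClearPass itself behaves this way for absent attributes is an assumption, so verify against your cluster's endpoint count.

```python
import operator
import re
from typing import Any, Dict, List

_CMP = {"$gt": operator.gt, "$gte": operator.ge, "$lt": operator.lt, "$lte": operator.le}


def _match_field(value: Any, cond: Any) -> bool:
    """Evaluate one field condition: a bare value ($eq), a list ($in) or an operator object."""
    if isinstance(cond, list):                      # {"field": [v1, v2]} is shorthand for $in
        return value in cond
    if not isinstance(cond, dict):                  # {"field": "value"} is shorthand for $eq
        return value == cond
    for op, arg in cond.items():                    # several operators in one object are ANDed
        if op == "$options":
            continue                                # consumed by $regex below
        if op == "$eq":
            ok = value == arg
        elif op == "$ne":
            ok = value != arg
        elif op == "$in":
            ok = value in arg
        elif op == "$nin":
            ok = value not in arg
        elif op == "$contains":
            ok = value is not None and str(arg) in str(value)
        elif op in _CMP:
            ok = value is not None and _CMP[op](value, arg)
        elif op == "$regex":
            flags = re.IGNORECASE if "i" in cond.get("$options", "") else 0
            ok = value is not None and re.search(arg, str(value), flags) is not None
        elif op == "$exists":
            ok = (value is not None) == bool(arg)   # a missing attribute is treated as NULL
        else:
            raise ValueError("unsupported filter operator: %s" % op)
        if not ok:
            return False
    return True


def match_filter(endpoint: Dict[str, Any], flt: Dict[str, Any]) -> bool:
    """True if the endpoint satisfies the filter; {} matches everything."""
    for key, cond in flt.items():
        if key == "$and":
            ok = all(match_filter(endpoint, f) for f in cond)
        elif key == "$or":
            ok = any(match_filter(endpoint, f) for f in cond)
        elif key == "$not":
            ok = not match_filter(endpoint, cond)
        else:
            ok = _match_field(endpoint.get(key), cond)
        if not ok:
            return False
    return True


def select_endpoints(endpoints: List[Dict[str, Any]], flt: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the endpoints the extension would forward under this endpointFilter."""
    return [e for e in endpoints if match_filter(e, flt)]


# Constructed endpoint records (MACs, Compliance values and Sources are illustrative);
# attributes are flattened onto one dict for the purpose of this example.
SAMPLE_ENDPOINTS = [
    {"mac_address": "00:11:22:33:44:01", "status": "Known", "Compliance": "NotAvailable", "Source": "Sophos"},
    {"mac_address": "00:11:22:33:44:02", "status": "Known", "Compliance": "Healthy", "Source": ""},
    {"mac_address": "00:11:22:33:44:03", "status": "Unknown", "Compliance": "NotAvailable"},
    {"mac_address": "00:11:22:33:44:04", "status": "Known", "Compliance": "Quarantine", "Source": "OnGuard"},
]

# The two filters shown in this section of the guide.
FILTER_COMPLIANCE = {"Compliance": {"$eq": "NotAvailable"}}
FILTER_SOURCE_SET = {"Source": {"$ne": ""}}

if __name__ == "__main__":
    for name, flt in (("no filter", {}), ("Compliance", FILTER_COMPLIANCE), ("Source", FILTER_SOURCE_SET)):
        print(name, [e["mac_address"] for e in select_endpoints(SAMPLE_ENDPOINTS, flt)])
```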

Figure 19: Splunk HEC Connector > Endpoint Count Sent to Splunk

Figure 20: Splunk > Endpoint Information

Scheduling
The licenseSendSchedule and endpointSendSchedule parameters set how often ClearPass forwards licensing data
and endpoint updates to Splunk. This setting is based on a slightly modified version of the CRON job scheduler
found in Unix-like operating systems. It can be used to schedule jobs to run periodically at fixed times, dates or
intervals. By default, both updates are set to run as follows:

• licenseSendSchedule: */15 * * * * (every 15 minutes, on the hour and at :15, :30 and :45)
• endpointSendSchedule: 0 */2 * * * (every 2 hours, starting at 00:00)

A ‘cron’ is a job scheduler. Any scheduled task is called a ‘cron job’. The syntax for a cron job schedule is as follows:

Figure 21: Cron Job Reference

In our use of the cron scheduler, we have dropped the last instruction, <command to execute>, and use only the
time/date fields; see below for a number of examples of scheduling a sync process.

Sample Scheduling Syntax

Schedule a sync to run at 2am daily | 0 2 * * *
Schedule a sync to run twice a day at 5am and 5pm | 0 5,17 * * *
Schedule a sync to run every Sunday at 5pm | 0 17 * * sun
Schedule a sync to run every 30 minutes | */30 * * * *
Schedule a sync to run at 5pm on selected days (Sunday and Friday) | 0 17 * * sun,fri

After the extension has been installed, proceed to configure Splunk and ClearPass.

You can see from the above that the scheduling process is extremely flexible. https://cron.help and
https://crontab.guru/ are great pages for learning more about CRON scheduling and visualizing your required
scheduling needs.
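Because a mistyped schedule silently changes how often licensing and endpoint data reach Splunk, it is worth checking the five-field values before saving them. The following added example (not part of the guide or the extension) parses the reduced cron syntax used by licenseSendSchedule and endpointSendSchedule, including */n steps, lists, ranges and weekday names, and computes when each of the sample schedules above would next fire; the reference dates are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, Set

_DOW = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
_MON = {"jan": 1, "feb": 2, "mar": 3, "apr": 4, "may": 5, "jun": 6,
        "jul": 7, "aug": 8, "sep": 9, "oct": 10, "nov": 11, "dec": 12}


def _num(token: str, names: Dict[str, int]) -> int:
    return names[token] if token in names else int(token)


def _expand(field: str, lo: int, hi: int, names: Dict[str, int]) -> Set[int]:
    """Expand one cron field ('*', '*/15', '5,17', 'mon-fri', '1-10/2') into a set of ints."""
    values: Set[int] = set()
    for part in field.lower().split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = _num(first, names), _num(last, names)
        else:
            start = _num(part, names)
            end = hi if step > 1 else start   # "5/2" means 5,7,9,... up to the field maximum
        if not (lo <= start <= end <= hi):
            raise ValueError("field %r out of range %d-%d" % (field, lo, hi))
        values.update(range(start, end + 1, step))
    return values


class CronSchedule:
    """Five-field schedule (minute hour day-of-month month day-of-week) with no command."""

    def __init__(self, expr: str) -> None:
        parts = expr.split()
        if len(parts) != 5:
            raise ValueError("expected 5 fields, got %d in %r" % (len(parts), expr))
        minute, hour, dom, month, dow = parts
        self.expr = expr
        self.minutes = _expand(minute, 0, 59, {})
        self.hours = _expand(hour, 0, 23, {})
        self.days = _expand(dom, 1, 31, {})
        self.months = _expand(month, 1, 12, _MON)
        self.weekdays = _expand(dow, 0, 7, _DOW)
        if 7 in self.weekdays:                 # both 0 and 7 mean Sunday
            self.weekdays.add(0)
        # Classic cron rule: when both day fields are restricted, either one may match.
        self.either_day = dom != "*" and dow != "*"

    def matches(self, when: datetime) -> bool:
        if (when.minute not in self.minutes or when.hour not in self.hours
                or when.month not in self.months):
            return False
        dom_ok = when.day in self.days
        dow_ok = (when.isoweekday() % 7) in self.weekdays   # Sunday -> 0
        return (dom_ok or dow_ok) if self.either_day else (dom_ok and dow_ok)

    def next_run(self, start: datetime, max_days: int = 366) -> datetime:
        """First minute strictly after 'start' that matches the schedule."""
        t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
        limit = t + timedelta(days=max_days)
        while t < limit:
            if self.matches(t):
                return t
            t += timedelta(minutes=1)
        raise ValueError("no run of %r within %d days" % (self.expr, max_days))


def matches_iso(expr: str, when_iso: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp such as '2020-09-01T10:45'."""
    return CronSchedule(expr).matches(datetime.fromisoformat(when_iso))


def next_run_iso(expr: str, start_iso: str) -> str:
    """Convenience wrapper returning the next run as 'YYYY-MM-DDTHH:MM'."""
    nxt = CronSchedule(expr).next_run(datetime.fromisoformat(start_iso))
    return nxt.isoformat(timespec="minutes")


if __name__ == "__main__":
    now = "2020-09-01T01:31"   # constructed reference time (a Tuesday)
    for expr in ("*/15 * * * *", "0 */2 * * *", "0 2 * * *", "0 5,17 * * *", "0 17 * * sun,fri"):
        print("%-18s next run after %s: %s" % (expr, now, next_run_iso(expr, now)))
```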

Configure ClearPass Policy Manager to Send Syslog Messages to Splunk
Note: The configuration steps described in this section were tested using ClearPass 6.9.2; however, these steps
should work for any version of ClearPass from 6.7.2 or higher (for this integration).

Configuration consists of the following steps:

• Adding a Splunk Server as a Syslog Target.
• Importing the ClearPass Syslog Export Filters defined for the ClearPass Splunk App into ClearPass, after
modifying them first to use the Splunk Server hostname or IP address.

Adding Splunk as a Syslog Target


First, add an instance of Splunk to ClearPass as a Syslog target. Syslog Targets can be found under Administration
→ External Servers → Syslog Targets in the ClearPass administrative interface.

The Host Address can be defined as a hostname (if resolvable through DNS) or an IP Address. The Protocol and
Server Port are customizable, but the default UDP/514 combination is used with Splunk Enterprise in this example.

When adding Splunk Cloud as a Syslog Target, you must specify TCP as the protocol.

Figure 22: Adding Syslog Target to ClearPass

Add Syslog Target


Configuration Attribute Description
Host Address: Syslog server hostname or IP address (IPv4 or IPv6)
Description: Short description of the Syslog server
Protocol Select the desired protocol
• UDP: reduces overhead and latency
• TCP: provides error checking and packet delivery validation
Server Port: The default port number is 514; change if necessary

Importing ClearPass Syslog Filters
Once you have defined the Syslog Target, it is necessary to create Syslog Filters in order to properly define and
format which messages will be sent to the defined target. Although it is possible to manually create your own
filters, Aruba has provided an XML file that can be imported. This file is available as part of the ClearPass Splunk
App bundle, or it can be obtained directly from the Aruba Solution Exchange:
https://ase.arubanetworks.com/solutions/id/70.

Figure 23: Download Syslog Target and Export Filter from Aruba Solution Exchange

Once you have downloaded the file (ClearPass Syslog Target and Export Filters.xml), it is necessary to edit the file
using a text editor as described below.

The name and version of the ClearPass Syslog Target and Export Filters.xml file may vary; always download and install the latest
available at the time of configuration.

Search the file for references of %splunk_ip%. It is located in two main sections.

• SyslogTarget - this portion of the XML file will create the Syslog Target during the import process. If the
Syslog Target is already defined (as shown above), then the <SyslogTargets> section can be omitted from
the XML import. If necessary, modify the protocol and port requirements to match the Splunk deployment.

Figure 24: Modify SyslogTarget information within XML import file

• SyslogServerNameList – seen multiple times within the XML file, this section outlines which Syslog Targets
this export filter will be sent to. This field should be entered as the hostname (if resolvable by DNS) or
the IP Address.

Figure 25: SyslogServerNameList information within XML import file

Once you have made your %splunk_ip% changes (and protocol/port modifications), the XML can be imported into
ClearPass. The Syslog Filters are imported under Administration → External Servers → Syslog Export Filters by
clicking Import. In the pop-up window presented, click the Choose File button and browse to the location where you
saved the ClearPass Syslog Target and Export Filters.xml file, suitably modified as mentioned in the earlier steps.

Figure 26: Import Syslog Export Filter XML file

Click the Import button and verify that the following Syslog filters have been imported correctly:

Figure 27: List of Syslog Export Filters after Import

Configure Splunk to Receive Messages from ClearPass
The Splunk configuration steps described in this section are based upon Splunk Enterprise 8.0.5.

Splunk requires specific configurations to accept and process messages from ClearPass, two Data Inputs are
required:

• TCP/UDP – to accept Syslog Messages
• HTTP Event Collector – to accept Splunk HEC Connector extension messages

Create TCP/UDP Data Input


In order for Splunk to accept the syslog messages being sent from ClearPass, a new data input needs to be created.
The Data Inputs are located under the Settings menu on the main Splunk WebUI dashboard.

Figure 28: Accessing the Splunk Data Inputs Configuration Dialog

The Data Inputs screen will display all the Local Inputs defined within Splunk. At this time, we’ll be adding a new
UDP Data Input to match the Syslog Target configuration on ClearPass. Click Add new under the UDP Local Input.

Figure 29: Adding a new Splunk UDP Data Input

Add the appropriate input protocol (UDP/TCP) for your installation requirements.

On the Select Source step, ensure UDP is selected and input the appropriate port configured on the ClearPass
Syslog Target. In this case; port 514. Click Next.

Figure 30: Splunk UDP Data Input: Select Source Configuration

On the Input Settings step, provide the following and click Review.
• Source Type: Aruba:CPPM:Syslog
• Source Type Category: Custom
• Source Type Description (optional): Aruba ClearPass Syslog

Figure 31: Splunk UDP Data Input: Input Settings Configuration

Ensure the settings you’ve established are correct. If so, click Submit; if not click Back and correct the values.

Figure 32: Splunk UDP Data Input: Review Settings

Once created, a success page is displayed.

Figure 33: Splunk UDP Data Input: Successful Creation

Upon completion, confirm that the new Data Input is Enabled by clicking Data Input; or proceed to download the
ClearPass for Splunk app by clicking on Download Apps.

Data Input confirmation: Click UDP on the Data Inputs page and confirm that the new input is Enabled; if not, click
the Enable link:

Figure 34: Splunk UDP Data Input: Check Enabled Status

HTTP Event Collector


In order for Splunk to accept the HTTP event messages being sent from ClearPass, a new data input needs to be
created. Although it is possible to manually create an HTTP Event Collector Data Input, it is recommended to let
the ClearPass App for Splunk create it automatically during its installation.

Tip: Allow the ClearPass App for Splunk to automatically create the HTTP Event Collector during its installation

You can verify its configuration (including Token Value) and Status state after the installation of the App is
completed. The Data Inputs are located under the Settings menu on the main Splunk WebUI dashboard.

Figure 35: Accessing the Splunk Data Inputs Configuration Dialog

The Data Inputs screen will display all the Local Inputs defined within Splunk. Once the ClearPass for Splunk App
installation has completed, the configuration and state of the HTTP Event Collector can be verified here.

Figure 36: Adding a new Splunk HTTP Event Collector Data Input

Figure 37: Splunk HEC > Verify Token Value and Status
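A quick way to prove that the token value and Enabled status shown in Figure 37 are what ClearPass will need is to post one constructed marker event to the collector and inspect the reply. The Python client below is an added example, not code from the ClearPass App or the ClearPass HEC extension; the hostname, port, token value, sourcetype name and index are placeholders to be replaced with the values from your own HEC data input. The wire format it uses (the `Authorization: Splunk <token>` header and a JSON body with an `event` member, posted to `/services/collector/event`) is the standard HEC interface.

```python
"""Post a test event to a Splunk HTTP Event Collector and check the reply.
Added example; not code from the ClearPass App or the ClearPass HEC extension.
Placeholders (replace with your own HEC data input values): HEC_HOST, HEC_PORT,
HEC_TOKEN, SOURCETYPE, INDEX."""
import json
import ssl
import urllib.error
import urllib.request

HEC_HOST = "splunk.example.internal"                 # placeholder hostname
HEC_PORT = 8088                                      # Splunk's default HEC port
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"   # placeholder token value
SOURCETYPE = "aruba:cppm:hec"                        # assumed name, not the app's
INDEX = None                                         # None = the token's default index


def build_hec_request(host, port, token, event, sourcetype, index=None, time=None):
    """Return (url, headers, body) for one POST to /services/collector/event.

    HEC authenticates with the header 'Authorization: Splunk <token>' and expects
    a JSON object whose 'event' member carries the payload."""
    payload = {"event": event, "sourcetype": sourcetype}
    if index:
        payload["index"] = index
    if time is not None:
        payload["time"] = time          # epoch seconds; omitted = time of indexing
    url = f"https://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps(payload).encode("utf-8")


def hec_accepted(response):
    """True when HEC reports the event accepted ({"text": "Success", "code": 0})."""
    return response.get("code") == 0


def send_test_event(host=HEC_HOST, port=HEC_PORT, token=HEC_TOKEN,
                    sourcetype=SOURCETYPE, index=INDEX, ca_file=None):
    """POST a constructed marker event and return the decoded HEC JSON reply.

    ca_file: PEM bundle that signs the HEC certificate. Keep verification on;
    a client that disables it would hand the token to any host answering on 8088."""
    event = {"message": "clearpass-hec-test", "marker": True}   # constructed payload
    url, headers, body = build_hec_request(host, port, token, event, sourcetype, index)
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # HEC answers 4xx with a JSON body (e.g. for a rejected or disabled token);
        # return that body so the caller can inspect its "code" and "text".
        raw = err.read().decode("utf-8", "replace")
        try:
            return json.loads(raw)
        except ValueError:
            return {"code": err.code, "text": raw}


if __name__ == "__main__":
    reply = send_test_event()
    print(reply, "accepted" if hec_accepted(reply) else "rejected")
```

Run it once after the App has created the collector; a reply with `code` 0 means the token is enabled and the event was indexed, while any other code identifies why the collector refused it, which is easier to read than a missing dashboard later.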

Install Aruba ClearPass App for Splunk
The installation of the ClearPass App can be completed immediately after creating the Data Input for ClearPass.
The App can be found by clicking the Download Apps button on the successful creation page above, or by clicking
Find More Apps on the main Splunk dashboard page.

Figure 38: Accessing the Splunk App Store

Type ClearPass in the search field and search the Splunk App database. Ensure you install the Aruba ClearPass App
for Splunk and not any other app that may include Aruba or ClearPass in its name (see below).

Figure 39: Searching and selecting the Aruba ClearPass App for Splunk

Login with your Splunk username and password in order to complete the download of the App.

Figure 40: Install Aruba ClearPass App for Splunk > Credentials

After clicking Login and Install, the app is downloaded and installed, and Splunk prompts for a restart.

Figure 41: Install Aruba ClearPass App for Splunk > Installation Progress

Configure Error Code to Error String Lookups

As a part of the ClearPass for Splunk application, we have included an error code lookup table. This allows Splunk to
translate basic error codes (numerical values) to meaningful text. For example, an error code of “6204” displayed on
its own would not be very informative to most administrators, but when translated to the string “No enforcement
profiles matched to perform command authorization” it becomes more meaningful.

To configure the lookups, navigate to Settings → Knowledge → Lookups from the main dashboard.

Figure 42: Accessing Splunk Lookups Configuration

On the Lookups page, select Automatic lookups:

Figure 43: Splunk Lookups > Automatic Lookups

Select Splunk for ClearPass (ClearPassOnSplunk) from the App selection dropdown and then click New Automatic
Lookup.

Figure 44: Splunk Lookups > Automatic Lookups > New Automatic Lookup

Fill out the Add new Lookup as follows and click Save:
• Name (arbitrary): ClearPass Error Code Lookups
• Lookup table: error_code_lookup
• Apply to: sourcetype | named: Aruba:CPPM:Syslog
• Lookup input fields: error_code = error_code
• Lookup output fields: error_code_str = error_code_str

Figure 45: Splunk Lookups > Automatic Lookups > New Automatic Lookup Configuration

When complete, ensure the lookup is now enabled:

Figure 46: Splunk Lookups > Automatic Lookups > Verify Status

Confirm the error_codes are translated per the lookup. The following is now shown on the Last 10 Auth Failure
dashboard table:

Figure 47: Splunk Lookups > Verify Code Translations

ClearPass Splunk App – Dashboard Elements
This section describes the ClearPass Splunk App menu items and dashboard elements.

Overview
Figure 48: Overview Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

The Overview dashboard consists of the following dashboard elements:

Overview - First Row

Failed Attempts: Number of failed authentications
Endpoints Authenticated: Number of unique endpoints authenticated
NAS Devices: Number of Network Access Servers configured to use ClearPass servers (integrated with Splunk and sending syslogs) as AAA servers
ClearPass Servers: Number of ClearPass servers integrated with Splunk to send Syslogs

Overview - Second Row

Incoming Requests: Line chart of all authentication requests broken out by outcome (i.e. blue = Accepts, red = Rejects, green = timeouts), received by the ClearPass server(s) currently selected
Auth rate per Min: Gauge showing authentication rate averaged over the prior minute per server for all authentication requests received by the ClearPass server(s) currently selected

Overview - Third Row

Last 10 Auth Requests: Service details on ten most recent authentication requests
Last 10 Auth Failures: Error details on ten most recent authentication failures
Last 10 Auth Alerts: Alert details on ten most recent authentication alerts

Authentications

Authentication Overview

Figure 49: Accessing the Authentication Overview Dashboard:

Figure 50: Authentications > Authentication Overview Dashboard:

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

The Authentication Overview dashboard consists of the following dashboard elements:

Authentication Overview - First Row

Total Auths: Number of total authentications, successful and unsuccessful
Total Successful Auths: Number of total successful authentications
Total Users: Number of unique users (duplicates removed across all ClearPass servers selected)
Total Endpoints: Number of unique endpoints (duplicates removed across all ClearPass servers selected)
Total Services: Number of unique services matched for successful auths
NAS Used: Number of NAS devices configured to use ClearPass Servers (integrated with Splunk and sending Syslogs) as AAA servers

Authentication Overview - Second Row

Incoming Auth Requests: Line chart of incoming authentication requests over time
Auth Failures: Chart of incoming authentication failures over time
Service Categorization: Pie chart breakdown of matched services for successful authentications

Authentication Overview - Third Row

Top 10 User Auths: Table displaying top ten most frequent user auths
Top 10 Services Used: Table displaying top ten most frequent services hit for authentication
Top 10 Alerts Raised: Table displaying top ten most frequent alerts raised
Top 10 Incoming Client MAC: Table displaying top ten most frequent unique client MAC addresses authenticated
Top 10 IP Used: Details of top ten most frequent IP addresses seen for authentications

Authentication Trends

Figure 51: Accessing the Authentication Trends Dashboard:

Figure 52: Authentications > Authentication Trends Dashboard

All the information displayed on this dashboard is based on the time period selected (Week to Date shown) as well as the
ClearPass server(s) and NAS device(s) selected. Additionally, you can filter the data by Authentication Status and Syslog field
(e.g. req_source, user_name, error_code, mac_address, service_name, session_id).

The Authentication Trends dashboard consists of the following dashboard elements:

Authentication Trends - First Row

Logins Today: Number of successful authentications for the current day
Logins Yesterday: Number of successful authentications for the previous day
Logins 7-Days Ago: Number of successful authentications seven days prior
Logins Last Week Avg: Average number of successful authentications over the prior seven days
Logins Last Month Avg: Average number of successful authentications over the prior thirty days

Authentication Trends - Second Row

Login Compare - Today vs. Yesterday: Comparison of total logins per hour for current day versus previous day
Login Compare - Today vs. 7 Days Ago: Comparison of total logins per hour for current day versus seven days prior

Authentication Trends - Third Row

Login Trend: Last Week: Comparison of total logins per hour for current day versus logins per hour averaged over last week

Authentication Trends - Fourth Row

Login Trend: Last Week: Comparison of total logins per hour for current day versus logins per hour averaged over last week

Failure by Error Types

Figure 53: Accessing the Failure by Error Types Dashboard:

Figure 54: Authentication > Failure by Error Types Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

The Failure by Error Types dashboard consists of the following dashboard elements:

Failure by Error Types - First Row

Request Timed Out: Number of authentication failures due to timeout
Denied by Policy: Number of authentication failures denied due to non-compliance with policy
User Authentication Failed: Number of authentication failures due to incorrect password
Internal RADIUS Error: Number of authentication failures due to an internal error in the ClearPass RADIUS server
User Not Found: Number of authentication failures due to username not found in any of the configured authentication sources
Wrong Shared Secret: Number of authentication failures due to incorrect shared secret

Failure by Error Types - Second Row

Timeout by Controller: Breakdown of authentication timeouts by controller (pie)
Denied by Policy by Server: Breakdown of authentication failures denied by policy by ClearPass server (pie)
User Authentication Failed by Server: Breakdown of authentication failures due to incorrect password (pie)
Internal RADIUS Error by Server: Breakdown of authentication failures due to internal error in ClearPass RADIUS server (pie)
User Not Found by Server: Breakdown of authentication failures due to user not found by ClearPass server (pie)
Wrong Shared Secret by Controller: Breakdown of authentication failures due to incorrect shared secret by controller (pie)

Failure by Error Types - Third Row

Timeout by Controller: Bar chart version of corresponding data (see above)
Denied by Policy by Server: Bar chart version of corresponding data (see above)
User Authentication Failed by Server: Bar chart version of corresponding data (see above)
Internal RADIUS Error by Server: Bar chart version of corresponding data (see above)
User Not Found by Server: Bar chart version of corresponding data (see above)
Wrong Shared Secret by Controller: Bar chart version of corresponding data (see above)

Failure by Error Types - Fourth Row

Timeout by User: Breakdown of authentication timeouts by user (bar)
Denied by Policy by User: Breakdown of authentication failures denied by policy by ClearPass user (bar)
User Authentication Failed by User: Breakdown of authentication failures due to incorrect password (bar)
Internal RADIUS Error by User: Breakdown of authentication failures due to internal error in ClearPass RADIUS server by user (bar)
User Not Found by User: Breakdown of authentication failures due to user not found by user (bar)
Wrong Shared Secret by Controller: Breakdown of authentication failures due to incorrect shared secret by user (bar)

Failure by Error Types - Fifth Row

Failed Requests by Error Type: Top ten most frequent failed requests by error type (bar)
Failed Requests by Error Type: Top ten most frequent failed requests by error type (pie)

Failure by Error Types - Sixth Row

Successful vs Failed Requests: Number of successful and failed requests per hour (line)
Successful vs Failed Requests: Proportion of accepted, rejected, and timed out requests (pie)

Failure Distribution

Figure 55: Accessing the Failure Distribution Dashboard:

Figure 56: Authentication > Failure Distribution Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server) and Failure Type.

Failure Distribution - First Row

Total Failed Attempts: Number of total failed authentication attempts
Users Failed: Number of total unique users who had failed authentications
Endpoints Failed: Number of total unique endpoints with failed authentications

Failure Distribution - Second Row

Authentication Failure by Network Device: Breakdown of failed authentications by controller / NAS device
Top 10 Failed Attempts by Users: Breakdown of failed authentications by user
Top 10 Failed Attempts by Endpoints: Breakdown of failed authentications by endpoint

Failure Distribution - Third Row

Authentication Failure by NAS Device: Table displaying failed authentications by NAS device
Top 10 Failed Attempts by Users: Table displaying Top 10 failed authentications by user
Top 10 Failed Attempts by Endpoints: Table displaying Top 10 failed authentications by endpoint

Policy Enforcement

Figure 57: Accessing the Policy Enforcement Dashboard:

Figure 58: Authentication > Policy Enforcement Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

Policy Enforcement - First Row

Total Policy Enforcements: Number of total policy enforcements applied
Total Enforcement Profiles: Number of total enforcement profiles applied
Total Roles: Number of total roles assigned
Unhealthy Sessions: Number of total sessions in which posture is UNKNOWN or QUARANTINE

Policy Enforcement - Second Row

Top 10 Roles Assigned: Top ten most frequent roles assigned (TIPS Role)
Top 10 Enforcement Profiles: Top ten most frequent enforcement profiles applied
Health Status: Breakdown of posture / health by type: HEALTHY, UNKNOWN and QUARANTINE

Policy Enforcement - Third Row

Policy Enforcements: Line chart of the number of enforcements (the time increment varies with the period being reported on; a 10 min increment in the daily chart is shown)

Endpoints
The dashboards in this section are the result of data received from ClearPass through the HEC extension. The
endpoints shown are a result of the endpointFilter defined in the extension configuration.

Endpoint Categories

Figure 59: Accessing the Endpoint Categories Dashboard:

Figure 60: Endpoints > Endpoint Categories Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server), Category, Family, and User Agent.

The Endpoint Categories dashboard can be customized to display the desired endpoint information by filtering by
ClearPass Server, Category, Family, or User Agent as shown below.

Figure 61: Endpoints > Endpoint Categories Dashboard (filter options)

Endpoint Categories – First Row

All Device Categories: Breakdown of device categories (e.g. SmartDevice, VoIP Phone, Computer, Access Points) [based on ClearPass dictionary]
Device Family by selected Category: For selected category, breakdown of device family (e.g. Aastra, Android, Apple, Windows, etc.) [based on ClearPass dictionary]
Device Vendor by MACs in selected Category: For selected category, breakdown of vendor [based on MAC OUI only]

Endpoint Categories – Second Row

Endpoints Matching the selected Category/Family/UserAgent Filters: Table displaying endpoint details including hostname, device name, device family, device category, IP address and MAC vendor

Endpoint Profiles

Figure 62: Accessing the Endpoint Profiles Dashboard:

Figure 63: Endpoints > Endpoint Profiles Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server), Hostname, and Search String lookup.

Endpoint Profiles – First Row

Endpoint Profiles: Table displaying endpoint details including hostname, device name, device family, device category, IP address type and DHCP fingerprint

Endpoint Profiles – Second Row

Endpoint Locations: Breakdown of geographic location of endpoints based on IP address

Endpoint Information

The Endpoint Information dashboard contains relevant information that has been shared to Splunk through the
Splunk HEC Connector Extension. This data can be filtered using the endpointFilter option within the extension
configuration.

Figure 64: Accessing the Endpoint Information Dashboard:

Figure 65: Endpoints > Endpoint Information Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard.

Endpoint Information – First Row

Endpoints: Total number of Endpoint records
Endpoint Records by Status: Total number of Endpoint records by Status (Known/Unknown)
Endpoint Device Sources: Total number of Endpoint records by Source

Endpoint Information – Second Row

Endpoint Records by Day: Total number of Endpoint records seen per day
Endpoint Record Sources by Day: Total number of Endpoint record sources seen per day

Sessions

Bandwidth Usage

Figure 66: Accessing the Bandwidth Usage Dashboard:

Figure 67: Sessions > Bandwidth Usage Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

RADIUS Accounting is required from the NAS in order to capture bandwidth details.

Bandwidth Usage – First Row

KBPS: Rate of data throughput (input octets and output octets) in kilobytes per second for the selected time period
Input in MB: Volume of input octets received from the endpoint during all completed RADIUS sessions in MBs
Output in MB: Volume of output octets received from the endpoint during all completed RADIUS sessions in MBs

Bandwidth Usage – Second Row

Top Bandwidth Users MB: Top ten endpoints with highest total volume of data throughput in MBs

Bandwidth Usage – Third Row

Bandwidth Usage by Users MB: Chart of data volume throughput over time for top ten endpoints

Session Details

Figure 68: Accessing the Session Details Dashboard:

Figure 69: Sessions > Session Details Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server) and Username.

Session Details – First Row

Sessions: Total number of RADIUS sessions started
Accounting Started: Total number of RADIUS sessions with RADIUS Accounting enabled started
Accounting Stopped: Total number of RADIUS sessions with RADIUS Accounting enabled stopped
Input Volume MB: Volume of input octets received from the endpoint during all completed RADIUS sessions in MBs
Output Volume MB: Volume of output octets sent to the endpoint during all completed RADIUS sessions in MBs

Session Details – Second Row

Session Locations: Table displaying session location details (if known): City, Region, Country with session ID, session time, username, host ID and errors (if any)

Session Details – Third Row

Session Policy Details: Table displaying session policy details: service name, authentication method, authentication source with session ID, session time, username, host ID and errors (if any)

Session Details – Fourth Row

Session Start/Stop: Table displaying session details: start time, stop time, NAS port type with session ID, session time, username and host IP address

Session Details – Fifth Row

Session Usage: Table displaying session usage details: input octets, output octets, with session ID, session time, username and host IP address

Comparison

Compare NAS Devices

Figure 70: Accessing the Compare NAS Devices Dashboard:

Figure 71: Comparison > Compare NAS Devices Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as a specific NAS.

Compare NAS Devices – First Row

Logins by NAS Device: Breakdown of successful authentications by NAS device
Failures by NAS Device: Breakdown of failed authentications by NAS device
Protocol by NAS Device: Bar chart of authentication protocols used per NAS device
Services by NAS Device: Table displaying NAS device, service hit and count

Compare NAS Devices – Second Row

Auth Source by NAS Device: Table displaying NAS device, authentication source and count
Auth Method by NAS Device: Table displaying NAS device, authentication method (PAP, MSCHAP, MAC_AUTH, EAP-TLS, EAP/PEAP, etc.) and count
NAS Port Type by NAS Device: Breakdown of type of port (Ethernet, FastEthernet, GigabitEthernet, Wireless, etc.) by NAS device
Service Type by NAS Device: Breakdown of RADIUS service type (e.g. Login, Framed, Outbound, Administrative, NAS Prompt, Call Check, etc.) by NAS device

Compare NAS Devices – Third Row

ClearPass Servers by NAS Devices: Breakdown of ClearPass servers by NAS device
Unique MACs by NAS Device: Breakdown of unique endpoint MAC addresses by NAS device
Unique Users by NAS Device: Breakdown of unique users by NAS device

Compare Servers

Figure 72: Compare Servers Dashboard:

Figure 73: Comparison > Compare Servers Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

Compare Servers – First Row

Logins by Server: Breakdown of successful authentications by ClearPass server
Failures by Server: Breakdown of failed authentications by ClearPass server
Protocol by Server: Bar chart of authentication protocols used per ClearPass server
Services by Server: Table displaying ClearPass server, service hit and count

Compare Servers – Second Row

Health Status by Server: Table displaying ClearPass server, health posture (HEALTHY/QUARANTINE/UNKNOWN) and count
NAS Devices by Server: Breakdown of NAS devices per ClearPass server
Unique MACs by Server: Breakdown of unique endpoints per ClearPass server
Unique Users by Server: Breakdown of unique users per ClearPass server

System

Audit Records

Figure 74: Accessing the Audit Records Dashboard:

Figure 75: System > Audit Records Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

Audit Records – First Row

Audit Records: Details of changes made to attributes of ClearPass-managed entities such as endpoints, guest users, applications, profile definitions, etc.: timestamp, source ID (i.e. ID of entity on which changes are being made), type of change, entity category, user who made the change

ClearPass Licensing

Figure 76: Accessing the ClearPass Licensing Dashboard:

Figure 77: System > ClearPass Licensing Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

ClearPass Licensing – First Row

Summary: Total number of Used Licenses and Available Licenses

ClearPass Licensing – Second Row

License Count by Server: Count of Access, OnBoard, and Compliance Suite (OnGuard) licenses by server

ClearPass Licensing – Third Row

License Usage Over Time: Line graph of license usage of each type (Access, OnGuard, and OnBoard) over time

ClearPass Licensing – Fourth Row

License Overage Over Time

System Events

Figure 78: Accessing the System Events Dashboard:

Figure 79: System > System Events Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard as well as the ClearPass server
selection (i.e. “All” or a specific ClearPass server).

System Events – First Row

Failed Events: Details of failed events: category, description, count
Latest Events: Details of most recent events: level, category, description, count

System Events – Second Row

ClearPass Logins: Details of logins to ClearPass servers: timestamp, host, description, action key
AV Updates: Details of hotfix updates to ClearPass servers: host, description, action key

System Events – Third Row

User Agent Updates: Details of user agent updates to ClearPass servers: host, description, action key
Hotfixes Updates: Details of hotfix updates to ClearPass servers: host, description, action key

System Monitor

Figure 80: Accessing the System Monitor Dashboard:

Figure 81: System > System Monitor Dashboard

All data points shown pertain to the selected time period in the upper left area of the dashboard.

System Monitor – First Row

Server Status: Table displaying details of server uptime: hostname, uptime, data interface status, management interface status
CPU Usage by Servers: Table displaying details of server CPU usage: hostname, CPU usage graph, percentage CPU used
CPU Available on Servers: Table displaying details of server CPU idle time: hostname, CPU idle time graph, percentage CPU idle

System Monitor – Second Row

Memory Usage by Processes: Table displaying details of server memory usage by processes for each ClearPass host: memory usage graph displays MBs of memory used
Memory Available on Servers: Table displaying details of memory available for each ClearPass host: memory usage graph displays MBs of memory available
Swap Size Usage by Servers: Table displaying details of swap space used by each ClearPass host: swap usage graph displays KBs of swap space used
Swap Size Available on Servers: Table displaying details of swap space available for each ClearPass host: swap usage graph displays KBs available

Search
Generic Query Dropdown

Figure 82: Accessing the Generic Query Dropdown Dashboard:

Figure 83: Search > Generic Query Dropdown Dashboard:

Note: All the information displayed on this dashboard is based on the time period selected as well as the ClearPass server(s)
selected. Additionally, you can filter the display using the following search dropdown lists: Username, Hostname, MAC Address,
IP Address, NAS Port Type and any other search string. Before any data can be displayed, you must first select your ClearPass
server(s) and click the Submit button.

The Generic Query dropdown dashboard consists of the following dashboard elements:

Generic Query Dropdown – First Row

Dashboard: Table displaying the following details: authentication session ID, time stamp, user name, service name, NAS IP address, NAS port, MAC Address, login status, request source, connection status, error code.

Generic Query Dropdown – Second Row

RADIUS Session: Table displaying the following details: authentication session ID, time stamp, user name, end host ID, service name, NAS IP address, authentication method, NAS port, MAC Address, login status, request source, count of alerts present, connection status, error code.

Generic Query Dropdown – Third Row

RADIUS Accounting: Table displaying the following: RADIUS authentication session ID, sequence number, RADIUS accounting session ID, time stamp, user name, hostname, endpoint, IP address, NAS IP address, NAS port type, called station MAC address, calling station MAC address, accounting status type, accounting session time, accounting delay time, accounting input octets, accounting input packets, accounting output octets, accounting output packets

Generic Query Dropdown – Fourth Row

RADIUS Accounting Detail: Table displaying the following: RADIUS authentication session ID, RADIUS accounting session ID, type of authentication session, database row ID, RADIUS attribute name, RADIUS attribute value

Generic Query Dropdown – Fifth Row

Endpoint Profiles: Table displaying the following: time stamp, endpoint hostname, endpoint MAC Address, endpoint IP address, MAC vendor (based on OUI), Boolean value to indicate whether the IP address is static, time when endpoint was added, time when endpoint was updated, DHCP fingerprint, endpoint name, endpoint family, endpoint category

Generic Query Dropdown – Sixth Row

Generic Query Output: Table displaying the following: raw Syslog message, time stamp, ClearPass server IP address, Syslog sender IP address, index, Number of lines in Syslog message, Syslog source port, Splunk sourcetype, Splunk server hostname / IP address to which Syslog was sent

Generic Query Textbox

The Generic Query Textbox dashboard displays the same information as the Generic Query Dropdown dashboard,
but allows more flexible filtering. Instead of choosing a selection from a dropdown, search criteria can be
typed into the textbox and submitted for visualization.

Figure 84: Accessing the Generic Query Textbox Dashboard:

Figure 85: Search > Generic Query Textbox Dashboard

This next dashboard displays data that is identical to the previous dashboard (Generic Query Dropdown), except
the selection fields are textbox query fields.

Generic Query Textbox – First Row

Dashboard: Table displaying the following details: authentication session ID, time stamp, user name, service name, NAS IP address, NAS port, MAC Address, login status, request source, connection status, error code.

Generic Query Textbox – Second Row

RADIUS Session: Table displaying the following details: authentication session ID, time stamp, user name, end host ID, service name, NAS IP address, authentication method, NAS port, MAC Address, login status, request source, count of alerts present, connection status, error code.

Generic Query Textbox – Third Row

RADIUS Accounting: Table displaying the following: RADIUS authentication session ID, sequence number, RADIUS accounting session ID, time stamp, user name, hostname, endpoint, IP address, NAS IP address, NAS port type, called station MAC address, calling station MAC address, accounting status type, accounting session time, accounting delay time, accounting input octets, accounting input packets, accounting output octets, accounting output packets

Generic Query Textbox – Fourth Row

RADIUS Accounting Detail: Table displaying the following: RADIUS authentication session ID, RADIUS accounting session ID, type of authentication session, database row ID, RADIUS attribute name, RADIUS attribute value



Generic Query Textbox – Fifth Row

Endpoint Profiles: Table displaying the following: time stamp, endpoint hostname, endpoint MAC address, endpoint IP address, MAC vendor (based on OUI), Boolean value indicating whether the IP address is static, time when the endpoint was added, time when the endpoint was updated, DHCP fingerprint, endpoint name, endpoint family, endpoint category.

Generic Query Textbox – Sixth Row

Generic Query Output: Table displaying the following: raw Syslog message, time stamp, ClearPass server IP address, Syslog sender IP address, index, number of lines in the Syslog message, Syslog source port, Splunk sourcetype, Splunk server hostname / IP address to which the Syslog was sent.

Search

Figure 86: Accessing the Search Dashboard:

Figure 87: Search > Search Dashboard



Search – First Row

How to Search: Documentation and tutorial provided for the search features.

What to Search: Details of searchable events, including the total number indexed, the earliest event, and the latest event.

Search – Second Row

Search History: A listing of previously completed searches.



Appendix A – Additional diagnostics / support
Checking on the Extension Service
The ClearPass Extensions are supported by a system service which must be running.

Note: Restarting this service will affect all deployed and running extensions.

To check on the state of the Extension Service, or to restart the service, go to Administration → Server Manager
→ Server Configuration → [SERVER] → Services Control. By default, this service is automatically started.

Figure 88: Services Control



Extension Logs/Debugging
If there is a need to access and view the logs from the Extension, adjust the logLevel value to suit your
requirements (INFO, WARN, ERROR, DEBUG). Once adjusted, restart the extension as shown below.

Note: Be sure to reset the logLevel to INFO when troubleshooting is complete; DEBUG should be enabled only for the
duration of the investigation.

Figure 89: Splunk HEC Connector > Changing the DEBUG level

Logs can then be viewed by clicking Show Logs.

Figure 90: Splunk HEC Connector > Viewing DEBUG Logs



Monitoring extension statistics
An extension's critical statistics can be monitored by adding a configurable parameter to the extension's
configuration. To enable extension statistics, set the "enableStats" parameter to true and restart the extension.

Figure 91: Splunk HEC Connector > Enable Extension Statistics

To navigate to the statistics page, click Show Details.

Note: The extension must be started (running) for the statistics to be viewable.

Figure 92: Splunk HEC Connector > Show Extension Details



Open the extension statistics URL:

Figure 93: Splunk HEC Connector > Show Extension Statistics URL

This will show statistics similar to the following:

Figure 94: Splunk HEC Connector > View Stats



Appendix B: Splunk HEC Connector Extension Troubleshooting
Splunk-specific HTTP Event Collector information:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/UsetheHTTPEventCollector

Invalid Authorization, code: 3


If the HEC Connector is failing and the error below is displayed in its logs, the token the connector presents to
Splunk is not being accepted: the HTTP Event Collector returns "Invalid authorization" (code 3) when the value in
the Authorization header does not match a valid HEC token. To resolve this, copy the Token Value of the ClearPass
HTTP Event Collector token from Splunk, enter it manually into the HEC Connector configuration and restart the
extension. Treat the token as a credential: anyone who holds it can write events into the index the token is bound to,
so copy it from Splunk directly rather than through e-mail or chat.

Figure 95: Splunk HEC Connector > Show Logs

Copy the Token Value from the Event Collector:

Figure 96: Splunk HTTP Event Collector > Copy Token



Paste it into the hecToken field on the HEC Connector configuration and restart the extension:

Figure 97: Splunk HEC Connector > Define hecToken
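To confirm whether the token itself is accepted by Splunk, independently of the extension, the following Python script (an added example; it is not part of this guide and not code from the HEC Connector extension) sends one test event to the HTTP Event Collector the same way the connector has to: a POST to /services/collector/event carrying an "Authorization: Splunk <token>" header and a JSON body, and then interprets the JSON response Splunk returns. The HEC URL (8088 is Splunk's default HEC port), the token and the optional CA file are placeholders you supply on the command line; the script verifies the HEC TLS certificate against that CA file (or the system store) rather than disabling verification.

```python
import json
import ssl
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"

# "code" values the Splunk HTTP Event Collector returns in its JSON response body.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
}


def build_hec_request(base_url, token, event, sourcetype="clearpass_hec_probe"):
    """Build the same POST the HEC Connector must send: JSON body, 'Splunk <token>' auth header."""
    body = json.dumps({"event": event, "sourcetype": sourcetype}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=body,
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )


def classify_hec_response(status, body):
    """Map HTTP status + HEC JSON body to (verdict, code, text) so the fix is obvious."""
    try:
        payload = json.loads(body)
    except ValueError:
        return "unparseable", None, body[:120]     # not HEC at all (proxy page, wrong port, ...)
    code = payload.get("code")
    text = payload.get("text") or HEC_CODES.get(code, "")
    if status == 200 and code == 0:
        return "ok", code, text
    if code in (1, 2, 3, 4):
        return "token_problem", code, text          # re-paste hecToken, or enable the token in Splunk
    if code == 7:
        return "index_problem", code, text          # token is not allowed to write to that index
    return "other_error", code, text


def probe_hec(base_url, token, cafile=None, timeout=10):
    """Send one test event; needs network access to the Splunk HEC listener."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the HEC certificate; do not disable this
    req = build_hec_request(base_url, token, {"probe": "clearpass-hec-check"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return classify_hec_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/403 responses still carry the HEC JSON body with the code we want.
        return classify_hec_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: hec_probe.py https://<splunk-host>:8088 <hec-token> [ca.pem]")
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_hec(sys.argv[1], sys.argv[2], cafile))
```

A result of code 3 from this probe means the string the connector is configured with is not what Splunk has for that collector, so re-pasting the Token Value as in Figures 96 and 97 is the right fix. A code 1 (token disabled) or code 7 (incorrect index) means the token string is fine but the token's state or index binding in Splunk needs attention, which re-pasting will not change.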

Socket Hang Up
The following error has been seen. The root cause was unknown on the Splunk or ClearPass side at the time of this
publishing; however, deletion and reinstallation of the extension was able to resolve the message.

Figure 98: Splunk HEC Connector > Show Logs



Extension Statistics Not Displaying
If, when attempting to view the Extension Statistics, you are redirected to the ClearPass welcome page shown
below, reinstall the extension. Reinstalling preserves the extension's configuration and data.

Figure 99: Splunk HEC Connector > Extension Statistics URL

Figure 100: Splunk HEC Connector > Extension Statistics Not Loading

Figure 101: Splunk HEC Connector > Reinstall Extension



Appendix C – Syslog Raw Data
Failed Authentication Raw Data
<143>2014-03-28 16:46:27,384 10.17.6.54 TEST filter 0 1 0 Common.Alerts=WebAuthService: User 'bbb' not present in [Local User Repository](localhost)\nUser 'bbb' not present in ClearPass Lab AD(adisam.arubapoc.local),Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Enforcement-Profiles=[Deny Application Access Profile],Common.Error-Code=201,Common.Host-MAC-Address=,Common.Login-Status=REJECT,Common.Monitor-Mode=Enabled,Common.Request-Id=W0000002e-01-533557ec,Common.Request-Timestamp=2014-03-28 16:37:24.417+05:30,Common.Roles=,Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.System-Posture-Token=UNKNOWN,Common.Username=bbb,WEBAUTH.Auth-Source=,WEBAUTH.Host-IP-Address=127.0.0.1,

Successful Authentication Raw Data


<143>2014-03-28 20:00:27,731 10.17.6.54 All Session Log Fields 4 1 0 Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Enforcement-Profiles=EAI ClearPass Identity Provider (SAML IdP Service) Profile,Common.Error-Code=0,Common.Host-MAC-Address=,Common.Login-Status=ACCEPT,Common.Monitor-Mode=Disabled,Common.Request-Id=W00000032-01-5335874b,Common.Request-Timestamp=2014-03-28 19:59:31.533+05:30,Common.Roles=[Employee], [User Authenticated],Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,Common.System-Posture-Token=UNKNOWN,Common.Username=prem1,WEBAUTH.Auth-Source=[Local User Repository],WEBAUTH.Host-IP-Address=127.0.0.1,

Event Log Raw Data


<139>2014-03-28 20:01:04,482 10.17.6.54 All Events 710 1 0 Timestamp=Mar 28, 2014 19:59:39 IST,Source=Endpoint Context Server,Level=ERROR,Category=MaaS360: Communication Error,Action=Failed,Description=Failed to fetch Endpoint details from MaaS360 - verify Proxy settings, Server credentials and retry.

Audit Log Raw Data


<143>2014-03-28 16:47:14,250 10.17.6.54 All Audits 30 1 0 Timestamp=Mar 28, 2014 16:46:59 IST,Source=All Audits,Category=Syslog Export Data,Action=MODIFY,User=admin



Appendix D – Caveats
The following caveats exist when using ClearPass and Splunk as described in this document:

• If the value of any field in the Syslog message payload sent by ClearPass contains a comma (,), Splunk's
default key=value extraction treats that comma as the end of the value, so only the text before the comma
becomes the value of the field.

For example, if the name/value pair sent by ClearPass is:

ClearPass: Common.Roles="[Employee], [User Authenticated]"

then Splunk honors only the first value:

Splunk: Common.Roles="[Employee]"

The full text is still present in the raw event, but the second role is not searchable as a Common.Roles value.

• If the value of any field in the Syslog message payload sent by ClearPass contains an '=' sign, the field value
is cut at that embedded '=': only the text before it is kept as the value of the field, and the remainder of the
original value is not attributed to that field.

For example, if the payload in the ClearPass Syslog message is (here prefixed with the receiving Syslog daemon's
own timestamp and host):

Jun 3 13:08:36 10.17.6.54 2014-06-03 13:07:14,536 10.17.6.54 CPPM_System_Events 973 1 0 event_source=SnmpService,level=ERROR,category=Trap,description=Switch IP=10.17.8.67. Ignore v2c trap. Bad security name in trap,action_key=Failed,timestamp=2014-06-03 13:05:30.023+05:30

Note that the description field contains a string with an embedded '=' sign ("Switch IP=10.17.8.67 ..."). Splunk
captures only the part of the value before that '=' sign, as shown below:

Figure 102: Splunk Caveats > Truncated Message
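Appendix C shows what ClearPass actually emits and the two caveats above show how a plain split on commas and '=' mangles it. The Python parser below is an added example (it is not from this guide, the Splunk app or the extension) that handles both cases: it parses the syslog header (PRI, export timestamp, server address, export filter name) and then splits the payload only where a comma is immediately followed by a key name and '=', so commas and '=' characters inside values stay with their field. The sample lines are the raw data reproduced from Appendices C and D with the PDF line breaks removed; the "\n" inside Common.Alerts is the literal two characters as printed. The boundary rule is an assumption about the export format, stated in the code; a value that itself contained ",SomeKey=" would still be split. naive_split is included only to reproduce the truncation the caveats describe, for comparison.

```python
import re

# Raw lines reproduced from Appendices C and D of this guide (PDF line breaks and
# hyphenation removed). The "\n" in Common.Alerts is the literal two characters
# that appear in the export, not a newline.
FAILED_AUTH = (
    "<143>2014-03-28 16:46:27,384 10.17.6.54 TEST filter 0 1 0 "
    "Common.Alerts=WebAuthService: User 'bbb' not present in [Local User Repository](localhost)"
    "\\nUser 'bbb' not present in ClearPass Lab AD(adisam.arubapoc.local),Common.Alerts-Present=0,"
    "Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,Common.Enforcement-Profiles=[Deny "
    "Application Access Profile],Common.Error-Code=201,Common.Host-MAC-Address=,"
    "Common.Login-Status=REJECT,Common.Monitor-Mode=Enabled,Common.Request-Id=W0000002e-01-533557ec,"
    "Common.Request-Timestamp=2014-03-28 16:37:24.417+05:30,Common.Roles=,Common.Service=EAI "
    "ClearPass Identity Provider (SAML IdP Service),Common.Source=Application,"
    "Common.System-Posture-Token=UNKNOWN,Common.Username=bbb,WEBAUTH.Auth-Source=,"
    "WEBAUTH.Host-IP-Address=127.0.0.1,"
)
SUCCESS_AUTH = (
    "<143>2014-03-28 20:00:27,731 10.17.6.54 All Session Log Fields 4 1 0 "
    "Common.Alerts-Present=0,Common.Audit-Posture-Token=UNKNOWN,Common.Auth-Type=,"
    "Common.Enforcement-Profiles=EAI ClearPass Identity Provider (SAML IdP Service) Profile,"
    "Common.Error-Code=0,Common.Host-MAC-Address=,Common.Login-Status=ACCEPT,"
    "Common.Monitor-Mode=Disabled,Common.Request-Id=W00000032-01-5335874b,"
    "Common.Request-Timestamp=2014-03-28 19:59:31.533+05:30,Common.Roles=[Employee], "
    "[User Authenticated],Common.Service=EAI ClearPass Identity Provider (SAML IdP Service),"
    "Common.Source=Application,Common.System-Posture-Token=UNKNOWN,Common.Username=prem1,"
    "WEBAUTH.Auth-Source=[Local User Repository],WEBAUTH.Host-IP-Address=127.0.0.1,"
)
EVENT_LOG = (
    "<139>2014-03-28 20:01:04,482 10.17.6.54 All Events 710 1 0 Timestamp=Mar 28, 2014 19:59:39 IST,"
    "Source=Endpoint Context Server,Level=ERROR,Category=MaaS360: Communication Error,Action=Failed,"
    "Description=Failed to fetch Endpoint details from MaaS360 - verify Proxy settings, Server "
    "credentials and retry."
)
# Appendix D sample: a relay prepended its own timestamp/host and the PRI is absent.
SNMP_TRAP = (
    "Jun 3 13:08:36 10.17.6.54 2014-06-03 13:07:14,536 10.17.6.54 CPPM_System_Events 973 1 0 "
    "event_source=SnmpService,level=ERROR,category=Trap,description=Switch IP=10.17.8.67. Ignore v2c "
    "trap. Bad security name in trap,action_key=Failed,timestamp=2014-06-03 13:05:30.023+05:30"
)

HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"                                 # optional syslog PRI
    r"(?P<prefix>.*?)"                                      # anything a relay prepended
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "   # ClearPass export timestamp
    r"(?P<host>\S+) "                                       # ClearPass server address
    r"(?P<filter>.+?) "                                     # export filter name (may contain spaces)
    r"(?P<n1>\d+) (?P<n2>\d+) (?P<n3>\d+) "                 # three numeric fields the guide does not define
    r"(?P<payload>.*)$"
)
# Assumption about the export format: a field boundary is a comma immediately
# followed by a key name and '='. Commas or '=' anywhere else belong to the value.
KEY_BOUNDARY = re.compile(r"(?:^|,)([A-Za-z_][A-Za-z0-9_.\-]*)=")


def split_fields(payload):
    """Boundary-aware key=value split; keeps commas and '=' that sit inside values."""
    payload = payload.rstrip(",")        # ClearPass terminates the list with a trailing comma
    marks = list(KEY_BOUNDARY.finditer(payload))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(payload)
        fields[m.group(1)] = payload[m.end():end]
    return fields


def naive_split(payload):
    """A plain split on ',' then '=': reproduces the truncation described in Appendix D."""
    fields = {}
    for piece in payload.rstrip(",").split(","):
        if "=" in piece:
            key, value = piece.split("=", 1)
            fields[key.strip()] = value
    return fields


def parse_event(raw):
    """Parse one ClearPass syslog export line into header fields plus its key=value payload."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not a ClearPass syslog export line: %r" % raw[:60])
    pri = int(m.group("pri")) if m.group("pri") else None
    return {
        "pri": pri,
        "facility": pri // 8 if pri is not None else None,   # <143> -> local1 (17)
        "severity": pri % 8 if pri is not None else None,    # <143> -> 7 (debug), <139> -> 3 (error)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "filter": m.group("filter"),
        "payload": m.group("payload"),
        "fields": split_fields(m.group("payload")),
    }


if __name__ == "__main__":
    keep = ("Common.Username", "Common.Login-Status", "Common.Roles", "Level", "description")
    for raw in (FAILED_AUTH, SUCCESS_AUTH, EVENT_LOG, SNMP_TRAP):
        ev = parse_event(raw)
        print(ev["filter"], "severity=%s" % ev["severity"],
              {k: ev["fields"][k] for k in keep if k in ev["fields"]})
```

Two points worth noticing when running it: the Event Log line arrives with PRI 139 (severity 3, error) while the session lines use 143 (severity 7), so the PRI is a usable signal on its own; and for the SAML success line split_fields returns both roles while naive_split returns only "[Employee]", which is exactly the first caveat. The same boundary regex can be applied on the Splunk side as a transforms.conf REPORT extraction (REGEX with FORMAT and MV_ADD) in place of the default key=value extraction; that configuration is not part of this guide and is not shown here.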



Appendix E – Validating ClearPass Events are Received by Splunk
To check that syslog data is being received by Splunk, verify that data events are being received as shown below.
Also specifically look at the Latest Event counter to see when the last event was received.

Figure 103: Splunk > Accessing Search

Figure 104: Splunk > Search > Search Dashboard

