Device Details
Device Name | Aruba Clear Pass |
---|---|
Vendor | Aruba |
Device Type | Policy Management Platform |
Supported Model Name/Number | N/A |
Supported Software Version(s) | N/A |
Collection Method | Syslog |
Configurable Log Output? | N/A |
Log Source Type | Syslog – Aruba Clear Pass |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | Adding a Syslog Target – Aruba; Adding a Syslog Export Filter – Aruba |
Prerequisites
- Access to Aruba Clear Pass platform.
- Port 514 TCP/UDP allowed from Aruba Clear Pass to LogRhythm System Monitor Agent.
- Port 514 TCP/UDP allowed on LogRhythm System Monitor Agent to receive syslog packets from Aruba Clear Pass.
- LogRhythm Global Admins or Restricted Admins with elevated View and Manage privileges.
Configure Aruba Clear Pass
Add a Syslog Target
To add a syslog target:
- Click Administration, and then External Servers.
- Click Syslog Targets.
  The Syslog Targets page opens.
- Click Add.
  The Add Syslog Target dialog opens. Specify the following Add Syslog Target parameters:

Parameter | Description |
---|---|
Host Address | Enter the syslog server hostname or IP address. |
Description | Enter a short description of the syslog server. |
Protocol | Select either TCP or UDP. |
Server Port | The default port number is 514. |

- Click Save.
  The new Syslog Target is added to the list.
Add a Syslog Export Filter
To add a syslog export filter:
- Click Administration, and then External Servers.
- Click Syslog Export Filters.
- Click Add.
  The Add Syslog Filters page opens to the General tab. Specify the following:

Parameter | Description |
---|---|
Name | Name of the syslog export filter. |
Description | Enter a short description for the syslog export filter. |
Export Event Format Type | Select Standard to use the default event format. |
Syslog Servers | Define the receivers of syslog messages using the Select to Add drop-list. |

- Click Save.
Configure LogRhythm
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take these actions.
Confirm the Syslog Server is Enabled
- In the Client Console on the main toolbar, click Deployment Manager.
- Click the System Monitors tab.
- Double-click the System Monitor Agent that collects the logs.
  The System Monitor Agent Properties dialog box appears.
- Click the Syslog and Flow Settings tab.
- Click the Enable Syslog Server check box.
- Click OK.
Restart the LogRhythm System Monitor Service
- On the System Monitor Agent host, right-click the Windows Start menu, and then click Run.
  The Run dialog box appears.
- In the Open field, enter services.msc, and then click OK.
  The Services console appears.
- Right-click LogRhythm System Monitor Service, and then click Restart.
Verify the System Monitor Agent is Connected
After restarting the LogRhythm System Monitor Service, you need to verify that the Agent is listening for the TCP/UDP connection on default port 514.
- On the System Monitor Agent host, right-click the Windows Start menu, and then click Command Prompt.
  The Command Prompt dialog box appears.
- Execute the following command:

    netstat -ano | findstr :514

Example of expected output:
Ensure that the firewall on the Agent machine is allowing the incoming connection over TCP/UDP on port 514.
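The same verification can be done in PowerShell, shown here as an added example that is not part of the original LogRhythm procedure. It matches port 514 exactly (the `findstr :514` filter also matches any port that merely begins with 514, such as 5140), names the process that owns each socket, and lists enabled inbound allow rules for the port. The `$Port` variable is an assumption of this example.

```powershell
# Added example (not LogRhythm's own tooling). Run in an elevated PowerShell
# session on the System Monitor Agent host.
$Port = 514   # default syslog port from this guide; change if yours differs

# TCP: sockets in the Listen state bound to exactly this local port.
$tcp = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess

# UDP is connectionless, so a bound endpoint is the equivalent of "listening".
$udp = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

# Merge both result sets and drop empty entries.
$listeners = @(@($tcp) + @($udp) | Where-Object { $null -ne $_ })

if ($listeners.Count -eq 0) {
    Write-Warning "Nothing is bound to port $Port. Confirm that Enable Syslog Server is checked and that the service was restarted."
} else {
    # Resolve each owning PID to a process name so an unexpected listener stands out.
    $listeners | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto     = $_.Proto
            Address   = $_.LocalAddress
            Port      = $_.LocalPort
            ProcessId = $_.OwningProcess
            Process   = $proc.ProcessName
        }
    } | Format-Table -AutoSize
}

# Enabled inbound allow rules that name this port explicitly. Rules scoped by
# program, by a port range, or to "Any" port are not matched by this filter.
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

if ($rules) {
    $rules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Warning "No enabled inbound allow rule names port $Port explicitly."
}
```

If a process other than the System Monitor Agent owns the port, the Agent cannot bind to it and no syslog from Aruba Clear Pass will be collected.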
Configure LogRhythm to Collect Logs
Resolve Log Source Hosts
- On the main toolbar, click Deployment Manager.
- Click the Log Sources tab.
- In the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
- Right-click the selection, click Actions, and then click Resolve Log Source Hosts.
  The Resolve Known Hosts Complete dialog box appears.
- Click OK.
Confirm Log Source Acceptance Properties
- On the main toolbar, click Deployment Manager.
- Click the Log Sources tab.
- In the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
- Right-click the selection, and then click Properties.
  The Log Source Acceptance Properties dialog box appears.
- Confirm the Device IP Address matches the IP address of the Aruba Clear Pass device.
- (Optional) Change the Log Source Name, if desired.
- To the right of the Log Source Type field, click the ... selector.
  The Log Source Type Selector dialog box appears.
- In the Text Filter field, enter Syslog – Aruba Clear Pass, and then click Apply.
- In the Log Source Type section, click System : Syslog - Aruba Clear Pass, and then click OK.
  The Log Source Acceptance Properties dialog box appears.
- Click the field under MPE Policy, and then click LogRhythm Default.
- Click OK.
Accept the New Log Source
- On the main toolbar, click Deployment Manager.
- Click the Log Sources tab.
- In the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
- Right-click the selection, click Actions, click Accept, and then click Defaults.
  The Accept Successful dialog box appears.
- Click OK.
  The Syslog – Aruba Clear Pass log source moves from the New Log Sources list to the existing list at the bottom of the screen.
Tail the Log Source
- On the main toolbar, click Deployment Manager.
- Click the Log Sources tab.
- In the grid below the New Log Sources grid, select the Action check box of the Syslog – Aruba Clear Pass log source.
- Right-click the selection, click Actions, and then click Tail Log Source(s).