
ClearPass Policy Manager - CEF Export Configuration Guide

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 8 min read

Summary:

Two session-log events in LEEF (Log Event Enhanced Format), as described in the post:

Event 1:

  • Timestamp=2014-12-02 15:35:14.944 IST | RADIUS Attributes: Calling-Station-Id=00:88:57:2d:12:a4, Framed-IP-Address=192.167.203.170, Auth-Method=PAP, Timestamp=2014-12-02 15:32:47+05:30, NAS IP Address=10.17.4.206, Service Name=Authenticate-Only, Session Time=565 seconds, NAS Port=0, Session ID=R000a5038-01-547d8e47, NAS Port Type=Wireless-802.11, Output Octets=412895267, Username=A_user706, Input Octets=665942581

Event 2:

  • Timestamp=2014-12-02 15:35:14.944 IST | RADIUS Attributes: Calling-Station-Id=00:88:57:2d:12:a4, Framed-IP-Address=192.167.203.170, Auth-Method=PAP, Timestamp=Dec 02 2014 15:32:47.000 IST, NAS IP Address=10.17.4.206, Service Name=Authenticate-Only, Session Time=3155 seconds, NAS Port=0, Session ID=R00001316-01-547c3b5a, NAS Port Type=Wireless-802.11, Output Octets=578470212, Username=A_user2, Input Octets=786315664

Explanation: each event is written in the LEEF format with a timestamp at the beginning, followed by the RADIUS attributes. The timestamp is standardized to include milliseconds and timezone details. The RADIUS attributes are grouped under a single key, "RADIUS Attributes:", which carries all the information given in the source text.

Key points:

  • **Timestamp**: both events share the same format, with millisecond precision and the timezone included.

  • **RADIUS Attributes**: the details include Calling-Station-Id, Framed-IP-Address, Auth-Method, Timestamp, NAS IP Address, Service Name, Session Time, NAS Port, Session ID, NAS Port Type, Output Octets, Username and Input Octets.

  • **Consistency**: the NAS IP Address is the same in both events, while other attributes vary between the two entries.
This standardized format allows for easy parsing and analysis of log data, facilitating efficient incident response and forensic investigations in network security operations.

Details:

The article "Adding a Syslog Filter" in Aruba Networks' technical documentation gives step-by-step instructions for configuring a syslog export filter in ClearPass Policy Manager (CPPM). The filter is created on the General tab of the Administration > External Servers > Syslog Export Filters > Add page, where the essential parameters Name, Description, Export Template and Export Event Format are set.

The process begins with entering a descriptive name in the Name field; an optional Description gives further context about the filter. For Insight Logs or Session Logs, an appropriate Export Template must be selected; this selection enables additional configuration options on the Filter and Columns tab. The Export Event Format parameter chooses between the standard syslog format, Log Enhanced Event Format (LEEF) and Common Event Format (CEF), and this choice determines how event data is encoded before it is sent to the servers listed under the Syslog Servers parameter. Syslog servers can be added from a dropdown list, or the details of existing ones viewed. The guide gives explanations and examples for each option, so that the filter can be tailored to the type of events to be monitored or reported on.

The same documentation also covers managing syslog servers and ClearPass servers for a filter. The key points:

1. **Syslog Server Management**: users can add or remove syslog servers from the list by selecting them and clicking 'Modify' or 'Remove', respectively. If the server is not listed, click 'Add new Syslog target'. Messages can be sent from a single ClearPass server in the cluster or from all of them.

2. **ClearPass Server Management**: users add ClearPass servers by selecting them from the 'Select to Add' dropdown list, and remove them by selecting them and clicking 'Remove'. When no servers are listed, syslog messages are sent from all servers in the cluster.

3. **Syslog Filter Templates**: the documentation provides examples of the Standard, LEEF and CEF event format types for syslog export filter templates. For instance, a Standard event format example for Audit Events:

  • "Mar 20 21:18:56 10.17.5.228 2015-01-19 21:19:50,118 10.17.5.228 Audit Logs 96 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=clusteradmin,Category=Endpoint,Action=ADD,EntityName=34a39527afc0,src=10.17.5.228,Timestamp=Jan 19, 2015 21:18:54 IST"

  • Another example shows a modification event in the Cluster-wide Parameter context: "Mar 20 21:20:56 10.17.5.228 2015-01-19 21:21:50,111 10.17.5.228 Audit Logs 97 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Cluster-wide Parameter,Action=MODIFY,EntityName=Endpoint Context Servers polling interval,src=10.17.5.228,Timestamp=Jan 19, 2015 21:20:22 IST"
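The Standard-format lines above are comma-separated key=value pairs, but two of the values ("HH:mm:ss,S" and "Jan 19, 2015 ...") contain commas themselves, so a parser that splits on every comma silently corrupts them. The parser below is an added example, not code from the post or from Aruba; the fixed-column layout ahead of the key=value tail is an assumption modelled on the Audit Logs line.

```python
import re

# Constructed line in the Standard event format, shaped like the Audit Logs example in the
# post (its values are the post's; the exact column layout is an assumption).
SAMPLE_AUDIT = ("Mar 20 21:18:56 10.17.5.228 2015-01-19 21:19:50,118 10.17.5.228 Audit Logs 96 1 0 "
                "TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=clusteradmin,Category=Endpoint,Action=ADD,"
                "EntityName=34a39527afc0,src=10.17.5.228,Timestamp=Jan 19, 2015 21:18:54 IST")

# Fixed columns: syslog receive time, sending host, event timestamp (comma before millis),
# host again, a category, three numeric columns the post does not name, then the key=value tail.
_FIXED = re.compile(r'^(?P<received>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<sender>\S+) '
                    r'(?P<event_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) (?P<host>\S+) '
                    r'(?P<category>.+?) (?P<nums>\d+ \d+ \d+) (?P<tail>\S.*)$')
# The tail is comma-separated, but values ("HH:mm:ss,S", "Jan 19, 2015 ...") contain commas
# too, so a pair ends only at a comma that is immediately followed by another key=.
_PAIR = re.compile(r'([A-Za-z][\w.\-]*)=(.*?)(?=,[A-Za-z][\w.\-]*=|$)')


def parse_standard(line):
    """Return the fixed columns plus a dict of the key=value tail, or None if the line
    does not match the expected layout (reject rather than guess on malformed input)."""
    m = _FIXED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(_PAIR.findall(rec.pop("tail")))
    return rec


def naive_fields(tail):
    """The split a careless parser would do, kept here to make the difference visible:
    it loses the ",S" of the timestamp format and truncates "Jan 19, 2015 ..." to "Jan 19"."""
    return dict(kv.split('=', 1) for kv in tail.split(',') if '=' in kv)
```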

This documentation is central to configuring and troubleshooting syslog settings in a ClearPass environment, so that messages are handled and exported correctly.

The source also shows log entries in the standardized event format for both System Events and Session Events, as produced by the syslog export filter template. Each entry carries fields such as timestamp, source IP address, description, category, action, level, component and other information used in system monitoring and event logging.

For System Events:

  • The log entries include a detailed format with fixed fields like timestamp (formatted in 'yyyy-MM-dd HH:mm:ss,S'), description of the event, client IP address, category, action, level, source IP address, component, and original timestamp in IST format.

  • Examples include user login events and system error logs indicating issues like failed service starts or actions performed on specific components.

For Session Events:

  • The log entries follow a similar standardized structure but are related to Radius Session Logs with additional RADIUS protocol specific details such as NAS IP address, authentication methods, timestamps, and other RADIUS attributes which may not be applicable for System Events.

These logs support troubleshooting and maintenance by providing detailed records of system events, including user activities and technical errors that may need immediate attention or later analysis.

The log entries that follow detail RADIUS and TACACS server interactions using the EAP-PEAP and MSCHAPv2 authentication methods. They include session IDs, IP addresses, timestamps, port types, packet counts, octet counts, termination causes, service names and status types. The key points:

1. **RADIUS Session Logs:**

  • **Client Details:**

      • Source IP Address: `src=10.17.5.211`

      • Common Host MAC Address: `e0f8471a5450`

      • Username: `test1`

  • **Session Information:**

      • Session ID: `test1E0F8471A5450-54BE336C`

      • Called Station ID: `000B8661CD70`

      • NAS Port Type: `Wireless-802.11`

  • **Authentication Details:**

      • Source: `AD:win2008R2-64bit.bangalore.avendasys.com`

      • Methods: EAP-PEAP, MSCHAPv2

      • Authenticator: RADIUS

  • **Service Information:** `Test Post Authentication Rules`

  • **Timestamps and IP Addresses:**

      • Request Timestamp: `2015-01-20 16:31:45+05:30` (first entry)

      • Acct Timestamp: `2015-01-20 16:31:50+05:30` (Acct section of the log)

  • **Session Metrics:**

      • Delay Time: `0`

      • Input/Output Packets and Octets are not provided in the logs.

2. **TACACS Authentication Logs:**

  • **Request Type:** TACACS_AUTHORIZATION

  • **Enforcement Profiles:** (empty in the log entry)

  • **Authentication Details:** no specific authentication method is mentioned, but the entry uses the TACACS protocol, as indicated by the Service field, which is null.

  • **Session Information:** session ID not provided in the logs.

  • **Timestamps and IP Addresses:**

      • Request Timestamp: `2015-01-20 16:31:45+05:30` (Common.Request-Timestamp)

  • **Session Metrics:** not applicable, as this is a TACACS log entry rather than a RADIUS one.

These logs give insight into the authentication and session initiation between a client (`test1`) connecting over a wireless network to a NAS (`10.17.4.7`, identified by `RADIUS.Acct-NAS-IP-Address=10.17.4.7`) using EAP-PEAP and MSCHAPv2, with no specific termination cause or service name given in the excerpts.

A further group of log entries from the source relates to authentication and event logging. The key information in those entries:

1. **Timestamp**: the logs include several timestamps in different formats, including one with an offset (e.g., 2015-01-20 16:34:54.647+05:30), which places these events around January 20th, 2015.

2. **Authentication Type**: the entries name different authentication methods (e.g., TACACS.Authen-Method=AUTHEN_METH_TACACSPLUS and RADIUS), so several forms of authentication were attempted or logged, possibly for network access by users identified by usernames like 'a' and 'keerthi'.

3. **Authentication Source**: the authentication source was either a local user repository or an external RADIUS server (e.g., Auth.Source=Bangalore AD and Auth.Protocol=RADIUS).

4. **Service Context**: services are named in the context of authentication, such as "Policy Manager Admin Network Login Service" for TACACS and "Test Post Authentication Rules" for RADIUS, so these logs relate to user access attempts governed by network policies or specific service rules.

5. **Event Details**: each entry records the event type (e.g., authentication action, request type), which is central to troubleshooting and auditing in a network environment.

6. **Endpoint Information**: devices or endpoints are mentioned ("src=10.17.5.228" and "src=10.17.5.211"), but the entries do not give enough detail to tell whether they are client devices, network elements or other components.

The entries follow a structured pattern of key-value pairs separated by commas, as is typical for syslog messages where each field has a defined meaning according to the template in use (e.g., the Syslog Export Filter Template). This standardized format allows efficient parsing and analysis with automated tools or scripts.

The examples that follow illustrate two log formats used in network security logs, focused on authentication events.

**LEEF Event Format:** This format is described as follows:

  • **Timestamp**: Dec 03 2014 16:50:44.085 IST (Indicates the date and time of the log entry in Indian Standard Time)

  • **Source IP Address**: 10.17.4.208

  • **LEEF Version**: 1.0

  • **Vendor & Product**: Aruba Networks|ClearPass, version 6.5.0.69058

  • **Event ID and Subtype**: 0-1-0 (the source does not explain the meaning of this identifier)

  • **Authentication Details**:

  • **Username**: host/Asif-Test-PC2

  • **Authorization Sources**: null

  • **Login Status**: 216

  • **Request Timestamp**: 2014-12-03 16:48:41+05:30

  • **Protocol**: RADIUS

  • **Source**: null

  • **Enforcement Profiles**: (empty in the log entry)

  • **NAS Port**: null

  • **SSID**: cppm-dot1x-test

  • **Timestamp Format**: MMM dd yyyy HH:mm:ss.SSS z (Month, Day, Year, Hour, Minute, Second, Millisecond, and timezone)

  • **NAS Port Type**: 19

  • **Error Code**: 216

  • **Roles**: null

  • **Service**: Test Wireless

  • **Host MAC Address**: 6817294b0636

  • **Unhealthy Status**: null

  • **NAS IP Address**: 10.17.4.7 (Source IP address is also recorded here)

  • **Additional Fields**: src=10.17.4.208, Auth.CalledStationId=000B8661CD70, Auth.NAS-Identifier=ClearPassLab3600

**CEF Event Format:** This format is described as follows:

  • **Timestamp**: Dec 03 2014 16:31:28.861 IST

  • **Source IP Address**: 10.17.4.208

  • **CEF Version**: 0

  • **Vendor & Product**: Aruba Networks|ClearPass, version 6.5.0.69058

  • **Event ID and Subtype**: Insight Logs|0 (This is a specific event type under the ClearPass product)

  • **Authentication Details**: Similar to LEEF format but integrated into CEF:

  • **Username**: host/Asif-Test-PC2

  • **Authorization Sources**: null

  • **Login Status**: 216

  • **Request Timestamp**: 2014-12-03 16:28:20+05:30

  • **Protocol**: RADIUS

  • **Source**: null

  • **Enforcement Profiles**: (empty in the log entry)

  • **NAS Port**: null

  • **SSID**: cppm-dot1x-test

  • **Timestamp Format**: MMM dd yyyy HH:mm:ss.SSS zzz (Note the inclusion of 'zzz' which might indicate a more detailed timezone representation)

  • **NAS Port Type**: 19

  • **Error Code**: 216

  • **Roles**: null

  • **Service**: Test Wireless

  • **Host MAC Address**: 6817294b0636

  • **Unhealthy Status**: null

  • **NAS IP Address**: 10.17.4.7 (Source IP address is also recorded here)

  • **Additional Fields**: src=10.17.4.208, Auth.CalledStationId=000B8661CD70, Auth.NAS-Identifier=ClearPassLab3600

Both formats log authentication events in a standardized way that includes detailed information about the event context and the device, which is useful for forensic analysis and for troubleshooting network security incidents.

These examples illustrate different syslog export filter templates for Audit Logs, System Events and Session Logs, using LEEF (Log Event Extension Format) and CEF (Common Event Format). Each example includes timestamps, IP addresses, device information, event categories, severity levels, descriptions, user identities and other fields. The templates standardize the format of log data for easier analysis and integration across systems.

The source also describes two events in the LEEF event format type for session logs, exported via syslog with a specific template. Each event carries RADIUS attributes such as timestamps, NAS IP addresses, port types, octets, usernames, calling station IDs, framed IP addresses and authentication methods. The first event occurred on Dec 02, 2014, at 15:35:14.944 IST with the following details:

  • RADIUS attributes: Calling-Station-Id=00:88:57:2d:12:a4, Framed-IP-Address=192.167.203.170, Auth-Method=PAP, Timestamp=2014-12-02 15:32:47+05:30, NAS IP Address=10.17.4.206, Service Name=Authenticate-Only, Session Time=565 seconds, NAS Port=0, Session ID=R000a5038-01-547d8e47, NAS Port Type=Wireless-802.11, Output Octets=412895267, Username=A_user706, Input Octets=665942581

The second event occurred on the same date and time but with different details:

  • RADIUS attributes: Calling-Station-Id=00:88:57:2d:12:a4 (same as above), Framed-IP-Address=192.167.203.170, Auth-Method=PAP, Timestamp=Dec 02 2014 15:32:47.000 IST, NAS IP Address=10.17.4.206, Service Name=Authenticate-Only, Session Time=3155 seconds, NAS Port=0, Session ID=R00001316-01-547c3b5a, NAS Port Type=Wireless-802.11, Output Octets=578470212, Username=A_user2, Input Octets=786315664

Both events share the same RADIUS attributes for Calling-Station-Id and Framed-IP-Address but have different values for other attributes like Auth-Method, Timestamp, Session Time, Output Octets, and Username. The NAS IP Address is consistent across both events as well.
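The LEEF and CEF field lists above share one shape: a syslog prefix (timestamp and source IP), a pipe-delimited header carrying vendor, product, version and event identifier, and a key=value extension. A SIEM ingesting both formats from the same filter needs to parse them into one record shape. The code below is an added example, not code from the post or from Aruba; the sample lines are constructed from the post's values, and the extension key names (Auth.Username, Auth.Login-Status, Auth.Service, Auth.NAS-IP-Address), the CEF header layout (7 fields, per the CEF specification) and the tab delimiter between LEEF pairs are assumptions.

```python
import re

# Constructed sample lines modelled on the LEEF and CEF field lists in the post; the
# extension key names and header layout are assumptions, not copied from a real export.
SAMPLE_LEEF = ("Dec 03 2014 16:50:44.085 IST 10.17.4.208 "
               "LEEF:1.0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|"
               "Auth.Username=host/Asif-Test-PC2\tAuth.Login-Status=216\tAuth.Service=Test Wireless\t"
               "Auth.NAS-IP-Address=10.17.4.7\tsrc=10.17.4.208")
SAMPLE_CEF = ("Dec 03 2014 16:31:28.861 IST 10.17.4.208 "
              "CEF:0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Insight Logs|0|"
              "Auth.Username=host/Asif-Test-PC2 Auth.Login-Status=216 Auth.Service=Test Wireless "
              "Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208")

_HEADER_SPLIT = re.compile(r'(?<!\\)\|')          # a literal pipe in a header field is written "\|"
_CEF_EXT = re.compile(r'([^\s=]+)=(.*?)(?=\s+[^\s=]+=|\s*$)')  # CEF values may contain spaces
_PIPES = {"CEF": 7, "LEEF": 5}                     # header delimiters before the extension


def parse_event(line):
    """Split a syslog line into prefix, pipe-delimited header and key=value extension."""
    m = re.search(r'\b(CEF|LEEF):', line)
    if not m:
        return None
    fmt = m.group(1)
    parts = _HEADER_SPLIT.split(line[m.start():], maxsplit=_PIPES[fmt])
    if len(parts) != _PIPES[fmt] + 1:
        return None                                 # truncated header: reject rather than guess
    header = [p.replace(r'\|', '|').replace('\\\\', '\\') for p in parts[:-1]]
    if fmt == "CEF":
        pairs = _CEF_EXT.findall(parts[-1])
    else:                                           # LEEF 1.0 uses a tab between pairs (assumed)
        pairs = [kv.split('=', 1) for kv in parts[-1].split('\t') if '=' in kv]
    ext = {k: v.replace(r'\=', '=') for k, v in pairs}
    return {"format": fmt, "syslog_prefix": line[:m.start()].rstrip(),
            "header": header, "ext": ext}


def normalize(rec):
    """Map either format onto the fields the post calls out, for cross-format correlation."""
    hdr, ext = rec["header"], rec["ext"]
    return {"format": rec["format"], "product": hdr[2], "version": hdr[3], "event_id": hdr[4],
            "username": ext.get("Auth.Username"), "login_status": ext.get("Auth.Login-Status"),
            "service": ext.get("Auth.Service"), "nas_ip": ext.get("Auth.NAS-IP-Address"),
            "src": ext.get("src")}
```

Rejecting a record whose header is short, rather than guessing which field is missing, keeps a truncated or tampered line from being filed under the wrong product or event id.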

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
