This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
francois.devare
Cadet 1st Class
Cadet 1st Class
‎2014-03-27 19:01
1333 views

Help syslog subagent ClearPass

Hi,

I'm trying to build a syslog subagent to parse Aruba Networks ClearPass logs. So far i have got ;

<(\d+)>(\d+\-\d+\-\d+ \d\d:\d\d:\d\d),(\d+)  (\d+\.\d+\.\d+\.\d+) (\w+ \w+) (\d+) (\d+) (\d+) Timestamp=(\w+ \d+, \d+ \d\d:\d\d:\d\d \w+),(\w+)=([\w\s]+),(\w+)=([\w\s]+),(\w+)=([\w\s]+),(\w+)=(\w+),(\w+)=(\w+)[\W\s]+(\w+)(\\n([\w\s]+):[\W]+(\d+.\d+.\d+.\d+)\\n|\\n(\w+):[\W\s]+([\w\s]+)\\n(\w+[\W\s]+\w+):[\W\s]+([\w\d]+)\\n([\w\s]+):[\W]+(\d+.\d+.\d+.\d+)\\n)

But some times the log are not the same length and doesn't contains the exact same number of token or entry. I have added a sample log file.

It's my first regex flexcon/subagent, any help would be appreciated.

Thanks,

Labels (2)
Labels
logclearpass.txt.zip
0 Likes
Reply
Report Inappropriate Content
7 Replies
balahasan.v1
Fleet Admiral
Fleet Admiral
‎2014-03-30 17:12

Hi Francois,

PFA property file which is tested.. So u can continue updating this properties further on severity mapping and etc.....

I Hope this helps u buddy

Capture snap.JPG

logclearpass.sdkrfilereader.properties.zip
0 Likes
Reply
Report Inappropriate Content
francois.devare
Cadet 1st Class
Cadet 1st Class
‎2014-04-07 18:12

Hi,

I uploaded the parser override to my ConnApp. After i uploaded it to the Connector and it doesn't work.

How to i have to install this file?

0 Likes
Reply
Report Inappropriate Content
vipiao
Absent Member.
Absent Member.
‎2014-04-08 06:15

Try:

<(\d+)>(\d+-\d+-\d+\s+\d+:\d+:\d+),(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([\w\s]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+Timestamp=(.*),Source=([^,]+),(?:Level=([^,]+),)?Category=([^,]+),Action=([^,]+),(?:Description=([^,]+)[\r\n]+)?(?:User=([^,]+)[\r\n]+)?

0 Likes
Reply
Report Inappropriate Content
francois.devare
Cadet 1st Class
Cadet 1st Class
‎2014-04-08 15:51

hi,

It's not the parsing that is not working. The Connector is not using the new parser.

I have create a file clearpass_subagent.sdkrfilereader.properties and i place it in /opt/arcsight/connector_1/current/user/agent/flexagent/syslog

But the connector is still only using the generic_syslog subagent. I tried modifying the syslog.properties file and it doesn't work. I get this error:

Unable to find class definition for [clearpass_syslog]

How can i make my connector use my subagent?

0 Likes
Reply
Report Inappropriate Content
balahasan.v1
Fleet Admiral
Fleet Admiral
‎2014-04-08 18:46

Hi

Since u have set everything, Have u modified in agent.properties and checked the parser in agent regex tool

Follow the steps defined in the document below and let us know, Since the Parser order is taking the Default Syslog Parser for parsing ur Logs

0 Likes
Reply
Report Inappropriate Content
francois.devare
Cadet 1st Class
Cadet 1st Class
‎2014-04-10 14:38

Hi,

With the help of the people here i was able to create my subagent to parse ClearPass syslogs. I have attached what i created so other people can use it.

clearpass.sdkrfilereader.zip
0 Likes
Reply
Report Inappropriate Content
shezaf1
Fleet Admiral
Fleet Admiral
‎2016-03-13 05:47

To close the loop on that Aruba ClearPass now supports CEF. See .

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.