topic Clearpass App for splunk via syslog but doasn't work in Getting Data In

Clearpass App for splunk via syslog but doasn't work

sdurao — Thu, 08 Oct 2020 12:41:54 GMT

Hi everybody

I installed the Clearpass TA application on my SH instance.

it collects logs via syslogs. So here is the configuration of my inputs.conf of the application

[udp://4514]
sourcetype = Aruba:CPPM:Syslog
index = cg93_clearpass

I restarted the service, but no log appears.

On my syslog server, I ran the following command : tcpdump -i eth0 port 4514
We can see that the logs have arrived at the splunk syslog server

Do you know where it can come from?

Re: Clearpass App for splunk via syslog but doasn't work

richgalloway — Thu, 08 Oct 2020 15:20:05 GMT

How does the data get from the syslog server to Splunk? The UDP input probably is not it. Do you have a universal forwarder on the syslog server? That's the usual practice.

Re: Clearpass App for splunk via syslog but doasn't work

sdurao — Fri, 09 Oct 2020 07:35:31 GMT

They are transmitted via the UDP port to our Splunk syslog server.
On the Clearpass application, UDP port 4514 has been entered.
When you type the tcpudump command (tcpdump -i eth0 port 4514), you can see that it receives the frames on the syslog.

Yes we have an UF on the Syslog server.

However, I have the impression that it does not send them to the indexer. How can I correct this?