Re: Clearpass app not displaying important field i...

Iwdavies · ‎12-10-2018

The Clearpass app is displaying data, however, it is missing populating major fields. when I look at the Search I also see these field missing in the search interesting fields, even though these fields exist in the raw data. Here is a list of the missing fields:

user_name
mac_addrees
ip_address
mac_vendor

There may be more but it just appears that the indexer isn't indexing these fields....

Any ideas?

Iwdavies · ‎12-11-2018

Here is an example of data that is being indexed but certain fields are missing from the "interesting fields". I have placed xxxx to remove certain data. Fields that are bold don't appear in the interesting field list:

Dec 11 14:55:48 x.x.x.x 2018-12-11 14:55:48,962 x.x.x.x CPPM_Dashboard_Summary 2957 1 0 session_id=R00005531-01-5c10400b,req_source=RADIUS,user_name=xxxxxxx,service_name=Employee Onboarding Onboard Provisioning,alerts_present=0,nas_ip=x.x.x.x,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=xxxxxxxxxxxx,timestamp=2018-12-11 14:54:04-08,write_timestamp=2018-12-11 14:54:05.435015-08

Iwdavies · ‎12-11-2018

Here is an example of information in the log. bolded fields don't appear in the interesting fields section and x's have been used to replace certain values:

Dec 11 14:55:48 x.x.x.x 2018-12-11 14:55:48,962 x.x.x.x CPPM_Dashboard_Summary 2957 1 0 session_id=R00005531-01-5c10400b,req_source=RADIUS,user_name=xxxxxx,service_name=Employee Onboarding Onboard Provisioning,alerts_present=0,nas_ip=x.x.x.x,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=xxxxxxxxxxxx,timestamp=2018-12-11 14:54:04-08,write_timestamp=2018-12-11 14:54:05.435015-08

prakash007 · ‎12-10-2018

What version of Splunk are you on...??
If you are on 7.2 and above, there is a change in Fieldalias behavior, you might have to check you props.conf...

https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html

Iwdavies · ‎12-11-2018

I'm not sure the field alias is the right issue. There are no "interesting fields" that would even hint as a user_name. or any of the other issues at top. It just isn't parsing the fields appropriately to generate the "interesting fields".

prakash007 · ‎12-11-2018

when you look into your clearpass app in splunk, you can see the missing fields that are aliased here... i.e $SPLUNK_HOME/etc/apps/ClearPassOnSplunk_2/default/props.conf..

FIELDALIAS-cppm-24 = framed_ip_address AS ip_address
FIELDALIAS-cppm-016 = username as user_name
FIELDALIAS-cppm-acctnasip = nas_ip_address AS nas_ip
FIELDALIAS-cppm-019 = nad_ip AS nas_ip
FIELDALIAS-cppm-910 = host_mac AS mac_address
FIELDALIAS-cppm-911 = end_host_id AS mac_address
FIELDALIAS-cppm-911 = mac_address AS end_host_id
#FIELDALIAS-cppm-host = ClearPass_Server AS host

Let's take FIELDALIAS-cppm-24 = framed_ip_address AS ip_address, in this case you need to have either ip_address or framed_ip_address in your raw data, due to a change in FIELDALIAS behavior in 7.2...you have to change your configs like this...

#FIELDALIAS-cppm-24 = framed_ip_address AS ip_address
EVAL-ip_address = coalesce(ip_address, framed_ip_address)

so, before making any changes, I would check the raw logs on the source host(may be a syslog) to make sure I have the required fields in the log file itself or Splunk is not parsing the fields correctly...??

Iwdavies · ‎12-10-2018

We are using 7.2. I'm looking at the information you supplied and it is probably on the right track. I just don't know splunk well enough to understand how to configure the props.conf file and what the Fieldalias configs should look like. I'll write back when I know if that is the problem or not.

Clearpass app not displaying important field in dashboards

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!