How to integrate Aruba ClearPass Policy Manager (NAC) with Graylog?

Hi there,
Does anyone have any experience in integrating Graylog with Aruba ClearPass Policy Manager?
FYI, it is a NAC from HPE Aruba Networking.
I have defined Graylog in ClearPass to send syslog messages and Graylog to receive syslog messages, but when I go to “Inputs” and click on “Start input” I get a FAILED error.
Any help will be appreciated.
Thanks in advance,

I’ll start with the last question first. The input is likely failing to start because you have defined the syslog port as 514. Although 514 is a default port for syslog, Graylog is installed as a user, and for users in Linux, all ports below 1024 are reserved. They cannot be used for inputs.

Change the Aruba Policy Manager to send syslog to some higher port. I like 5140 or 5014, because they look visually close to 514, but you may choose any higher port not already being used by another input. Change the Graylog input to use that same port and you should start to see logs come through.

Once you have logs coming in, you may want to start parsing them. That’s a different discussion though. I would suggest you close this thread once you have it collecting logs properly, then start a new topic to discuss how you might parse them. Easier to follow for you and for future users with the same questions.

Hi Chris,
Thanks for your support.
FYI, I have already configured UDP port 9514 (please see below the input configuration for Aruba ClearPass Policy Manager):

  • allow_override_date:true

  • bind_address:0.0.0.0

  • expand_structured_data:false

  • force_rdns:false

  • number_worker_threads:2

  • override_source:

  • port:9514

  • recv_buffer_size:1048576

  • store_full_message:true

The State is shown as RUNNING but I do not observe any received message for the Input.

FYI, I have tried configuring Aruba ClearPass to send syslog messages to my laptop and it is OK… On the other hand, I configured other inputs in Graylog (like switch, router, WLAN controller) and I receive syslog messages from these other inputs without any issue…

Do you know how to troubleshoot that?

Thanks in advance

Could be a time zone issue. Try setting the time range to all messages and see if anything shows up.

If not, you can try changing the input to a raw/plaintext input and see if you get anything. It won’t try to parse it and should show you whatever is arriving at Graylog.
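The two checks suggested in the reply above (is anything arriving at all, and is the timestamp pushing messages outside the search window) can be done with a small UDP listener. This is an added example, not code from the thread or from Graylog; the function names and the sample datagram are constructed, and it assumes the sender uses an RFC 3164 header and that the receiver reads its zone-less timestamp as UTC.

```python
import re
import socket
from datetime import datetime, timedelta, timezone

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss ... (carries no year and no time zone)
RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (.*)$", re.S)
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample datagram (not captured from a real ClearPass server).
SAMPLE = b"<134>Mar  5 14:00:00 clearpass CPPM_Test: constructed sample"

def inspect_datagram(data: bytes, received_at: datetime) -> dict:
    """Show what arrived and how far its timestamp is from the receive time."""
    text = data.decode("utf-8", errors="replace")
    m = RFC3164.match(text)
    if not m or m.group(2) not in MONTHS or int(m.group(1)) > 191:
        return {"syslog": False, "raw": text}  # arrived, but not parseable syslog
    try:
        # Assumption: the zone-less timestamp is interpreted as UTC.
        stamp = datetime(received_at.year, MONTHS.index(m.group(2)) + 1,
                         int(m.group(3)), int(m.group(4)), int(m.group(5)),
                         int(m.group(6)), tzinfo=timezone.utc)
    except ValueError:  # e.g. "Feb 31"
        return {"syslog": False, "raw": text}
    pri, skew = int(m.group(1)), stamp - received_at
    return {
        "syslog": True,
        "facility": pri >> 3,
        "severity": pri & 7,
        "skew_seconds": int(skew.total_seconds()),
        # A message stamped in the future, or older than the window, will not
        # appear in a relative "last 5 minutes" search.
        "outside_last_5_min": skew > timedelta(0) or skew < timedelta(minutes=-5),
        "raw": text,
    }

def listen(port: int = 9514, bind: str = "0.0.0.0") -> None:
    """Print every datagram; stop the Graylog input on this port first."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        print(src, inspect_datagram(data, datetime.now(timezone.utc)))

if __name__ == "__main__":
    listen()
```

If nothing is printed at all, the datagrams are not reaching the host on that port, which points at the network path or a host firewall rather than at parsing.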