This repository has been archived by the owner on May 4, 2024. It is now read-only.

njohnsn/ClearPassAndELK


ClearPassAndELK

NOTE: I'm archiving this repository as we are no longer using ELK to archive ClearPass transactions.

Introduction

The purpose of this repository is to provide a place to store files and instructions that allow you to use an ELK (Elasticsearch, Logstash, Kibana) server to store and analyze SYSLOG data from Aruba ClearPass.

The files in the repository are based on the TechNote and files provided by Aruba to configure ClearPass to export SYSLOG data to Splunk.

Repository Contents

Currently the files in the repository include:

  • SylogExportData.xml - an XML file that you can edit and then import into ClearPass to configure it to send data to an ELK Server.
  • 10-logstash-syslog.conf - a sample Logstash configuration file that will process the SYSLOG events generated by ClearPass and store them in an Elasticsearch cluster.

My plan is to add more files as I learn more about how to analyze the data in the Elasticsearch database using Kibana.

Instructions

  1. Set up an ELK server: While a comprehensive set of instructions for setting up an ELK server would run many pages, below are some great links to help you get started:

    1. elastic.co provides commercial support for ELK and is the authoritative source for documentation.
    2. DigitalOcean provides an excellent tutorial for installing an ELK server on Ubuntu 14.04 LTS.
    3. James Turnbull's "The Logstash Book" is also an excellent resource.
  2. Use the 10-logstash-syslog.conf file from the repository to configure Logstash to receive events from ClearPass.

  3. Configure ClearPass:

    1. Edit the SyslogExportData.xml file and replace the words change.me with the IP address of your ELK server.
    2. Import the SyslogExportData.xml file into the "Administration->External Servers->Syslog Export Filters" section of ClearPass.
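
Step 3.1 can be scripted so that a mistyped address or a leftover placeholder is caught before the file is imported. The following is an added example, not part of this repository: it assumes the placeholder is the literal string change.me, writes to a hypothetical `.edited` copy, and uses a constructed XML sample whose element names are not the real ClearPass export schema.

```python
import ipaddress
import sys
import xml.etree.ElementTree as ET

PLACEHOLDER = "change.me"  # placeholder text named in step 3.1

# Constructed sample for illustration only; NOT the real ClearPass schema.
SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<Filters><Host>change.me</Host><Host>change.me</Host></Filters>"
)


def set_elk_address(xml_text, elk_ip):
    """Return (edited_xml, replacements).

    Raises ValueError when elk_ip is not a valid IP address, when the
    placeholder is absent (already edited, or the wrong file), or when
    the edited text is not well-formed XML.
    """
    addr = ipaddress.ip_address(elk_ip.strip())  # ValueError on bad input
    count = xml_text.count(PLACEHOLDER)
    if count == 0:
        raise ValueError(f"no {PLACEHOLDER!r} placeholder found")
    edited = xml_text.replace(PLACEHOLDER, str(addr))
    try:
        ET.fromstring(edited)  # well-formedness check before import
    except ET.ParseError as exc:
        raise ValueError(f"result is not well-formed XML: {exc}") from exc
    return edited, count


if __name__ == "__main__":
    # usage: python set_elk_address.py SyslogExportData.xml <ELK-server-IP>
    path, ip = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        edited, n = set_elk_address(fh.read(), ip)
    # Write a copy so the original file from the repository stays untouched.
    with open(path + ".edited", "w", encoding="utf-8") as fh:
        fh.write(edited)
    print(f"replaced {n} placeholder(s); wrote {path}.edited")
```
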

About

ClearPass and Logstash Configuration Files
