I have configured the Aruba ClearPass App for Splunk Enterprise on the forwarder and indexer. I made sure data is coming in on TCP 1514, enabled the port on both the forwarder and indexer, and configured it to the aruba index. I am getting data into Splunk, but it is not readable. Below is the raw data:
\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD
\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD
\xFF\xF4\xFF\xFD\xFF\xF4\xFF\xFD
Below are the props for this data:
[Aruba:CPPM:Syslog]
SHOULD_LINEMERGE = false
TIME_PREFIX = timestamp=
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%N%Z
MAX_TIMESTAMP_LOOKAHEAD = 30