
...

Rw ui tabs macro
Rw tab
title1-4

Anchor
nac.aruba.audit.all
nac.aruba.audit.all
nac.aruba.audit.all

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

host

str

vhost

hostIP

ip4

 

Timestamp

str

EntityName

str

Category

str

 

Action

str

 

User

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

Anchor
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit

Field

Type

Extra fields

Source field name

eventdate

timestamp

host

str

vhost

procid

str

msgid

str

tzKnown

str

swVersion

str

software

str

ip

str

enterpriseId

str

eventId

str

Action

str

Category

str

User

str

EntityName

str

CppmNode

str

Timestamp

str

hostchain

str

tag

str

rawMessage

str

Anchor
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records

Field

Type

Extra fields

eventdate

timestamp

hostname

str

header__version

str

header__device_vendor

str

header__device_product

str

header__device_version

str

header__device_event_class_id

str

header__name

str

header__severity

str

extension__dvc

ip4

extension__fname

str

extension__rt

timestamp

extension__act

str

extension__duser

str

extension__cat

str

prefix

str

hostchain

str

tag

str

rawMessage

str

Anchor
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit

Field

Type

Extra fields

eventdate

timestamp

hostname

str

header__version

str

header__device_vendor

str

header__device_product

str

header__device_version

str

header__device_event_class_id

str

header__name

str

header__severity

str

extension__dvc

ip4

extension__fname

str

extension__rt

timestamp

extension__act

str

extension__duser

str

extension__cat

str

prefix

str

hostchain

str

tag

str

rawMessage

str

Rw tab
title5-9

Anchor
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight

Field

Type

Source field name

Extra fields

eventdate

eventdate

 

host

host

 vhost

procid

procid

msgid

msgid

tzKnown

tzKnown

 

swVersion

swVersion

 

software

software

 

ip

ip

 

enterpriseId

enterpriseId

 

eventId

eventId

 

Username

Username

 

UpdatedAt

UpdatedAt

 

MACAddress

MACAddress

 

IPAddress

IPAddress

 

Status

Status

Conflict

Conflict

 

CppmNode

CppmNode

 

AddedAt

AddedAt

 

hostchain

hostchain

 

tag

tag

 

rawMessage

rawMessage

 

Anchor
nac.aruba.clearpass.session
nac.aruba.clearpass.session
nac.aruba.clearpass.session

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

host

str

 vhost

procid

str

 

msgid

str

 

tzKnown

str

 

swVersion

str

 

software

str

 

ip

str

 

enterpriseId

str

 

AuthType

str

 

NASName

str

 

Service

str

 

NASIPAddress

str

 

Source

str

 

AuthSource

str

EnforcementProfiles

str

ConnectionStatus

str

MonitorMode

str

LoginStatus

str

Roles

str

CppmNode

str

SystemPostureToken

str

RequestId

str

RequestTimestamp

str

AuthMethod

str

SessionLogTimestamp

str

Username

str

AlertsPresent

str

ErrorCode

str

AuditPostureToken

str

NadName

str

AuthProtocol

str

CppmErrorCodeDetails

str

CppmAlerts

str

EndpointDeviceName

str

AuthLoginStatus

str

AuthNASIPAddress

str

EndpointHostname

str

hostchain

str

tag

str

rawMessage

str

Anchor
nac.aruba.clearpass.system
nac.aruba.clearpass.system
nac.aruba.clearpass.system

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

host

str

 vhost

procid

str

 

msgid

str

 

tzKnown

str

 

swVersion

str

 

software

str

 

ip

str

 

enterpriseId

str

 

eventId

str

 

Action

str

 

Category

str

 

Description

str

 

user

str

 

role

str

authentication_source

str

session_id

str

client_ip

ip4

session_inactive_expiry_time

str

Level

str

Component

str

CppmNode

str

Timestamp

str

hostchain

str

tag

str

rawMessage

str

Anchor
nac.aruba.cppm
nac.aruba.cppm
nac.aruba.cppm

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

subtype

str

vsubtype

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

mac_address

str

id

str

nas_ip

ip4

message

str

rawSource

hostchain

str

tag

str

rawMessage

str

rawSource

Rw tab
title10-13

Anchor
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

subtype

str

vsubtype

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

mac_address

str

id

str

nas_ip

ip4

message

str

rawSource

hostchain

str

tag

str

rawMessage

str

rawSource

Anchor
nac.aruba.cppm.policy
nac.aruba.cppm.policy
nac.aruba.cppm.policy

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

rawMessage

str

host

str

vhost

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

id

str

session_id

str

attr_name

str

attr_value

str

flags

str

user_name

str

nas_ip

ip4

port

str

remote_address

str

priv_level

int4

authen_type

str

authen_method

str

authen_service

str

service_name

str

auth_method

str

auth_source

str

end_host_id

str

request_status

str

error_code

int4

mac_address

str

nas_port

int4

request_id

str

action_id

str

action_type

str

action_name

str

action_display_name

str

application_name

str

status_code

str

status_msg

str

req_source

str

alerts_present

int4

conn_status

str

login_status

str

write_timestamp

str

monitor_mode

str

roles

str

audit_apt

str

spt

str

enf_profiles

str

alert

str

action

str

category

str

entityname

str

user

str

auth_type

str

cpu_usage

int4

process_id

int4

res_mem_usage

int4

virt_mem_usage

int4

acct_authentic

str

acct_delay_time

str

acct_input_octets

str

acct_input_packets

str

acct_output_octets

str

acct_output_packets

str

acct_session_id

str

acct_session_time

str

acct_status_type

str

acct_terminate_cause

str

called_station_id

str

calling_station_id

str

ip_address

str

nas_port_type

str

seq_num

str

type

str

cn

str

dc

str

ou

str

authen_action

str

request_type

str

server_id

str

tacacs_profiles

str

tips_roles

str

user_session_id

str

message

str

rawMessage

hostchain

str

tag

str

Anchor
nac.aruba.cppm.system
nac.aruba.cppm.system
nac.aruba.cppm.system

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

rawMessage

str

rawSource

host

str

vhost

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

event_source

str

level

str

category

str

description

str

action

str

message

str

rawSource

hostchain

str

tag

str

Anchor
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

rawMessage

str

host

str

vhost

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp[3] = " ", parsedate(substring(timestamp_tmp, 0, 24), "MMM DD YYYY HH:mm:ss.SSS", ifthenelse(length(split(timestamp_tmp, " ")) = 5, split(timestamp_tmp, " ", 4), "")), ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")))

timestamp_tmp

component

str

level

str

category

str

action

str

description

str

id

str

swap_size_used

int8

slash_size_used

int8

swap_memory_avail

int8

system_memory_avail

int8

cpu_raw_user

int4

cpu_raw_nice

int4

cpu_raw_system

int4

cpu_raw_idle

int4

mgmt_inf_status

str

data_inf_status

str

uptime

int8

message

str

rawMessage

hostchain

str

tag

str

Rw tab
title14-17

Anchor
nac.aruba.os.events
nac.aruba.os.events
nac.aruba.os.events

Field

Type

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

col1

int8

error_number

int8

severity

str

ap_cassification_rule

str

process

str

message

str

hostchain

str

tag

str

rawMessage

str

Anchor
nac.aruba.other.events
nac.aruba.other.events
nac.aruba.other.events

Field

Type

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

hostchain

str

tag

str

rawMessage

str

rawSource

Anchor
nac.aruba.sessions.common
nac.aruba.sessions.common
nac.aruba.sessions.common

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

time

str

eventID

str

hostIP

ip4

type

str

id1

str

id2

str

id3

str

Alerts

str

AlertsPresent

int4

AuditPostureToken

str

AuthType

str

ConnectionStatus

str

EnforcementProfiles

str

ErrorCode

str

HostMACAddress

str

LoginStatus

str

MonitorMode

str

NASIPAddress

str

NASPort

str

RequestId

str

RequestTimestamp

timestamp

Code Block
parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))

RequestTimestamp_tmp

Roles

str

Service

str

SessionLogTimestamp

timestamp

Code Block
parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC"))

SessionLogTimestamp_tmp

Source

str

SystemPostureToken

str

Username

str

unknown

str

hostchain

str

tag

str

rawMessage

str

Anchor
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

time

str

eventID

str

hostIP

ip4

type

str

id1

str

id2

str

id3

str

Username

str

Services

str

Roles

str

AuthSource

str

AuthMethod

str

SystemPostureToken

str

EnforcementProfiles

str

HostMACAddress

str

NASIPAddress

str

ErrorCode

str

Alerts

str

RequestTimestamp

timestamp

Code Block
parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))

RequestTimestamp_tmp

unknown

str

hostchain

str

tag

str

rawMessage

str

Rw tab
title18-20

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

time

str

eventID

str

hostIP

ip4

type

str

id1

str

id2

str

id3

str

AcctAuthentic

str

AcctCalledStationId

str

AcctDelayTime

str

AcctStatusType

str

AuthMethod

str

AuthSource

str

SessionLogTimestamp

timestamp

Code Block
parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))

SessionLogTimestamp_tmp

AcctTimestamp

timestamp

Code Block
parsedate(AcctTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC"))

AcctTimestamp_tmp

AcctSessionId

str

AcctFramedIPAddress

ip4

AcctCallingStationId

str

AcctNASPortType

str

AcctNASPort

str

AcctNASIPAddress

ip4

AcctUsername

str

AcctInputOctets

str

AcctTerminationCause

str

unknown

str

hostchain

str

tag

str

rawMessage

str

Anchor
nac.aruba.sessions
nac.aruba.sessions
nac.aruba.sessions

Field

Type

Extra fields

eventdate

timestamp

host

str

subtype

str

time

str

eventID

str

hostIP

ip4

type

str

id1

str

id2

str

id3

str

Alerts

str

AlertsPresent

int4

AuditPostureToken

str

AuthType

str

ConnectionStatus

str

EnforcementProfiles

str

ErrorCode

str

HostMACAddress

str

LoginStatus

str

MonitorMode

str

NASIPAddress

str

NASPort

str

RequestId

str

RequestTimestamp

timestamp

Roles

str

Service

str

SessionLogTimestamp

timestamp

Source

str

SystemPostureToken

str

Username

str

AcctAuthentic

str

AcctCalledStationId

str

AcctDelayTime

str

AcctStatusType

str

AuthMethod

str

AuthSource

str

AcctTimestamp

timestamp

AcctSessionId

str

AcctFramedIPAddress

ip4

AcctCallingStationId

str

AcctNASPortType

str

AcctNASPort

str

AcctNASIPAddress

ip4

AcctUsername

str

AcctInputOctets

str

AcctTerminationCause

str

unknown

str

rawMessage

str

hostchain

str

tag

str

Anchor
nac.aruba.wifi.event
nac.aruba.wifi.event
nac.aruba.wifi.event

Field

Type

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

hostname

str

error_location

str

error_id

ip4

error_number

str

severity

str

process

str

process_ip

str

username

str

user

str

usermac

str

server_name

str

server_group

str

server_ip

str

bssid

timestamp

SessionLogTimestamp_tmp

apname

timestamp

AcctTimestamp_tmp

authmethod

str

message

ip4

hostchain

str

tag

str

rawMessage

str

...

Rule 1: ClearPass Endpoint Profile events

  • Source Port → 13010

  • Source Message → CPPM_Endpoint_Profile

  • Target Tag → nac.aruba.cppm.endpoint

  • Select the "Stop processing" and "Sent without syslog tag" checkboxes.

Rule 2: ClearPass System Event events

  • Source Port → 13010

  • Source Message → CPPM_System_Event

  • Target Tag → nac.aruba.cppm.system

  • Select the "Stop processing" and "Sent without syslog tag" checkboxes.

Rule 3: ClearPass System Stat events

  • Source Port → 13010

  • Source Message → CPPM_System_Stat

  • Target Tag → nac.aruba.cppm.system_stat

  • Select the "Stop processing" and "Sent without syslog tag" checkboxes.

Rule 4: ClearPass Policy events

  • Source Port → 13010

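  • Source Message → CPPM_ (this pattern also matches the Source Message values of Rules 1–3, so keep this rule after them; otherwise endpoint, system and system-stat events would be tagged as nac.aruba.cppm.policy and would not reach the tables that searches and alerts for those events read from)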

  • Target Tag → nac.aruba.cppm.policy

  • Select the "Stop processing" and "Sent without syslog tag" checkboxes.

Rule 5: Aruba OS events

  • Source Port → 13010

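  • Target Tag → nac.aruba.os.events (this rule has no Source Message filter, so it applies to everything else received on port 13010; keep it after Rules 1–4 so that ClearPass events are not tagged as Aruba OS events)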

  • Select the "Stop processing" and "Sent without syslog tag" checkboxes.

...