Introduction
Tags that start with nac.aruba identify all log events generated by Aruba Networks ClearPass and Aruba OS.
For information about ClearPass, see the vendor website.
...
Valid tags and data tables
The full nac.aruba tags have four levels. The first two are fixed as nac.aruba. The third level identifies the service type and must be one of cppm (for ClearPass Policy Manager events) or os (for Aruba OS events). The fourth level of the tag identifies the event type.
...
03:51:52,778 10.101.3.40 CPPM_Alert 2378010 1 0 session_id=...
...
Technology | Brand | Type | Subtype 1 | Subtype 2 |
---|
nac | aruba | | endpoint system system_stat policy | - |
These are the valid tags and the types of events that correspond to each:
Tag/table name | Event types* |
---|
nac.aruba.cppm.endpoint | CPPM_Endpoint_Profile |
nac.aruba.cppm.system | CPPM_System_Event |
nac.aruba.cppm.system_stat | CPPM_System_Stat |
nac.aruba.cppm.policy | CPPM_Alert CPPM_Audit_Record CPPM_Dashboard_Summary CPPM_Policy_Server_Session CPPM_Post_Auth_Monit_Config CPPM_Proc_Stats CPPM_RADCOA_Session_Log CPPM_RADIUS_Accounting CPPM_RADIUS_Accounting_Detail CPPM_RADIUS_Session CPPM_Session_Detail CPPM_TACACS_Accounting_Detail CPPM_TACACS_Accouting_Record CPPM_TACACS_Session |
nac.aruba.os.events | Aruba OS log events |
* As the names of the event types can be customized for each installation, the event type names in this table are meant for guidance only.
When the events are delivered to Devo, they will be accessible in the Finder in tables of the same names.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|
Aruba ClearPass | nac.aruba.audit.all | nac.aruba.audit.all |
| nac.aruba.clearpass.audit | nac.aruba.clearpass.audit |
| nac.aruba.clearpass.audit_records | nac.aruba.clearpass.audit_records |
| nac.aruba.clearpass.configuration_audit | nac.aruba.clearpass.configuration_audit |
| nac.aruba.clearpass.insight | nac.aruba.clearpass.insight |
| nac.aruba.clearpass.session | nac.aruba.clearpass.session |
| nac.aruba.clearpass.system | nac.aruba.clearpass.system |
| nac.aruba.cppm | nac.aruba.cppm |
| nac.aruba.cppm.endpoint | nac.aruba.cppm.endpoint |
| nac.aruba.cppm.policy | nac.aruba.cppm.policy |
| nac.aruba.cppm.system | nac.aruba.cppm.system |
| nac.aruba.cppm.system_stat | nac.aruba.cppm.system_stat |
| nac.aruba.os.events | nac.aruba.os.events |
| nac.aruba.other.events | nac.aruba.other.events |
| nac.aruba.sessions.common | nac.aruba.sessions.common |
| nac.aruba.sessions.failed_authentications | nac.aruba.sessions.failed_authentications |
| nac.aruba.sessions.radius | nac.aruba.sessions.radius |
| nac.aruba.sessions | nac.aruba.sessions |
| nac.aruba.wifi.event | nac.aruba.wifi.event |
For more information, read more about Devo tags.
Tag structure
These are the fields displayed in these tables:
nac.aruba.audit.all
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
host | str | vhost | |
hostIP | ip4 | | |
Timestamp | str | | |
EntityName | str | | |
Category | str | | |
Action | str | | |
User | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | |
nac.aruba.clearpass.audit
Field | Type | Extra fields | Source field name |
---|
eventdate | timestamp | | |
host | str | | vhost |
procid | str | | |
msgid | str | | |
tzKnown | str | | |
swVersion | str | | |
software | str | | |
ip | str | | |
enterpriseId | str | | |
eventId | str | | |
Action | str | | |
Category | str | | |
User | str | | |
EntityName | str | | |
CppmNode | str | | |
Timestamp | str | | |
hostchain | str | ✓ | |
tag | str | ✓ | |
rawMessage | str | | |
nac.aruba.clearpass.audit_records
Field | Type | Extra fields |
---|
eventdate | timestamp | |
hostname | str | |
header__version | str | |
header__device_vendor | str | |
header__device_product | str | |
header__device_version | str | |
header__device_event_class_id | str | |
header__name | str | |
header__severity | str | |
extension__dvc | ip4 | |
extension__fname | str | |
extension__rt | timestamp | |
extension__act | str | |
extension__duser | str | |
extension__cat | str | |
prefix | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | |
nac.aruba.clearpass.configuration_audit
Field | Type | Extra fields |
---|
eventdate | timestamp | |
hostname | str | |
header__version | str | |
header__device_vendor | str | |
header__device_product | str | |
header__device_version | str | |
header__device_event_class_id | str | |
header__name | str | |
header__severity | str | |
extension__dvc | ip4 | |
extension__fname | str | |
extension__rt | timestamp | |
extension__act | str | |
extension__duser | str | |
extension__cat | str | |
prefix | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |
nac.aruba.clearpass.insight
Field | Type | Source field name | Extra fields |
---|
eventdate | eventdate | | |
host | host | vhost | |
procid | procid | | |
msgid | msgid | | |
tzKnown | tzKnown | | |
swVersion | swVersion | | |
software | software | | |
ip | ip | | |
enterpriseId | enterpriseId | | |
eventId | eventId | | |
Username | Username | | |
UpdatedAt | UpdatedAt | | |
MACAddress | MACAddress | | |
IPAddress | IPAddress | | |
Status | Status | | |
Conflict | Conflict | | |
CppmNode | CppmNode | | |
AddedAt | AddedAt | | |
hostchain | hostchain | | ✓ |
tag | tag | | ✓ |
rawMessage | rawMessage | | |
nac.aruba.clearpass.session
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
host | str | vhost | |
procid | str | | |
msgid | str | | |
tzKnown | str | | |
swVersion | str | | |
software | str | | |
ip | str | | |
enterpriseId | str | | |
AuthType | str | | |
NASName | str | | |
Service | str | | |
NASIPAddress | str | | |
Source | str | | |
AuthSource | str | | |
EnforcementProfiles | str | | |
ConnectionStatus | str | | |
MonitorMode | str | | |
LoginStatus | str | | |
Roles | str | | |
CppmNode | str | | |
SystemPostureToken | str | | |
RequestId | str | | |
RequestTimestamp | str | | |
AuthMethod | str | | |
SessionLogTimestamp | str | | |
Username | str | | |
AlertsPresent | str | | |
ErrorCode | str | | |
AuditPostureToken | str | | |
NadName | str | | |
AuthProtocol | str | | |
CppmErrorCodeDetails | str | | |
CppmAlerts | str | | |
EndpointDeviceName | str | | |
AuthLoginStatus | str | | |
AuthNASIPAddress | str | | |
EndpointHostname | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | |
nac.aruba.clearpass.system
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
host | str | vhost | |
procid | str | | |
msgid | str | | |
tzKnown | str | | |
swVersion | str | | |
software | str | | |
ip | str | | |
enterpriseId | str | | |
eventId | str | | |
Action | str | | |
Category | str | | |
Description | str | | |
user | str | | |
role | str | | |
authentication_source | str | | |
session_id | str | | |
client_ip | ip4 | | |
session_inactive_expiry_time | str | | |
Level | str | | |
Component | str | | |
CppmNode | str | | |
Timestamp | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | |
nac.aruba.cppm
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
host | str | | vhost | |
subtype | str | | vsubtype | |
cat_name | str | | | |
msg_id | str | | | |
total_seg | int4 | | | |
seg_num | int4 | | | |
timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
mac_address | str | | | |
id | str | | | |
nas_ip | ip4 | | | |
message | str | | rawSource | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
rawMessage | str | | rawSource | ✓ |
nac.aruba.cppm.endpoint
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
host | str | | vhost | |
subtype | str | | vsubtype | |
cat_name | str | | | |
msg_id | str | | | |
total_seg | int4 | | | |
seg_num | int4 | | | |
timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
mac_address | str | | | |
id | str | | | |
nas_ip | ip4 | | | |
message | str | | rawSource | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
rawMessage | str | | rawSource | ✓ |
nac.aruba.cppm.policy
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
rawMessage | str | | | ✓ |
host | str | | vhost | |
cat_name | str | | | |
msg_id | str | | | |
total_seg | int4 | | | |
seg_num | int4 | | | |
timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
id | str | | | |
session_id | str | | | |
attr_name | str | | | |
attr_value | str | | | |
flags | str | | | |
user_name | str | | | |
nas_ip | ip4 | | | |
port | str | | | |
remote_address | str | | | |
priv_level | int4 | | | |
authen_type | str | | | |
authen_method | str | | | |
authen_service | str | | | |
service_name | str | | | |
auth_method | str | | | |
auth_source | str | | | |
end_host_id | str | | | |
request_status | str | | | |
error_code | int4 | | | |
mac_address | str | | | |
nas_port | int4 | | | |
request_id | str | | | |
action_id | str | | | |
action_type | str | | | |
action_name | str | | | |
action_display_name | str | | | |
application_name | str | | | |
status_code | str | | | |
status_msg | str | | | |
req_source | str | | | |
alerts_present | int4 | | | |
conn_status | str | | | |
login_status | str | | | |
write_timestamp | str | | | |
monitor_mode | str | | | |
roles | str | | | |
audit_apt | str | | | |
spt | str | | | |
enf_profiles | str | | | |
alert | str | | | |
action | str | | | |
category | str | | | |
entityname | str | | | |
user | str | | | |
auth_type | str | | | |
cpu_usage | int4 | | | |
process_id | int4 | | | |
res_mem_usage | int4 | | | |
virt_mem_usage | int4 | | | |
acct_authentic | str | | | |
acct_delay_time | str | | | |
acct_input_octets | str | | | |
acct_input_packets | str | | | |
acct_output_octets | str | | | |
acct_output_packets | str | | | |
acct_session_id | str | | | |
acct_session_time | str | | | |
acct_status_type | str | | | |
acct_terminate_cause | str | | | |
called_station_id | str | | | |
calling_station_id | str | | | |
ip_address | str | | | |
nas_port_type | str | | | |
seq_num | str | | | |
type | str | | | |
cn | str | | | |
dc | str | | | |
ou | str | | | |
authen_action | str | | | |
request_type | str | | | |
server_id | str | | | |
tacacs_profiles | str | | | |
tips_roles | str | | | |
user_session_id | str | | | |
message | str | | rawMessage | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
nac.aruba.cppm.system
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
rawMessage | str | | rawSource | ✓ |
host | str | | vhost | |
cat_name | str | | | |
msg_id | str | | | |
total_seg | int4 | | | |
seg_num | int4 | | | |
timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
event_source | str | | | |
level | str | | | |
category | str | | | |
description | str | | | |
action | str | | | |
message | str | | rawSource | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
nac.aruba.cppm.system_stat
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
rawMessage | str | | | ✓ |
host | str | | vhost | |
cat_name | str | | | |
msg_id | str | | | |
total_seg | int4 | | | |
seg_num | int4 | | | |
timestamp | timestamp | ifthenelse(timestamp_tmp[3] = " ", parsedate(substring(timestamp_tmp, 0, 24), "MMM DD YYYY HH:mm:ss.SSS", ifthenelse(length(split(timestamp_tmp, " ")) = 5, split(timestamp_tmp, " ", 4), "")), ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))) | timestamp_tmp | |
component | str | | | |
level | str | | | |
category | str | | | |
action | str | | | |
description | str | | | |
id | str | | | |
swap_size_used | int8 | | | |
slash_size_used | int8 | | | |
swap_memory_avail | int8 | | | |
system_memory_avail | int8 | | | |
cpu_raw_user | int4 | | | |
cpu_raw_nice | int4 | | | |
cpu_raw_system | int4 | | | |
cpu_raw_idle | int4 | | | |
mgmt_inf_status | str | | | |
data_inf_status | str | | | |
uptime | int8 | | | |
message | str | | rawMessage | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
nac.aruba.os.events
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
host | str | vhost | |
col1 | int8 | | |
error_number | int8 | | |
severity | str | | |
ap_cassification_rule | str | | |
process | str | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | ✓ |
nac.aruba.other.events
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
host | str | vhost | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | rawSource | ✓ |
nac.aruba.sessions.common
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
host | str | | vhost | |
time | str | | | |
eventID | str | | | |
hostIP | ip4 | | | |
type | str | | | |
id1 | str | | | |
id2 | str | | | |
id3 | str | | | |
Alerts | str | | | |
AlertsPresent | int4 | | | |
AuditPostureToken | str | | | |
AuthType | str | | | |
ConnectionStatus | str | | | |
EnforcementProfiles | str | | | |
ErrorCode | str | | | |
HostMACAddress | str | | | |
LoginStatus | str | | | |
MonitorMode | str | | | |
NASIPAddress | str | | | |
NASPort | str | | | |
RequestId | str | | | |
RequestTimestamp | timestamp | parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC")) | RequestTimestamp_tmp | |
Roles | str | | | |
Service | str | | | |
SessionLogTimestamp | timestamp | parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC")) | SessionLogTimestamp_tmp | |
Source | str | | | |
SystemPostureToken | str | | | |
Username | str | | | |
unknown | str | | | |
hostchain | str | | | |
tag | str | | | ✓ |
rawMessage | str | | | ✓ |
nac.aruba.sessions.failed_authentications
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
host | str | | vhost | |
time | str | | | |
eventID | str | | | |
hostIP | ip4 | | | |
type | str | | | |
id1 | str | | | |
id2 | str | | | |
id3 | str | | | |
Username | str | | | |
Services | str | | | |
Roles | str | | | |
AuthSource | str | | | |
AuthMethod | str | | | |
SystemPostureToken | str | | | |
EnforcementProfiles | str | | | |
HostMACAddress | str | | | |
NASIPAddress | str | | | |
ErrorCode | str | | | |
Alerts | str | | | |
RequestTimestamp | timestamp | parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC")) | RequestTimestamp_tmp | |
unknown | str | | | |
hostchain | str | | | |
tag | str | | | ✓ |
rawMessage | str | | | ✓ |
nac.aruba.sessions.radius
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
host | str | | vhost | |
time | str | | | |
eventID | str | | | |
hostIP | ip4 | | | |
type | str | | | |
id1 | str | | | |
id2 | str | | | |
id3 | str | | | |
AcctAuthentic | str | | | |
AcctCalledStationId | str | | | |
AcctDelayTime | str | | | |
AcctStatusType | str | | | |
AuthMethod | str | | | |
AuthSource | str | | | |
SessionLogTimestamp | timestamp | parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC")) | SessionLogTimestamp_tmp | |
AcctTimestamp | timestamp | parsedate(AcctTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC")) | AcctTimestamp_tmp | |
AcctSessionId | str | | | |
AcctFramedIPAddress | ip4 | | | |
AcctCallingStationId | str | | | |
AcctNASPortType | str | | | |
AcctNASPort | str | | | |
AcctNASIPAddress | ip4 | | | |
AcctUsername | str | | | |
AcctInputOctets | str | | | |
AcctTerminationCause | str | | | |
unknown | str | | | |
hostchain | str | | | |
tag | str | | | ✓ |
rawMessage | str | | | ✓ |
nac.aruba.sessions
Field | Type | Extra fields |
---|
eventdate | timestamp | |
host | str | |
subtype | str | |
time | str | |
eventID | str | |
hostIP | ip4 | |
type | str | |
id1 | str | |
id2 | str | |
id3 | str | |
Alerts | str | |
AlertsPresent | int4 | |
AuditPostureToken | str | |
AuthType | str | |
ConnectionStatus | str | |
EnforcementProfiles | str | |
ErrorCode | str | |
HostMACAddress | str | |
LoginStatus | str | |
MonitorMode | str | |
NASIPAddress | str | |
NASPort | str | |
RequestId | str | |
RequestTimestamp | timestamp | |
Roles | str | |
Service | str | |
SessionLogTimestamp | timestamp | |
Source | str | |
SystemPostureToken | str | |
Username | str | |
AcctAuthentic | str | |
AcctCalledStationId | str | |
AcctDelayTime | str | |
AcctStatusType | str | |
AuthMethod | str | |
AuthSource | str | |
AcctTimestamp | timestamp | |
AcctSessionId | str | |
AcctFramedIPAddress | ip4 | |
AcctCallingStationId | str | |
AcctNASPortType | str | |
AcctNASPort | str | |
AcctNASIPAddress | ip4 | |
AcctUsername | str | |
AcctInputOctets | str | |
AcctTerminationCause | str | |
unknown | str | |
rawMessage | str | |
hostchain | str | ✓ |
tag | str | ✓ |
nac.aruba.wifi.event
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
host | str | vhost | |
hostname | str | | |
error_location | str | | |
error_id | ip4 | | |
error_number | str | | |
severity | str | | |
process | str | | |
process_ip | str | | |
username | str | | |
user | str | | |
usermac | str | | |
server_name | str | | |
server_group | str | | |
server_ip | str | | |
bssid | timestamp | SessionLogTimestamp_tmp | |
apname | timestamp | AcctTimestamp_tmp | |
authmethod | str | | |
message | ip4 | | |
hostchain | str | | |
tag | str | | ✓ |
rawMessage | str | | ✓ |
How is the data sent to Devo?
...
Rule 1: ClearPass Endpoint Profile events
Source Port → 13010
Source Message → CPPM_Endpoint_Profile
Target Tag → nac.aruba.cppm.endpoint
Select the Stop processing and Sent without syslog tag checkboxes.

Rule 2: ClearPass System Event events
Source Port → 13010
Source Message → CPPM_System_Event
Target Tag → nac.aruba.cppm.system
Select the Stop processing and Sent without syslog tag checkboxes.

Rule 3: ClearPass System Stat events
Source Port → 13010
Source Message → CPPM_System_Stat
Target Tag → nac.aruba.cppm.system_stat
Select the Stop processing and Sent without syslog tag checkboxes.

Rule 4: ClearPass Policy events

Rule 5: Aruba OS events
...
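The event-type table and relay rules 1 to 3 above map a ClearPass event type to a tag. The following added example (not Devo's parser or relay code) applies that mapping to raw lines and mirrors the two-format timestamp transformation from the nac.aruba.cppm field tables. The header layout read off the sample line, the `route` and `parse_timestamp` names, the sample payloads and the `+0000` offset form are assumptions.

```python
import re
from datetime import datetime

# Event type -> tag, copied from the event-type table on this page. Names can be
# customized per installation, so treat this map as a default to adjust.
POLICY_TYPES = (
    "CPPM_Alert CPPM_Audit_Record CPPM_Dashboard_Summary CPPM_Policy_Server_Session "
    "CPPM_Post_Auth_Monit_Config CPPM_Proc_Stats CPPM_RADCOA_Session_Log "
    "CPPM_RADIUS_Accounting CPPM_RADIUS_Accounting_Detail CPPM_RADIUS_Session "
    "CPPM_Session_Detail CPPM_TACACS_Accounting_Detail CPPM_TACACS_Accouting_Record "
    "CPPM_TACACS_Session"
).split()
EVENT_TAGS = {
    "CPPM_Endpoint_Profile": "nac.aruba.cppm.endpoint",
    "CPPM_System_Event": "nac.aruba.cppm.system",
    "CPPM_System_Stat": "nac.aruba.cppm.system_stat",
    **dict.fromkeys(POLICY_TYPES, "nac.aruba.cppm.policy"),
}

# Assumed header layout, read off the sample line on this page:
#   <time> <sender ip> <event type> <msg_id> <total_seg> <seg_num> <key=value payload>
HEADER = re.compile(
    r"^(?P<time>\S+) (?P<host>\d{1,3}(?:\.\d{1,3}){3}) (?P<cat_name>CPPM_\w+) "
    r"(?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+) (?P<message>.*)$"
)

def route(line):
    """Return (tag, fields). tag is None for an unmapped event type;
    both are None when the header does not parse."""
    m = HEADER.match(line)
    if m is None:
        return None, None
    fields = m.groupdict()
    for key in ("total_seg", "seg_num"):
        fields[key] = int(fields[key])
    # Exact match on the header token only: a CPPM_* string inside the payload
    # (for example in a user name) must not decide where the event is stored.
    return EVENT_TAGS.get(fields["cat_name"]), fields

def parse_timestamp(timestamp_tmp):
    """Python equivalent of the page's ifthenelse(timestamp_tmp -> ".", ...) rule:
    use the fractional-seconds format only when the value contains a dot."""
    fmt = "%Y-%m-%d %H:%M:%S.%f%z" if "." in timestamp_tmp else "%Y-%m-%d %H:%M:%S%z"
    return datetime.strptime(timestamp_tmp, fmt)

# Constructed sample lines (the first follows the page's sample; payloads are invented).
SAMPLES = [
    "03:51:52,778 10.101.3.40 CPPM_Alert 2378010 1 0 session_id=R0001,user_name=alice",
    "03:51:53,001 10.101.3.40 CPPM_System_Stat 2378011 1 0 cpu_raw_idle=97",
    "03:51:54,120 10.101.3.40 CPPM_Custom_Name 2378012 1 0 user_name=CPPM_System_Event",
]

if __name__ == "__main__":
    for line in SAMPLES:
        tag, fields = route(line)
        print(tag, fields and fields["cat_name"])
    print(parse_timestamp("2024-01-15 03:51:52.778123+0000"))
    print(parse_timestamp("2024-01-15 03:51:52+0000"))
```

The third sample carries a renamed event type, so it returns no tag even though its payload contains a known event name; that is the signal to add the installation's custom name to the map.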