...
| Tag/table name | Event types* |
|---|---|
| nac.aruba.cppm.endpoint | CPPM_Endpoint_Profile |
| nac.aruba.cppm.system | CPPM_System_Event |
| nac.aruba.cppm.system_stat | CPPM_System_Stat |
| nac.aruba.cppm.policy | CPPM_Alert, CPPM_Audit_Record, CPPM_Dashboard_Summary, CPPM_Policy_Server_Session, CPPM_Post_Auth_Monit_Config, CPPM_Proc_Stats, CPPM_RADCOA_Session_Log, CPPM_RADIUS_Accounting, CPPM_RADIUS_Accounting_Detail, CPPM_RADIUS_Session, CPPM_Session_Detail, CPPM_TACACS_Accounting_Detail, CPPM_TACACS_Accouting_Record, CPPM_TACACS_Session |
| nac.aruba.os.events | Aruba OS log events |

* As the names of the event types can be customized for each installation, the event type names in this table are meant for guidance only.
...
nac.aruba.audit.all

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostIP | ip4 | | |
| Timestamp | str | | |
| EntityName | str | | |
| Category | str | | |
| Action | str | | |
| User | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | |

nac.aruba.clearpass.audit

| Field | Type | Extra fields | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | | vhost |
| procid | str | | |
| msgid | str | | |
| tzKnown | str | | |
| swVersion | str | | |
| software | str | | |
| ip | str | | |
| enterpriseId | str | | |
| eventId | str | | |
| Action | str | | |
| Category | str | | |
| User | str | | |
| EntityName | str | | |
| CppmNode | str | | |
| Timestamp | str | | |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | | |

nac.aruba.clearpass.audit_records

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| header__version | str | |
| header__device_vendor | str | |
| header__device_product | str | |
| header__device_version | str | |
| header__device_event_class_id | str | |
| header__name | str | |
| header__severity | str | |
| extension__dvc | ip4 | |
| extension__fname | str | |
| extension__rt | timestamp | |
| extension__act | str | |
| extension__duser | str | |
| extension__cat | str | |
| prefix | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

nac.aruba.clearpass.configuration_audit

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| header__version | str | |
| header__device_vendor | str | |
| header__device_product | str | |
| header__device_version | str | |
| header__device_event_class_id | str | |
| header__name | str | |
| header__severity | str | |
| extension__dvc | ip4 | |
| extension__fname | str | |
| extension__rt | timestamp | |
| extension__act | str | |
| extension__duser | str | |
| extension__cat | str | |
| prefix | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

nac.aruba.clearpass.insight

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | eventdate | | |
| host | host | vhost | |
| procid | procid | | |
| msgid | msgid | | |
| tzKnown | tzKnown | | |
| swVersion | swVersion | | |
| software | software | | |
| ip | ip | | |
| enterpriseId | enterpriseId | | |
| eventId | eventId | | |
| Username | Username | | |
| UpdatedAt | UpdatedAt | | |
| MACAddress | MACAddress | | |
| IPAddress | IPAddress | | |
| Status | Status | | |
| Conflict | Conflict | | |
| CppmNode | CppmNode | | |
| AddedAt | AddedAt | | |
| hostchain | hostchain | | ✓ |
| tag | tag | | ✓ |
| rawMessage | rawMessage | | |

nac.aruba.clearpass.session

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| procid | str | | |
| msgid | str | | |
| tzKnown | str | | |
| swVersion | str | | |
| software | str | | |
| ip | str | | |
| enterpriseId | str | | |
| AuthType | str | | |
| NASName | str | | |
| Service | str | | |
| NASIPAddress | str | | |
| Source | str | | |
| AuthSource | str | | |
| EnforcementProfiles | str | | |
| ConnectionStatus | str | | |
| MonitorMode | str | | |
| LoginStatus | str | | |
| Roles | str | | |
| CppmNode | str | | |
| SystemPostureToken | str | | |
| RequestId | str | | |
| RequestTimestamp | str | | |
| AuthMethod | str | | |
| SessionLogTimestamp | str | | |
| Username | str | | |
| AlertsPresent | str | | |
| ErrorCode | str | | |
| AuditPostureToken | str | | |
| NadName | str | | |
| AuthProtocol | str | | |
| CppmErrorCodeDetails | str | | |
| CppmAlerts | str | | |
| EndpointDeviceName | str | | |
| AuthLoginStatus | str | | |
| AuthNASIPAddress | str | | |
| EndpointHostname | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | |

nac.aruba.clearpass.system

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| procid | str | | |
| msgid | str | | |
| tzKnown | str | | |
| swVersion | str | | |
| software | str | | |
| ip | str | | |
| enterpriseId | str | | |
| eventId | str | | |
| Action | str | | |
| Category | str | | |
| Description | str | | |
| user | str | | |
| role | str | | |
| authentication_source | str | | |
| session_id | str | | |
| client_ip | ip4 | | |
| session_inactive_expiry_time | str | | |
| Level | str | | |
| Component | str | | |
| CppmNode | str | | |
| Timestamp | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | |

nac.aruba.cppm

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| subtype | str | | vsubtype | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | `ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))` | timestamp_tmp | |
| mac_address | str | | | |
| id | str | | | |
| nas_ip | ip4 | | | |
| message | str | | rawSource | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |

nac.aruba.cppm.endpoint

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| subtype | str | | vsubtype | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | `ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))` | timestamp_tmp | |
| mac_address | str | | | |
| id | str | | | |
| nas_ip | ip4 | | | |
| message | str | | rawSource | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |

nac.aruba.cppm.policy

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| rawMessage | str | | | ✓ |
| host | str | | vhost | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | `ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))` | timestamp_tmp | |
| id | str | | | |
| session_id | str | | | |
| attr_name | str | | | |
| attr_value | str | | | |
| flags | str | | | |
| user_name | str | | | |
| nas_ip | ip4 | | | |
| port | str | | | |
| remote_address | str | | | |
| priv_level | int4 | | | |
| authen_type | str | | | |
| authen_method | str | | | |
| authen_service | str | | | |
| service_name | str | | | |
| auth_method | str | | | |
| auth_source | str | | | |
| end_host_id | str | | | |
| request_status | str | | | |
| error_code | int4 | | | |
| mac_address | str | | | |
| nas_port | int4 | | | |
| request_id | str | | | |
| action_id | str | | | |
| action_type | str | | | |
| action_name | str | | | |
| action_display_name | str | | | |
| application_name | str | | | |
| status_code | str | | | |
| status_msg | str | | | |
| req_source | str | | | |
| alerts_present | int4 | | | |
| conn_status | str | | | |
| login_status | str | | | |
| write_timestamp | str | | | |
| monitor_mode | str | | | |
| roles | str | | | |
| audit_apt | str | | | |
| spt | str | | | |
| enf_profiles | str | | | |
| alert | str | | | |
| action | str | | | |
| category | str | | | |
| entityname | str | | | |
| user | str | | | |
| auth_type | str | | | |
| cpu_usage | int4 | | | |
| process_id | int4 | | | |
| res_mem_usage | int4 | | | |
| virt_mem_usage | int4 | | | |
| acct_authentic | str | | | |
| acct_delay_time | str | | | |
| acct_input_octets | str | | | |
| acct_input_packets | str | | | |
| acct_output_octets | str | | | |
| acct_output_packets | str | | | |
| acct_session_id | str | | | |
| acct_session_time | str | | | |
| acct_status_type | str | | | |
| acct_terminate_cause | str | | | |
| called_station_id | str | | | |
| calling_station_id | str | | | |
| ip_address | str | | | |
| nas_port_type | str | | | |
| seq_num | str | | | |
| type | str | | | |
| cn | str | | | |
| dc | str | | | |
| ou | str | | | |
| authen_action | str | | | |
| request_type | str | | | |
| server_id | str | | | |
| tacacs_profiles | str | | | |
| tips_roles | str | | | |
| user_session_id | str | | | |
| message | str | | rawMessage | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |

nac.aruba.cppm.system

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| rawMessage | str | | rawSource | ✓ |
| host | str | | vhost | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | `ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))` | timestamp_tmp | |
| event_source | str | | | |
| level | str | | | |
| category | str | | | |
| description | str | | | |
| action | str | | | |
| message | str | | rawSource | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |

nac.aruba.cppm.system_stat

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| rawMessage | str | | | ✓ |
| host | str | | vhost | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | `ifthenelse(timestamp_tmp[3] = " ", parsedate(substring(timestamp_tmp, 0, 24), "MMM DD YYYY HH:mm:ss.SSS", ifthenelse(length(split(timestamp_tmp, " ")) = 5, split(timestamp_tmp, " ", 4), "")), ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")))` | timestamp_tmp | |
| component | str | | | |
| level | str | | | |
| category | str | | | |
| action | str | | | |
| description | str | | | |
| id | str | | | |
| swap_size_used | int8 | | | |
| slash_size_used | int8 | | | |
| swap_memory_avail | int8 | | | |
| system_memory_avail | int8 | | | |
| cpu_raw_user | int4 | | | |
| cpu_raw_nice | int4 | | | |
| cpu_raw_system | int4 | | | |
| cpu_raw_idle | int4 | | | |
| mgmt_inf_status | str | | | |
| data_inf_status | str | | | |
| uptime | int8 | | | |
| message | str | | rawMessage | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |

nac.aruba.os.events

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| col1 | int8 | | |
| error_number | int8 | | |
| severity | str | | |
| ap_cassification_rule | str | | |
| process | str | | |
| message | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |

nac.aruba.other.events

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |

nac.aruba.sessions.common

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| time | str | | | |
| eventID | str | | | |
| hostIP | ip4 | | | |
| type | str | | | |
| id1 | str | | | |
| id2 | str | | | |
| id3 | str | | | |
| Alerts | str | | | |
| AlertsPresent | int4 | | | |
| AuditPostureToken | str | | | |
| AuthType | str | | | |
| ConnectionStatus | str | | | |
| EnforcementProfiles | str | | | |
| ErrorCode | str | | | |
| HostMACAddress | str | | | |
| LoginStatus | str | | | |
| MonitorMode | str | | | |
| NASIPAddress | str | | | |
| NASPort | str | | | |
| RequestId | str | | | |
| RequestTimestamp | timestamp | `parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))` | RequestTimestamp_tmp | |
| Roles | str | | | |
| Service | str | | | |
| SessionLogTimestamp | timestamp | `parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC"))` | SessionLogTimestamp_tmp | |
| Source | str | | | |
| SystemPostureToken | str | | | |
| Username | str | | | |
| unknown | str | | | |
| hostchain | str | | | |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

nac.aruba.sessions.failed_authentications

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| time | str | | | |
| eventID | str | | | |
| hostIP | ip4 | | | |
| type | str | | | |
| id1 | str | | | |
| id2 | str | | | |
| id3 | str | | | |
| Username | str | | | |
| Services | str | | | |
| Roles | str | | | |
| AuthSource | str | | | |
| AuthMethod | str | | | |
| SystemPostureToken | str | | | |
| EnforcementProfiles | str | | | |
| HostMACAddress | str | | | |
| NASIPAddress | str | | | |
| ErrorCode | str | | | |
| Alerts | str | | | |
| RequestTimestamp | timestamp | `parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))` | RequestTimestamp_tmp | |
| unknown | str | | | |
| hostchain | str | | | |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

nac.aruba.sessions.radius

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| time | str | | | |
| eventID | str | | | |
| hostIP | ip4 | | | |
| type | str | | | |
| id1 | str | | | |
| id2 | str | | | |
| id3 | str | | | |
| AcctAuthentic | str | | | |
| AcctCalledStationId | str | | | |
| AcctDelayTime | str | | | |
| AcctStatusType | str | | | |
| AuthMethod | str | | | |
| AuthSource | str | | | |
| SessionLogTimestamp | timestamp | `parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))` | SessionLogTimestamp_tmp | |
| AcctTimestamp | timestamp | `parsedate(AcctTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC"))` | AcctTimestamp_tmp | |
| AcctSessionId | str | | | |
| AcctFramedIPAddress | ip4 | | | |
| AcctCallingStationId | str | | | |
| AcctNASPortType | str | | | |
| AcctNASPort | str | | | |
| AcctNASIPAddress | ip4 | | | |
| AcctUsername | str | | | |
| AcctInputOctets | str | | | |
| AcctTerminationCause | str | | | |
| unknown | str | | | |
| hostchain | str | | | |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

nac.aruba.sessions

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| host | str | |
| subtype | str | |
| time | str | |
| eventID | str | |
| hostIP | ip4 | |
| type | str | |
| id1 | str | |
| id2 | str | |
| id3 | str | |
| Alerts | str | |
| AlertsPresent | int4 | |
| AuditPostureToken | str | |
| AuthType | str | |
| ConnectionStatus | str | |
| EnforcementProfiles | str | |
| ErrorCode | str | |
| HostMACAddress | str | |
| LoginStatus | str | |
| MonitorMode | str | |
| NASIPAddress | str | |
| NASPort | str | |
| RequestId | str | |
| RequestTimestamp | timestamp | |
| Roles | str | |
| Service | str | |
| SessionLogTimestamp | timestamp | |
| Source | str | |
| SystemPostureToken | str | |
| Username | str | |
| AcctAuthentic | str | |
| AcctCalledStationId | str | |
| AcctDelayTime | str | |
| AcctStatusType | str | |
| AuthMethod | str | |
| AuthSource | str | |
| AcctTimestamp | timestamp | |
| AcctSessionId | str | |
| AcctFramedIPAddress | ip4 | |
| AcctCallingStationId | str | |
| AcctNASPortType | str | |
| AcctNASPort | str | |
| AcctNASIPAddress | ip4 | |
| AcctUsername | str | |
| AcctInputOctets | str | |
| AcctTerminationCause | str | |
| unknown | str | |
| rawMessage | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |

nac.aruba.wifi.event

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostname | str | | |
| error_location | str | | |
| error_id | ip4 | | |
| error_number | str | | |
| severity | str | | |
| process | str | | |
| process_ip | str | | |
| username | str | | |
| user | str | | |
| usermac | str | | |
| server_name | str | | |
| server_group | str | | |
| server_ip | str | | |
| bssid | timestamp | SessionLogTimestamp_tmp | |
| apname | timestamp | AcctTimestamp_tmp | |
| authmethod | str | | |
| message | ip4 | | |
| hostchain | str | | |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |

...
Rule 1: ClearPass Endpoint Profile events
- Source Port → 13010
- Source Message → CPPM_Endpoint_Profile
- Target Tag → nac.aruba.cppm.endpoint
- Select the Stop processing and Sent without syslog tag checkboxes.

Rule 2: ClearPass System Event events
- Source Port → 13010
- Source Message → CPPM_System_Event
- Target Tag → nac.aruba.cppm.system
- Select the Stop processing and Sent without syslog tag checkboxes.

Rule 3: ClearPass System Stat events
- Source Port → 13010
- Source Message → CPPM_System_Stat
- Target Tag → nac.aruba.cppm.system_stat
- Select the Stop processing and Sent without syslog tag checkboxes.

Rule 4: ClearPass Policy events

Rule 5: Aruba OS events
...