Page Comparison

Table of Contents

maxLevel	2
minLevel	2
type	flat

...

These are the types of events that correspond to each:

Tag/table name	Event types*
nac.aruba.cppm.endpoint	CPPM_Endpoint_Profile
nac.aruba.cppm.system	CPPM_System_Event
nac.aruba.cppm.system_stat	CPPM_System_Stat
nac.aruba.cppm.policy	CPPM_Alert CPPM_Audit_Record CPPM_Dashboard_Summary CPPM_Policy_Server_Session CPPM_Post_Auth_Monit_Config CPPM_Proc_Stats CPPM_RADCOA_Session_Log CPPM_RADIUS_Accounting CPPM_RADIUS_Accounting_Detail CPPM_RADIUS_Session CPPM_Session_Detail CPPM_TACACS_Accounting_Detail CPPM_TACACS_Accouting_Record CPPM_TACACS_Session
nac.aruba.os.events	Aruba OS log events

* As the names of the event types can be customized for each installation, the event type names in this table are meant for guidance only.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables
Aruba ClearPass	`nac.aruba.audit.all`	`nac.aruba.audit.all`
	`nac.aruba.clearpass.audit`	`nac.aruba.clearpass.audit`
	`nac.aruba.clearpass.audit_records`	`nac.aruba.clearpass.audit_records`
	`nac.aruba.clearpass.configuration_audit`	`nac.aruba.clearpass.configuration_audit`
	`nac.aruba.clearpass.insight`	`nac.aruba.clearpass.insight`
	`nac.aruba.clearpass.session`	`nac.aruba.clearpass.session`
	`nac.aruba.clearpass.system`	`nac.aruba.clearpass.system`
	`nac.aruba.cppm`	`nac.aruba.cppm`
	`nac.aruba.cppm.endpoint`	`nac.aruba.cppm.endpoint`
	`nac.aruba.cppm.policy`	`nac.aruba.cppm.policy`
	`nac.aruba.cppm.system`	`nac.aruba.cppm.system`
	`nac.aruba.cppm.system_stat`	`nac.aruba.cppm.system_stat`
	`nac.aruba.os.events`	`nac.aruba.os.events`
	`nac.aruba.other.events`	`nac.aruba.other.events`
	`nac.aruba.sessions.common`	`nac.aruba.sessions.common`
	`nac.aruba.sessions.failed_authentications`	`nac.aruba.sessions.failed_authentications`
	`nac.aruba.sessions.radius`	`nac.aruba.sessions.radius`
	`nac.aruba.sessions`	`nac.aruba.sessions`
	`nac.aruba.wifi.event`	`nac.aruba.wifi.event`

For more information, read more about Devo tags.

...

Rw ui tabs macro

Rw tab

title	1-4

nac.aruba.audit.all
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.configuration_audit

Anchor
nac.aruba.audit.all
nac.aruba.audit.all
nac.aruba.audit.all

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	vhost
hostIP	`ip4`
Timestamp	`str`
EntityName	`str`
Category	`str`
Action	`str`
User	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

Anchor
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit

Field	Type	Extra fields	Source field name
eventdate	`timestamp`
host	`str`		vhost
procid	`str`
msgid	`str`
tzKnown	`str`
swVersion	`str`
software	`str`
ip	`str`
enterpriseId	`str`
eventId	`str`
Action	`str`
Category	`str`
User	`str`
EntityName	`str`
CppmNode	`str`
Timestamp	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Anchor
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
header__version	`str`
header__device_vendor	`str`
header__device_product	`str`
header__device_version	`str`
header__device_event_class_id	`str`
header__name	`str`
header__severity	`str`
extension__dvc	`ip4`
extension__fname	`str`
extension__rt	`timestamp`
extension__act	`str`
extension__duser	`str`
extension__cat	`str`
prefix	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Anchor
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
header__version	`str`
header__device_vendor	`str`
header__device_product	`str`
header__device_version	`str`
header__device_event_class_id	`str`
header__name	`str`
header__severity	`str`
extension__dvc	`ip4`
extension__fname	`str`
extension__rt	`timestamp`
extension__act	`str`
extension__duser	`str`
extension__cat	`str`
prefix	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	5-9

nac.aruba.clearpass.insight
nac.aruba.clearpass.session
nac.aruba.clearpass.system
nac.aruba.cppm

Anchor
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight

Field	Type	Source field name	Extra fields
eventdate	`eventdate`
host	`host`	vhost
procid	`procid`
msgid	`msgid`
tzKnown	`tzKnown`
swVersion	`swVersion`
software	`software`
ip	`ip`
enterpriseId	`enterpriseId`
eventId	`eventId`
Username	`Username`
UpdatedAt	`UpdatedAt`
MACAddress	`MACAddress`
IPAddress	`IPAddress`
Status	`Status`
Conflict	`Conflict`
CppmNode	`CppmNode`
AddedAt	`AddedAt`
hostchain	`hostchain`		✓
tag	`tag`		✓
rawMessage	`rawMessage`

Anchor
nac.aruba.clearpass.session
nac.aruba.clearpass.session
nac.aruba.clearpass.session

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	vhost
procid	`str`
msgid	`str`
tzKnown	`str`
swVersion	`str`
software	`str`
ip	`str`
enterpriseId	`str`
AuthType	`str`
NASName	`str`
Service	`str`
NASIPAddress	`str`
Source	`str`
AuthSource	`str`
EnforcementProfiles	`str`
ConnectionStatus	`str`
MonitorMode	`str`
LoginStatus	`str`
Roles	`str`
CppmNode	`str`
SystemPostureToken	`str`
RequestId	`str`
RequestTimestamp	`str`
AuthMethod	`str`
SessionLogTimestamp	`str`
Username	`str`
AlertsPresent	`str`
ErrorCode	`str`
AuditPostureToken	`str`
NadName	`str`
AuthProtocol	`str`
CppmErrorCodeDetails	`str`
CppmAlerts	`str`
EndpointDeviceName	`str`
AuthLoginStatus	`str`
AuthNASIPAddress	`str`
EndpointHostname	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

Anchor
nac.aruba.clearpass.system
nac.aruba.clearpass.system
nac.aruba.clearpass.system

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	vhost
procid	`str`
msgid	`str`
tzKnown	`str`
swVersion	`str`
software	`str`
ip	`str`
enterpriseId	`str`
eventId	`str`
Action	`str`
Category	`str`
Description	`str`
user	`str`
role	`str`
authentication_source	`str`
session_id	`str`
client_ip	`ip4`
session_inactive_expiry_time	`str`
Level	`str`
Component	`str`
CppmNode	`str`
Timestamp	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

Anchor
nac.aruba.cppm
nac.aruba.cppm
nac.aruba.cppm

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

subtype

str

vsubtype

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

mac_address

str

id

str

nas_ip

ip4

message

str

rawSource

hostchain

str

✓

tag

str

✓

rawMessage

str

rawSource

✓

Rw tab

title	10-13

nac.aruba.cppm.endpoint
nac.aruba.cppm.policy
nac.aruba.cppm.system
nac.aruba.cppm.system_stat

Anchor
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

subtype

str

vsubtype

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

mac_address

str

id

str

nas_ip

ip4

message

str

rawSource

hostchain

str

✓

tag

str

✓

rawMessage

str

rawSource

✓

Anchor
nac.aruba.cppm.policy
nac.aruba.cppm.policy
nac.aruba.cppm.policy

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

rawMessage

str

✓

host

str

vhost

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

id

str

session_id

str

attr_name

str

attr_value

str

flags

str

user_name

str

nas_ip

ip4

port

str

remote_address

str

priv_level

int4

authen_type

str

authen_method

str

authen_service

str

service_name

str

auth_method

str

auth_source

str

end_host_id

str

request_status

str

error_code

int4

mac_address

str

nas_port

int4

request_id

str

action_id

str

action_type

str

action_name

str

action_display_name

str

application_name

str

status_code

str

status_msg

str

req_source

str

alerts_present

int4

conn_status

str

login_status

str

write_timestamp

str

monitor_mode

str

roles

str

audit_apt

str

spt

str

enf_profiles

str

alert

str

action

str

category

str

entityname

str

user

str

auth_type

str

cpu_usage

int4

process_id

int4

res_mem_usage

int4

virt_mem_usage

int4

acct_authentic

str

acct_delay_time

str

acct_input_octets

str

acct_input_packets

str

acct_output_octets

str

acct_output_packets

str

acct_session_id

str

acct_session_time

str

acct_status_type

str

acct_terminate_cause

str

called_station_id

str

calling_station_id

str

ip_address

str

nas_port_type

str

seq_num

str

type

str

cn

str

dc

str

ou

str

authen_action

str

request_type

str

server_id

str

tacacs_profiles

str

tips_roles

str

user_session_id

str

message

str

rawMessage

hostchain

str

✓

tag

str

✓

Anchor
nac.aruba.cppm.system
nac.aruba.cppm.system
nac.aruba.cppm.system

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

rawMessage

str

rawSource

✓

host

str

vhost

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block
ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))

timestamp_tmp

event_source

str

level

str

category

str

description

str

action

str

message

str

rawSource

hostchain

str

✓

tag

str

✓

Anchor
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

rawMessage

str

✓

host

str

vhost

cat_name

str

msg_id

str

total_seg

int4

seg_num

int4

timestamp

timestamp

Code Block

ifthenelse(timestamp_tmp[3] = " ", parsedate(substring(timestamp_tmp, 0, 24), "MMM DD YYYY HH:mm:ss.SSS", ifthenelse(length(split(timestamp_tmp, " ")) = 5, split(timestamp_tmp, " ", 4), "")), ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")))

timestamp_tmp

component

str

level

str

category

str

action

str

description

str

id

str

swap_size_used

int8

slash_size_used

int8

swap_memory_avail

int8

system_memory_avail

int8

cpu_raw_user

int4

cpu_raw_nice

int4

cpu_raw_system

int4

cpu_raw_idle

int4

mgmt_inf_status

str

data_inf_status

str

uptime

int8

message

str

rawMessage

hostchain

str

✓

tag

str

✓

Rw tab

title	14-17

nac.aruba.os.events
nac.aruba.other.events
nac.aruba.sessions.common
nac.aruba.sessions.failed_authentications

Anchor
nac.aruba.os.events
nac.aruba.os.events
nac.aruba.os.events

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	vhost
col1	`int8`
error_number	`int8`
severity	`str`
ap_cassification_rule	`str`
process	`str`
message	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓

Anchor
nac.aruba.other.events
nac.aruba.other.events
nac.aruba.other.events

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	vhost
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`	rawSource	✓

Anchor
nac.aruba.sessions.common
nac.aruba.sessions.common
nac.aruba.sessions.common

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

time

str

eventID

str

hostIP

ip4

type

str

id1

str

id2

str

id3

str

Alerts

str

AlertsPresent

int4

AuditPostureToken

str

AuthType

str

ConnectionStatus

str

EnforcementProfiles

str

ErrorCode

str

HostMACAddress

str

LoginStatus

str

MonitorMode

str

NASIPAddress

str

NASPort

str

RequestId

str

RequestTimestamp

timestamp

Code Block
parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))

RequestTimestamp_tmp

Roles

str

Service

str

SessionLogTimestamp

timestamp

Code Block
parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC"))

SessionLogTimestamp_tmp

Source

str

SystemPostureToken

str

Username

str

unknown

str

hostchain

str

tag

str

✓

rawMessage

str

✓

Anchor
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

time

str

eventID

str

hostIP

ip4

type

str

id1

str

id2

str

id3

str

Username

str

Services

str

Roles

str

AuthSource

str

AuthMethod

str

SystemPostureToken

str

EnforcementProfiles

str

HostMACAddress

str

NASIPAddress

str

ErrorCode

str

Alerts

str

RequestTimestamp

timestamp

Code Block
parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))

RequestTimestamp_tmp

unknown

str

hostchain

str

tag

str

✓

rawMessage

str

✓

Rw tab

title	18-20

nac.aruba.sessions.radius
nac.aruba.sessions
nac.aruba.wifi.event

✓

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

vhost

time

str

eventID

str

hostIP

ip4

type

str

id1

str

id2

str

id3

str

AcctAuthentic

str

AcctCalledStationId

str

AcctDelayTime

str

AcctStatusType

str

AuthMethod

str

AuthSource

str

SessionLogTimestamp

timestamp

Code Block
parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC"))

SessionLogTimestamp_tmp

AcctTimestamp

timestamp

Code Block
parsedate(AcctTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC"))

AcctTimestamp_tmp

AcctSessionId

str

AcctFramedIPAddress

ip4

AcctCallingStationId

str

AcctNASPortType

str

AcctNASPort

str

AcctNASIPAddress

ip4

AcctUsername

str

AcctInputOctets

str

AcctTerminationCause

str

unknown

str

hostchain

str

tag

str

✓

rawMessage

str

✓

Anchor
nac.aruba.sessions
nac.aruba.sessions
nac.aruba.sessions

Field	Type	Extra fields
eventdate	`timestamp`
host	`str`
subtype	`str`
time	`str`
eventID	`str`
hostIP	`ip4`
type	`str`
id1	`str`
id2	`str`
id3	`str`
Alerts	`str`
AlertsPresent	`int4`
AuditPostureToken	`str`
AuthType	`str`
ConnectionStatus	`str`
EnforcementProfiles	`str`
ErrorCode	`str`
HostMACAddress	`str`
LoginStatus	`str`
MonitorMode	`str`
NASIPAddress	`str`
NASPort	`str`
RequestId	`str`
RequestTimestamp	`timestamp`
Roles	`str`
Service	`str`
SessionLogTimestamp	`timestamp`
Source	`str`
SystemPostureToken	`str`
Username	`str`
AcctAuthentic	`str`
AcctCalledStationId	`str`
AcctDelayTime	`str`
AcctStatusType	`str`
AuthMethod	`str`
AuthSource	`str`
AcctTimestamp	`timestamp`
AcctSessionId	`str`
AcctFramedIPAddress	`ip4`
AcctCallingStationId	`str`
AcctNASPortType	`str`
AcctNASPort	`str`
AcctNASIPAddress	`ip4`
AcctUsername	`str`
AcctInputOctets	`str`
AcctTerminationCause	`str`
unknown	`str`
rawMessage	`str`
hostchain	`str`	✓
tag	`str`	✓

Anchor
nac.aruba.wifi.event
nac.aruba.wifi.event
nac.aruba.wifi.event

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	vhost
hostname	`str`
error_location	`str`
error_id	`ip4`
error_number	`str`
severity	`str`
process	`str`
process_ip	`str`
username	`str`
user	`str`
usermac	`str`
server_name	`str`
server_group	`str`
server_ip	`str`
bssid	`timestamp`	SessionLogTimestamp_tmp
apname	`timestamp`	AcctTimestamp_tmp
authmethod	`str`
message	`ip4`
hostchain	`str`
tag	`str`		✓
rawMessage	`str`		✓

...

In the examples below, we use port 13010 but you should use any port that you can dedicate to these events. We also use the event type names as listed earlier in this article. You should specify Source Message values that reflect the event type names used in your installation.

Rule 1: ClearPass Endpoint Profile events

Source Port → 13010
Source Message → CPPM_Endpoint_Profile
Target Tag → nac.aruba.cppm.endpoint
Select the Stop processing and Sent without syslog tag checkboxes.

Rule 2: ClearPass System Event events

Source Port → 13010
Source Message → CPPM_System_Event
Target Tag → nac.aruba.cppm.system
Select the Stop processing and Sent without syslog tag checkboxes.

Rule 3: ClearPass System Stat events

Source Port → 13010
Source Message → CPPM_System_Stat
Target Tag → nac.aruba.cppm.system_stat
Select the Stop processing and Sent without syslog tag checkboxes.

Rule 4: ClearPass Policy events

Source Port → 13010
Source Message → CPPM_
Target Tag → nac.aruba.cppm.policy
Select the Stop processing and Sent without syslog tag checkboxes.

Rule 5: Aruba OS events

Source Port → 13010
Target Tag → nac.aruba.os.events
Select the Stop processing and Sent without syslog tag checkboxes.

Step 2: Set up ClearPass to forward events to the Devo relay

...

Versions Compared

Old Version 6

New Version 7

Key

Anchor
nac.aruba.audit.all
nac.aruba.audit.all
nac.aruba.audit.all

Anchor
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit

Anchor
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records

Anchor
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit

Anchor
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight

Anchor
nac.aruba.clearpass.session
nac.aruba.clearpass.session
nac.aruba.clearpass.session

Anchor
nac.aruba.clearpass.system
nac.aruba.clearpass.system
nac.aruba.clearpass.system

Anchor
nac.aruba.cppm
nac.aruba.cppm
nac.aruba.cppm

Anchor
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint

Anchor
nac.aruba.cppm.policy
nac.aruba.cppm.policy
nac.aruba.cppm.policy

Anchor
nac.aruba.cppm.system
nac.aruba.cppm.system
nac.aruba.cppm.system

Anchor
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat

Anchor
nac.aruba.os.events
nac.aruba.os.events
nac.aruba.os.events

Anchor
nac.aruba.other.events
nac.aruba.other.events
nac.aruba.other.events

Anchor
nac.aruba.sessions.common
nac.aruba.sessions.common
nac.aruba.sessions.common

Anchor
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications

Anchor
nac.aruba.sessions
nac.aruba.sessions
nac.aruba.sessions

Anchor
nac.aruba.wifi.event
nac.aruba.wifi.event
nac.aruba.wifi.event

Rule 1: ClearPass Endpoint Profile events

Rule 2: ClearPass System Event events

Rule 3: ClearPass System Stat events

Rule 4: ClearPass Policy events

Rule 5: Aruba OS events

Step 2: Set up ClearPass to forward events to the Devo relay

Page Comparison

Versions Compared

Old Version 6

New Version 7

Key

Anchornac.aruba.audit.allnac.aruba.audit.allnac.aruba.audit.all

Anchornac.aruba.clearpass.auditnac.aruba.clearpass.auditnac.aruba.clearpass.audit

Anchornac.aruba.clearpass.audit_recordsnac.aruba.clearpass.audit_recordsnac.aruba.clearpass.audit_records

Anchornac.aruba.clearpass.configuration_auditnac.aruba.clearpass.configuration_auditnac.aruba.clearpass.configuration_audit

Anchornac.aruba.clearpass.insightnac.aruba.clearpass.insightnac.aruba.clearpass.insight

Anchornac.aruba.clearpass.sessionnac.aruba.clearpass.sessionnac.aruba.clearpass.session

Anchornac.aruba.clearpass.systemnac.aruba.clearpass.systemnac.aruba.clearpass.system

Anchornac.aruba.cppmnac.aruba.cppmnac.aruba.cppm

Anchornac.aruba.cppm.endpointnac.aruba.cppm.endpointnac.aruba.cppm.endpoint

Anchornac.aruba.cppm.policynac.aruba.cppm.policynac.aruba.cppm.policy

Anchornac.aruba.cppm.systemnac.aruba.cppm.systemnac.aruba.cppm.system

Anchornac.aruba.cppm.system_statnac.aruba.cppm.system_statnac.aruba.cppm.system_stat

Anchornac.aruba.os.eventsnac.aruba.os.eventsnac.aruba.os.events

Anchornac.aruba.other.eventsnac.aruba.other.eventsnac.aruba.other.events

Anchornac.aruba.sessions.commonnac.aruba.sessions.commonnac.aruba.sessions.common

Anchornac.aruba.sessions.failed_authenticationsnac.aruba.sessions.failed_authenticationsnac.aruba.sessions.failed_authentications

Anchornac.aruba.sessionsnac.aruba.sessionsnac.aruba.sessions

Anchornac.aruba.wifi.eventnac.aruba.wifi.eventnac.aruba.wifi.event

Rule 1: ClearPass Endpoint Profile events

Rule 2: ClearPass System Event events

Rule 3: ClearPass System Stat events

Rule 4: ClearPass Policy events

Rule 5: Aruba OS events

Step 2: Set up ClearPass to forward events to the Devo relay

Anchor
nac.aruba.audit.all
nac.aruba.audit.all
nac.aruba.audit.all

Anchor
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit
nac.aruba.clearpass.audit

Anchor
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records
nac.aruba.clearpass.audit_records

Anchor
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit
nac.aruba.clearpass.configuration_audit

Anchor
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight
nac.aruba.clearpass.insight

Anchor
nac.aruba.clearpass.session
nac.aruba.clearpass.session
nac.aruba.clearpass.session

Anchor
nac.aruba.clearpass.system
nac.aruba.clearpass.system
nac.aruba.clearpass.system

Anchor
nac.aruba.cppm
nac.aruba.cppm
nac.aruba.cppm

Anchor
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint
nac.aruba.cppm.endpoint

Anchor
nac.aruba.cppm.policy
nac.aruba.cppm.policy
nac.aruba.cppm.policy

Anchor
nac.aruba.cppm.system
nac.aruba.cppm.system
nac.aruba.cppm.system

Anchor
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat
nac.aruba.cppm.system_stat

Anchor
nac.aruba.os.events
nac.aruba.os.events
nac.aruba.os.events

Anchor
nac.aruba.other.events
nac.aruba.other.events
nac.aruba.other.events

Anchor
nac.aruba.sessions.common
nac.aruba.sessions.common
nac.aruba.sessions.common

Anchor
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.failed_authentications

Anchor
nac.aruba.sessions
nac.aruba.sessions
nac.aruba.sessions

Anchor
nac.aruba.wifi.event
nac.aruba.wifi.event
nac.aruba.wifi.event