Introduction

Tags that start with nac.aruba identify all log events generated by Aruba Networks ClearPass and Aruba OS. 

For information about ClearPass, see the vendor website.

...

Valid tags and data tables

Full nac.aruba tags have four levels. The first two are fixed as nac.aruba. The third level identifies the service type and must be one of cppm (for ClearPass Policy Manager events) or os (for Aruba OS events). The fourth level of the tag identifies the event type.

...

03:51:52,778 10.101.3.40 CPPM_Alert 2378010 1 0 session_id=...

...

Technology

...

Brand

...

Type

...

Subtype 1

...

Subtype 2

...

nac

...

aruba

...

  • cppm

...

  • endpoint

  • system

  • system_stat

  • policy

...

  • v2

...

  • os

...

  • events

...

-

These are the valid tags and the types of events that correspond to each:

| Tag/table name | Event types* |
|---|---|
| nac.aruba.cppm.endpoint | CPPM_Endpoint_Profile |
| nac.aruba.cppm.system | CPPM_System_Event |
| nac.aruba.cppm.system_stat | CPPM_System_Stat |
| nac.aruba.cppm.policy | CPPM_Alert, CPPM_Audit_Record, CPPM_Dashboard_Summary, CPPM_Policy_Server_Session, CPPM_Post_Auth_Monit_Config, CPPM_Proc_Stats, CPPM_RADCOA_Session_Log, CPPM_RADIUS_Accounting, CPPM_RADIUS_Accounting_Detail, CPPM_RADIUS_Session, CPPM_Session_Detail, CPPM_TACACS_Accounting_Detail, CPPM_TACACS_Accouting_Record, CPPM_TACACS_Session |
| nac.aruba.os.events | Aruba OS log events |

 * As the names of the event types can be customized for each installation, the event type names in this table are meant for guidance only. 

When the events are delivered to Devo, they will be accessible in the Finder in tables of the same names.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Aruba ClearPass | nac.aruba.audit.all | nac.aruba.audit.all |
| | nac.aruba.clearpass.audit | nac.aruba.clearpass.audit |
| | nac.aruba.clearpass.audit_records | nac.aruba.clearpass.audit_records |
| | nac.aruba.clearpass.configuration_audit | nac.aruba.clearpass.configuration_audit |
| | nac.aruba.clearpass.insight | nac.aruba.clearpass.insight |
| | nac.aruba.clearpass.session | nac.aruba.clearpass.session |
| | nac.aruba.clearpass.system | nac.aruba.clearpass.system |
| | nac.aruba.cppm | nac.aruba.cppm |
| | nac.aruba.cppm.endpoint | nac.aruba.cppm.endpoint |
| | nac.aruba.cppm.policy | nac.aruba.cppm.policy |
| | nac.aruba.cppm.system | nac.aruba.cppm.system |
| | nac.aruba.cppm.system_stat | nac.aruba.cppm.system_stat |
| | nac.aruba.os.events | nac.aruba.os.events |
| | nac.aruba.other.events | nac.aruba.other.events |
| | nac.aruba.sessions.common | nac.aruba.sessions.common |
| | nac.aruba.sessions.failed_authentications | nac.aruba.sessions.failed_authentications |
| | nac.aruba.sessions.radius | nac.aruba.sessions.radius |
| | nac.aruba.sessions | nac.aruba.sessions |
| | nac.aruba.wifi.event | nac.aruba.wifi.event |

For more information, read more about Devo tags.

Tag structure

These are the fields displayed in these tables:

nac.aruba.audit.all

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostIP | ip4 | | |
| Timestamp | str | | |
| EntityName | str | | |
| Category | str | | |
| Action | str | | |
| User | str | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |

nac.aruba.clearpass.audit

| Field | Type | Extra fields | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | | vhost |
| procid | str | | |
| msgid | str | | |
| tzKnown | str | | |
| swVersion | str | | |
| software | str | | |
| ip | str | | |
| enterpriseId | str | | |
| eventId | str | | |
| Action | str | | |
| Category | str | | |
| User | str | | |
| EntityName | str | | |
| CppmNode | str | | |
| Timestamp | str | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |

nac.aruba.clearpass.audit_records

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| header__version | str | |
| header__device_vendor | str | |
| header__device_product | str | |
| header__device_version | str | |
| header__device_event_class_id | str | |
| header__name | str | |
| header__severity | str | |
| extension__dvc | ip4 | |
| extension__fname | str | |
| extension__rt | timestamp | |
| extension__act | str | |
| extension__duser | str | |
| extension__cat | str | |
| prefix | str | |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

nac.aruba.clearpass.configuration_audit

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| header__version | str | |
| header__device_vendor | str | |
| header__device_product | str | |
| header__device_version | str | |
| header__device_event_class_id | str | |
| header__name | str | |
| header__severity | str | |
| extension__dvc | ip4 | |
| extension__fname | str | |
| extension__rt | timestamp | |
| extension__act | str | |
| extension__duser | str | |
| extension__cat | str | |
| prefix | str | |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

nac.aruba.clearpass.insight

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | eventdate | | |
| host | host | vhost | |
| procid | procid | | |
| msgid | msgid | | |
| tzKnown | tzKnown | | |
| swVersion | swVersion | | |
| software | software | | |
| ip | ip | | |
| enterpriseId | enterpriseId | | |
| eventId | eventId | | |
| Username | Username | | |
| UpdatedAt | UpdatedAt | | |
| MACAddress | MACAddress | | |
| IPAddress | IPAddress | | |
| Status | Status | | |
| Conflict | Conflict | | |
| CppmNode | CppmNode | | |
| AddedAt | AddedAt | | |
| hostchain | hostchain | | |
| tag | tag | | |
| rawMessage | rawMessage | | |

nac.aruba.clearpass.session

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| procid | str | | |
| msgid | str | | |
| tzKnown | str | | |
| swVersion | str | | |
| software | str | | |
| ip | str | | |
| enterpriseId | str | | |
| AuthType | str | | |
| NASName | str | | |
| Service | str | | |
| NASIPAddress | str | | |
| Source | str | | |
| AuthSource | str | | |
| EnforcementProfiles | str | | |
| ConnectionStatus | str | | |
| MonitorMode | str | | |
| LoginStatus | str | | |
| Roles | str | | |
| CppmNode | str | | |
| SystemPostureToken | str | | |
| RequestId | str | | |
| RequestTimestamp | str | | |
| AuthMethod | str | | |
| SessionLogTimestamp | str | | |
| Username | str | | |
| AlertsPresent | str | | |
| ErrorCode | str | | |
| AuditPostureToken | str | | |
| NadName | str | | |
| AuthProtocol | str | | |
| CppmErrorCodeDetails | str | | |
| CppmAlerts | str | | |
| EndpointDeviceName | str | | |
| AuthLoginStatus | str | | |
| AuthNASIPAddress | str | | |
| EndpointHostname | str | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |

nac.aruba.clearpass.system

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| procid | str | | |
| msgid | str | | |
| tzKnown | str | | |
| swVersion | str | | |
| software | str | | |
| ip | str | | |
| enterpriseId | str | | |
| eventId | str | | |
| Action | str | | |
| Category | str | | |
| Description | str | | |
| user | str | | |
| role | str | | |
| authentication_source | str | | |
| session_id | str | | |
| client_ip | ip4 | | |
| session_inactive_expiry_time | str | | |
| Level | str | | |
| Component | str | | |
| CppmNode | str | | |
| Timestamp | str | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |

nac.aruba.cppm

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| subtype | str | | vsubtype | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
| mac_address | str | | | |
| id | str | | | |
| nas_ip | ip4 | | | |
| message | str | | rawSource | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | rawSource | |

nac.aruba.cppm.endpoint

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| subtype | str | | vsubtype | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
| mac_address | str | | | |
| id | str | | | |
| nas_ip | ip4 | | | |
| message | str | | rawSource | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | rawSource | |

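nac.aruba.cppm.policy

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| rawMessage | str | | | |
| host | str | | vhost | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
| id | str | | | |
| session_id | str | | | |
| attr_name | str | | | |
| attr_value | str | | | |
| flags | str | | | |
| user_name | str | | | |
| nas_ip | ip4 | | | |
| port | str | | | |
| remote_address | str | | | |
| priv_level | int4 | | | |
| authen_type | str | | | |
| authen_method | str | | | |
| authen_service | str | | | |
| service_name | str | | | |
| auth_method | str | | | |
| auth_source | str | | | |
| end_host_id | str | | | |
| request_status | str | | | |
| error_code | int4 | | | |
| mac_address | str | | | |
| nas_port | int4 | | | |
| request_id | str | | | |
| action_id | str | | | |
| action_type | str | | | |
| action_name | str | | | |
| action_display_name | str | | | |
| application_name | str | | | |
| status_code | str | | | |
| status_msg | str | | | |
| req_source | str | | | |
| alerts_present | int4 | | | |
| conn_status | str | | | |
| login_status | str | | | |
| write_timestamp | str | | | |
| monitor_mode | str | | | |
| roles | str | | | |
| audit_apt | str | | | |
| spt | str | | | |
| enf_profiles | str | | | |
| alert | str | | | |
| action | str | | | |
| category | str | | | |
| entityname | str | | | |
| user | str | | | |
| auth_type | str | | | |
| cpu_usage | int4 | | | |
| process_id | int4 | | | |
| res_mem_usage | int4 | | | |
| virt_mem_usage | int4 | | | |
| acct_authentic | str | | | |
| acct_delay_time | str | | | |
| acct_input_octets | str | | | |
| acct_input_packets | str | | | |
| acct_output_octets | str | | | |
| acct_output_packets | str | | | |
| acct_session_id | str | | | |
| acct_session_time | str | | | |
| acct_status_type | str | | | |
| acct_terminate_cause | str | | | |
| called_station_id | str | | | |
| calling_station_id | str | | | |
| ip_address | str | | | |
| nas_port_type | str | | | |
| seq_num | str | | | |
| type | str | | | |
| cn | str | | | |
| dc | str | | | |
| ou | str | | | |
| authen_action | str | | | |
| request_type | str | | | |
| server_id | str | | | |
| tacacs_profiles | str | | | |
| tips_roles | str | | | |
| user_session_id | str | | | |
| message | str | | rawMessage | |
| hostchain | str | | | |
| tag | str | | | |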

nac.aruba.cppm.system

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| rawMessage | str | | rawSource | |
| host | str | | vhost | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ")) | timestamp_tmp | |
| event_source | str | | | |
| level | str | | | |
| category | str | | | |
| description | str | | | |
| action | str | | | |
| message | str | | rawSource | |
| hostchain | str | | | |
| tag | str | | | |

nac.aruba.cppm.system_stat

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| rawMessage | str | | | |
| host | str | | vhost | |
| cat_name | str | | | |
| msg_id | str | | | |
| total_seg | int4 | | | |
| seg_num | int4 | | | |
| timestamp | timestamp | ifthenelse(timestamp_tmp[3] = " ", parsedate(substring(timestamp_tmp, 0, 24), "MMM DD YYYY HH:mm:ss.SSS", ifthenelse(length(split(timestamp_tmp, " ")) = 5, split(timestamp_tmp, " ", 4), "")), ifthenelse(timestamp_tmp -> ".", parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"), parsedate(timestamp_tmp, "YYYY-MM-DD HH:mm:ssZZ"))) | timestamp_tmp | |
| component | str | | | |
| level | str | | | |
| category | str | | | |
| action | str | | | |
| description | str | | | |
| id | str | | | |
| swap_size_used | int8 | | | |
| slash_size_used | int8 | | | |
| swap_memory_avail | int8 | | | |
| system_memory_avail | int8 | | | |
| cpu_raw_user | int4 | | | |
| cpu_raw_nice | int4 | | | |
| cpu_raw_system | int4 | | | |
| cpu_raw_idle | int4 | | | |
| mgmt_inf_status | str | | | |
| data_inf_status | str | | | |
| uptime | int8 | | | |
| message | str | | rawMessage | |
| hostchain | str | | | |
| tag | str | | | |

nac.aruba.os.events

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| col1 | int8 | | |
| error_number | int8 | | |
| severity | str | | |
| ap_cassification_rule | str | | |
| process | str | | |
| message | str | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |

nac.aruba.other.events

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | rawSource | |

nac.aruba.sessions.common

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| time | str | | | |
| eventID | str | | | |
| hostIP | ip4 | | | |
| type | str | | | |
| id1 | str | | | |
| id2 | str | | | |
| id3 | str | | | |
| Alerts | str | | | |
| AlertsPresent | int4 | | | |
| AuditPostureToken | str | | | |
| AuthType | str | | | |
| ConnectionStatus | str | | | |
| EnforcementProfiles | str | | | |
| ErrorCode | str | | | |
| HostMACAddress | str | | | |
| LoginStatus | str | | | |
| MonitorMode | str | | | |
| NASIPAddress | str | | | |
| NASPort | str | | | |
| RequestId | str | | | |
| RequestTimestamp | timestamp | parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC")) | RequestTimestamp_tmp | |
| Roles | str | | | |
| Service | str | | | |
| SessionLogTimestamp | timestamp | parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC")) | SessionLogTimestamp_tmp | |
| Source | str | | | |
| SystemPostureToken | str | | | |
| Username | str | | | |
| unknown | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

nac.aruba.sessions.failed_authentications

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| time | str | | | |
| eventID | str | | | |
| hostIP | ip4 | | | |
| type | str | | | |
| id1 | str | | | |
| id2 | str | | | |
| id3 | str | | | |
| Username | str | | | |
| Services | str | | | |
| Roles | str | | | |
| AuthSource | str | | | |
| AuthMethod | str | | | |
| SystemPostureToken | str | | | |
| EnforcementProfiles | str | | | |
| HostMACAddress | str | | | |
| NASIPAddress | str | | | |
| ErrorCode | str | | | |
| Alerts | str | | | |
| RequestTimestamp | timestamp | parsedate(RequestTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC")) | RequestTimestamp_tmp | |
| unknown | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

nac.aruba.sessions.radius

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | | vhost | |
| time | str | | | |
| eventID | str | | | |
| hostIP | ip4 | | | |
| type | str | | | |
| id1 | str | | | |
| id2 | str | | | |
| id3 | str | | | |
| AcctAuthentic | str | | | |
| AcctCalledStationId | str | | | |
| AcctDelayTime | str | | | |
| AcctStatusType | str | | | |
| AuthMethod | str | | | |
| AuthSource | str | | | |
| SessionLogTimestamp | timestamp | parsedate(SessionLogTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ssZZ", "UTC")) | SessionLogTimestamp_tmp | |
| AcctTimestamp | timestamp | parsedate(AcctTimestamp_tmp, dateformat("YYYY-MM-DD HH:mm:ss.SSSZZ", "UTC")) | AcctTimestamp_tmp | |
| AcctSessionId | str | | | |
| AcctFramedIPAddress | ip4 | | | |
| AcctCallingStationId | str | | | |
| AcctNASPortType | str | | | |
| AcctNASPort | str | | | |
| AcctNASIPAddress | ip4 | | | |
| AcctUsername | str | | | |
| AcctInputOctets | str | | | |
| AcctTerminationCause | str | | | |
| unknown | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

nac.aruba.sessions

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| host | str | |
| subtype | str | |
| time | str | |
| eventID | str | |
| hostIP | ip4 | |
| type | str | |
| id1 | str | |
| id2 | str | |
| id3 | str | |
| Alerts | str | |
| AlertsPresent | int4 | |
| AuditPostureToken | str | |
| AuthType | str | |
| ConnectionStatus | str | |
| EnforcementProfiles | str | |
| ErrorCode | str | |
| HostMACAddress | str | |
| LoginStatus | str | |
| MonitorMode | str | |
| NASIPAddress | str | |
| NASPort | str | |
| RequestId | str | |
| RequestTimestamp | timestamp | |
| Roles | str | |
| Service | str | |
| SessionLogTimestamp | timestamp | |
| Source | str | |
| SystemPostureToken | str | |
| Username | str | |
| AcctAuthentic | str | |
| AcctCalledStationId | str | |
| AcctDelayTime | str | |
| AcctStatusType | str | |
| AuthMethod | str | |
| AuthSource | str | |
| AcctTimestamp | timestamp | |
| AcctSessionId | str | |
| AcctFramedIPAddress | ip4 | |
| AcctCallingStationId | str | |
| AcctNASPortType | str | |
| AcctNASPort | str | |
| AcctNASIPAddress | ip4 | |
| AcctUsername | str | |
| AcctInputOctets | str | |
| AcctTerminationCause | str | |
| unknown | str | |
| rawMessage | str | |
| hostchain | str | |
| tag | str | |

nac.aruba.wifi.event

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostname | str | | |
| error_location | str | | |
| error_id | ip4 | | |
| error_number | str | | |
| severity | str | | |
| process | str | | |
| process_ip | str | | |
| username | str | | |
| user | str | | |
| usermac | str | | |
| server_name | str | | |
| server_group | str | | |
| server_ip | str | | |
| bssid | timestamp | SessionLogTimestamp_tmp | |
| apname | timestamp | AcctTimestamp_tmp | |
| authmethod | str | | |
| message | ip4 | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |

How is the data sent to Devo?

...

In the examples below, we use port 13010 but you should use any port that you can dedicate to these events. We also use the event type names as listed earlier in this article. You should specify Source Message values that reflect the event type names used in your installation.

Rule 1: ClearPass Endpoint Profile events

  • Source Port → 13010

  • Source Message → CPPM_Endpoint_Profile

  • Target Tag → nac.aruba.cppm.endpoint

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 2: ClearPass System Event events

  • Source Port → 13010

  • Source Message → CPPM_System_Event

  • Target Tag → nac.aruba.cppm.system

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 3: ClearPass System Stat events

  • Source Port → 13010

  • Source Message → CPPM_System_Stat

  • Target Tag → nac.aruba.cppm.system_stat

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 4: ClearPass Policy events

  • Source Port → 13010

  • Source Message → CPPM_

  • Target Tag → nac.aruba.cppm.policy

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 5: Aruba OS events

  • Source Port → 13010

  • Target Tag → nac.aruba.os.events

  • Select the Stop processing and Sent without syslog tag checkboxes.
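The order of these five rules matters: Rule 4 matches any message containing CPPM_, and Rule 5 has no Source Message filter at all. The following Python model is an added example, not Devo relay code; it assumes rules are evaluated top to bottom, that Source Message is searched as a regular expression in the raw event, and that Stop processing ends evaluation at the first match. The sample events are constructed.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    source_port: int
    source_message: Optional[str]  # None: rule has no Source Message filter
    target_tag: str

# Rules 1-5 as listed on this page, in the same order.
RULES = [
    Rule("Rule 1", 13010, "CPPM_Endpoint_Profile", "nac.aruba.cppm.endpoint"),
    Rule("Rule 2", 13010, "CPPM_System_Event", "nac.aruba.cppm.system"),
    Rule("Rule 3", 13010, "CPPM_System_Stat", "nac.aruba.cppm.system_stat"),
    Rule("Rule 4", 13010, "CPPM_", "nac.aruba.cppm.policy"),
    Rule("Rule 5", 13010, None, "nac.aruba.os.events"),
]

# Constructed sample events, modelled on the CPPM_Alert line shown earlier.
SAMPLES = {
    "endpoint": "03:51:52,778 192.0.2.40 CPPM_Endpoint_Profile 1001 1 0 mac=001122334455",
    "alert": "03:51:52,778 192.0.2.40 CPPM_Alert 1002 1 0 session_id=R0001",
    "aruba_os": "authmgr[3912]: <522008> <NOTI> User Authentication Successful",
}

def matches(rule, port, message):
    """Assumed semantics: ports must be equal; Source Message is a regex search."""
    if port != rule.source_port:
        return False
    return rule.source_message is None or bool(re.search(rule.source_message, message))

def route(rules, port, message):
    """Tag of the first matching rule (assumed 'Stop processing'), or None."""
    for rule in rules:
        if matches(rule, port, message):
            return rule.target_tag
    return None

def shadowed(rules):
    """(earlier, later) pairs where an earlier rule captures the later rule's events.
    Each rule's own Source Message text is used as the probe event."""
    pairs = []
    for i, later in enumerate(rules):
        if later.source_message is None:
            continue
        for earlier in rules[:i]:
            if matches(earlier, later.source_port, later.source_message):
                pairs.append((earlier.name, later.name))
    return pairs

if __name__ == "__main__":
    for label, event in SAMPLES.items():
        print(label, "->", route(RULES, 13010, event))
    misordered = [RULES[3]] + RULES[:3] + [RULES[4]]
    print("shadowed when Rule 4 is first:", shadowed(misordered))
```

Running shadowed() over a planned rule list before saving it flags a broad pattern placed above a narrower one, which would otherwise send endpoint or system events to the policy table.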

Step 2: Set up ClearPass to forward events to the Devo relay

...