Tags that start with nac.aruba identify all log events generated by Aruba Networks ClearPass and Aruba OS.
For information about ClearPass, see the vendor website.
Tag structure
The full nac.aruba tags have four levels. The first two are fixed as nac.aruba. The third level identifies the service type and must be one of cppm (for ClearPass Policy Manager events) or os (for Aruba OS events). The fourth level of the tag identifies the event type.
The subtype v2 is added at the end of the tag when 2 space-separated fields come before cppm. For example:
03:51:52,778 10.101.3.40 CPPM_Alert 2378010 1 0 session_id=...
Technology | Brand | Type | Subtype 1 | Subtype 2 |
---|---|---|---|---|
nac | aruba |
|
|
|
|
| - |
These are the valid tags and the types of events that correspond to each:
Tag/table name | Event types* |
---|---|
nac.aruba.cppm.endpoint | CPPM_Endpoint_Profile |
nac.aruba.cppm.system | CPPM_System_Event |
nac.aruba.cppm.system_stat | CPPM_System_Stat |
nac.aruba.cppm.policy | CPPM_Alert |
nac.aruba.os.events | Aruba OS log events |
* As the names of the event types can be customized for each installation, the event type names in this table are meant for guidance only.
When the events are delivered to Devo, they will be accessible in the Finder in tables of the same names.
For more information, read more about Devo tags.
How is the data sent to Devo?
Step 1: Set up the Devo relay rules
You will need to set up five rules on the relay to correctly process and forward the events received from ClearPass. It is important that the rules follow the order indicated here, otherwise, events may not be correctly tagged.
In the examples below, we use port 13010 but you should use any port that you can dedicate to these events. We also use the event type names as listed earlier in this article. You should specify Source Message values that reflect the event type names used in your installation.
Rule 1: ClearPass Endpoint Profile events
| |
Rule 2: ClearPass System Event events
| |
Rule 3: ClearPass System Stat events
| |
Rule 4: ClearPass Policy events
| |
Rule 5: Aruba OS events
|
Step 2: Set up ClearPass to forward events to the Devo relay
Set up the Devo relay as a Syslog Target in ClearPass. Be sure to use TCP as the protocol and to specify the port on which you set up the relay rules.
Next, set up the Syslog Export Filter in ClearPass that will forward data to the Devo relay.