Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Tags that start with nac.aruba identify all log events generated by Aruba Networks ClearPass and Aruba OS. 

For information about ClearPass, see the vendor website.

Tag structure

The full nac.aruba tags have four levels. The first two are fixed as nac.aruba. The third level identifies the service type and must be one of cppm (for ClearPass Policy Manager events) or os (for Aruba OS events). The fourth level of the tag identifies the event type.

The subtype v2 is added at the end of the tag when 2 space-separated fields come before cppm. For example:

03:51:52,778 10.101.3.40 CPPM_Alert 2378010 1 0 session_id=...

Technology

Brand

Type

Subtype 1

Subtype 2

nac

aruba

  • cppm

  • endpoint

  • system

  • system_stat

  • policy

  • v2

  • os

  • events

-

These are the valid tags and the types of events that correspond to each:

Tag/table name

Event types*

nac.aruba.cppm.endpoint

CPPM_Endpoint_Profile

nac.aruba.cppm.system

CPPM_System_Event

nac.aruba.cppm.system_stat

CPPM_System_Stat

nac.aruba.cppm.policy

CPPM_Alert
CPPM_Audit_Record
CPPM_Dashboard_Summary
CPPM_Policy_Server_Session
CPPM_Post_Auth_Monit_Config
CPPM_Proc_Stats
CPPM_RADCOA_Session_Log
CPPM_RADIUS_Accounting
CPPM_RADIUS_Accounting_Detail
CPPM_RADIUS_Session
CPPM_Session_Detail
CPPM_TACACS_Accounting_Detail
CPPM_TACACS_Accouting_Record
CPPM_TACACS_Session

nac.aruba.os.events

Aruba OS log events

 * As the names of the event types can be customized for each installation, the event type names in this table are meant for guidance only. 

When the events are delivered to Devo, they will be accessible in the Finder in tables of the same names.

For more information, read more about Devo tags.

How is the data sent to Devo?

Step 1: Set up the Devo relay rules

You will need to set up five rules on the relay to correctly process and forward the events received from ClearPass. It is important that the rules follow the order indicated here, otherwise, events may not be correctly tagged.

In the examples below, we use port 13010 but you should use any port that you can dedicate to these events. We also use the event type names as listed earlier in this article. You should specify Source Message values that reflect the event type names used in your installation.

Rule 1: ClearPass Endpoint Profile events

  • Source Port → 13010

  • Source Message → CPPM_Endpoint_Profile

  • Target Tag → nac.aruba.cppm.endpoint

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 2:  ClearPass System Event events

  • Source Port → 13010

  • Source Message → CPPM_System_Event

  • Target Tag → nac.aruba.cppm.system

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 3: ClearPass System Stat events

  • Source Port → 13010

  • Source Message → CPPM_System_Stat

  • Target Tag → nac.aruba.cppm.system_stat

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 4: ClearPass Policy events

  • Source Port → 13010

  • Source Message → CPPM_

  • Target Tag → nac.aruba.cppm.policy

  • Select the Stop processing and Sent without syslog tag checkboxes.

Rule 5: Aruba OS events

  • Source Port → 13010

  • Target Tag → nac.aruba.os.events

  • Select the Stop processing and Sent without syslog tag checkboxes.

Step 2: Set up ClearPass to forward events to the Devo relay

Set up the Devo relay as a Syslog Target in ClearPass. Be sure to use TCP as the protocol and to specify the port on which you set up the relay rules.

Next, set up the Syslog Export Filter in ClearPass that will forward data to the Devo relay. 


  • No labels