nac.aruba
Tags that start with nac.aruba identify all log events generated by Aruba Networks ClearPass and Aruba OS.
For information about ClearPass, see the vendor website.
Tag structure
The full nac.aruba tags have four levels. The first two are fixed as nac.aruba. The third level identifies the service type and must be one of cppm (for ClearPass Policy Manager events) or os (for Aruba OS events). The fourth level of the tag identifies the event type.
The subtype v2 is added at the end of the tag when 2 space-separated fields come before cppm. For example:
03:51:52,778 10.101.3.40 CPPM_Alert 2378010 1 0 session_id=...
Technology | Brand | Type | Subtype 1 | Subtype 2 |
---|---|---|---|---|
nac | aruba |
|
|
|
|
| - |
These are the valid tags and the types of events that correspond to each:
Tag/table name | Event types* |
---|---|
nac.aruba.cppm.endpoint | CPPM_Endpoint_Profile |
nac.aruba.cppm.system | CPPM_System_Event |
nac.aruba.cppm.system_stat | CPPM_System_Stat |
nac.aruba.cppm.policy | CPPM_Alert, CPPM_Audit_Record, CPPM_Dashboard_Summary, CPPM_Policy_Server_Session, CPPM_Post_Auth_Monit_Config, CPPM_Proc_Stats, CPPM_RADCOA_Session_Log, CPPM_RADIUS_Accounting, CPPM_RADIUS_Accounting_Detail, CPPM_RADIUS_Session, CPPM_Session_Detail, CPPM_TACACS_Accounting_Detail, CPPM_TACACS_Accouting_Record, CPPM_TACACS_Session |
nac.aruba.os.events | Aruba OS log events |
* As the names of the event types can be customized for each installation, the event type names in this table are meant for guidance only.
When the events are delivered to Devo, they will be accessible in the Finder in tables of the same names.
For more information, read about Devo tags.
How is the data sent to Devo?
Step 1: Set up the Devo relay rules
You will need to set up five rules on the relay to correctly process and forward the events received from ClearPass. The rules must follow the order indicated here; otherwise, events may not be correctly tagged.
In the examples below, we use port 13010, but you should use whichever port you can dedicate to these events. We also use the event type names as listed earlier in this article. You should specify Source Message values that reflect the event type names used in your installation.
Rule 1: ClearPass Endpoint Profile events
Rule 2: ClearPass System Event events
Rule 3: ClearPass System Stat events
Rule 4: ClearPass Policy events
Rule 5: Aruba OS events
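To check which table a given line will land in before relying on it for detection, the tagging described in this article can be modeled as an ordered first-match list. This is an added example, not Devo relay code: the catch-all pattern for Rule 5, the helper names, and the sample lines other than the one quoted earlier are assumptions, and the v2 check counts the space-separated fields before the event type name.

```python
import re

# Default event type names from the table above; adjust to your installation.
POLICY_TYPES = """CPPM_Alert CPPM_Audit_Record CPPM_Dashboard_Summary
CPPM_Policy_Server_Session CPPM_Post_Auth_Monit_Config CPPM_Proc_Stats
CPPM_RADCOA_Session_Log CPPM_RADIUS_Accounting CPPM_RADIUS_Accounting_Detail
CPPM_RADIUS_Session CPPM_Session_Detail CPPM_TACACS_Accounting_Detail
CPPM_TACACS_Accouting_Record CPPM_TACACS_Session""".split()


def rule(names, tag):
    """Match any of the names as a whole whitespace-delimited token."""
    alternatives = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?<!\S)(?:%s)(?!\S)" % alternatives), tag


# Same order as Rules 1-5. The catch-all for Rule 5 is an assumption.
RULES = [
    rule(["CPPM_Endpoint_Profile"], "nac.aruba.cppm.endpoint"),
    rule(["CPPM_System_Event"], "nac.aruba.cppm.system"),
    rule(["CPPM_System_Stat"], "nac.aruba.cppm.system_stat"),
    rule(POLICY_TYPES, "nac.aruba.cppm.policy"),
    (re.compile(""), "nac.aruba.os.events"),
]


def tag_for(line, rules=RULES):
    """Return the tag of the first rule that matches, or None."""
    for pattern, tag in rules:
        match = pattern.search(line)
        if match is None:
            continue
        # v2: exactly two space-separated fields precede the event type name.
        if ".cppm." in tag and len(line[:match.start()].split()) == 2:
            tag += ".v2"
        return tag
    return None


# First line is the example from this article; the others are constructed.
SAMPLES = [
    "03:51:52,778 10.101.3.40 CPPM_Alert 2378010 1 0 session_id=...",
    "2024-05-01 03:51:52,778 10.101.3.40 CPPM_System_Stat 1 0 cpu=12",
    "May 1 03:51:52 controller-1 authmgr[100]: constructed Aruba OS message",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(tag_for(sample), "<-", sample)
    # Wrong order: the catch-all runs first and swallows ClearPass events.
    print(tag_for(SAMPLES[0], RULES[::-1]))
```

In this model, a ClearPass line that comes back as nac.aruba.os.events means the event type name in your installation differs from the defaults or the rules are out of order.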
Step 2: Set up ClearPass to forward events to the Devo relay
Set up the Devo relay as a Syslog Target in ClearPass. Be sure to use TCP as the protocol and to specify the port on which you set up the relay rules.
Next, set up the Syslog Export Filter in ClearPass that will forward data to the Devo relay.
Log samples
The following are sample logs sent to each of the nac.aruba data tables. Under each sample log, you can see how the information is parsed in your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.