vpn.pulsesecure

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ] [ 4 How is data sent to Devo? ]

Introduction

The tags beginning with vpn.pulsesecure identify events generated by Pulse Secure products.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as vpn.pulsesecure. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Pulse Secure	`vpn.pulsesecure.sa`	`vpn.pulsesecure.sa`

For more information, read more about Devo tags.

Table structure

Field name	Type	Extra fields	Source field name

Field name	Type	Extra fields	Source field name
eventdate	`timestamp`
machine	`str`		vmachine
hostchain	`str`	✓
tag	`str`	✓
serverdate	`timestamp`
node	`str`
srcIp	`ip4`
ivs	`str`
user	`str`
realm	`str`
role	`str`
nasIPAddress	`ip4`
msg	`str`
rawMessage	`str`

How is data sent to Devo?

To configure the event sending, you'll set up a relay rule on your Devo Relay that applies the vpn.pulsesecure.sa tag before forwarding the events to Devo in syslog format. In the example below, we use port 514 but you should use any port that you can dedicate to these events.

Source Port → 514
Target Tag → vpn.pulsesecure.sa
Check the Stop processing and Sent without syslog tag checkboxes.

Pulse Secure products can export events in three different formats: Standard, WELF, or Custom. Devo is equipped with parsers for events in Standard and WELF formats. However, if you need to send your data in Custom format, you'll need a custom parser.

See below the event format for the Standard and WELF options: