vpn.pulsesecure
Introduction
The tags beginning with vpn.pulsesecure
identify events generated by Pulse Secure products.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as vpn.pulsesecure
. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Pulse Secure |
|
|
For more information, read more about Devo tags.
Table structure
Field name | Type | Extra fields | Source field name |
---|---|---|---|
eventdate |
| Â | Â |
machine |
| Â | vmachine |
hostchain |
| ✓ |  |
tag |
| ✓ |  |
serverdate |
| Â | Â |
node |
| Â | Â |
srcIp |
| Â | Â |
ivs |
| Â | Â |
user |
| Â | Â |
realm |
| Â | Â |
role |
| Â | Â |
nasIPAddress |
| Â | Â |
msg |
| Â | Â |
rawMessage |
| Â | Â |
How is data sent to Devo?
To configure the event sending, you'll set up a relay rule on your Devo Relay that applies the vpn.pulsesecure.sa
 tag before forwarding the events to Devo in syslog format. In the example below, we use port 514 but you should use any port that you can dedicate to these events.
Source Port → 514
Target Tag →Â
vpn.pulsesecure.sa
Check the Stop processing and Sent without syslog tag checkboxes.
Pulse Secure products can export events in three different formats: Standard, WELF, or Custom. Devo is equipped with parsers for events in Standard and WELF formats. However, if you need to send your data in Custom format, you'll need a custom parser.
See below the event format for the Standard and WELF options:
Standard
WELF
Â