TCP Multiline Syslog log source parameters for Aruba ClearPass Policy Manager
When ClearPass Policy Manager sends a single event as several syslog fragments, the Aruba ClearPass Policy Manager DSM for IBM QRadar accepts those events only from a log source that is configured with the TCP Multiline Syslog protocol, which reassembles the fragments before parsing.
If QRadar does not automatically detect a log source, add the Aruba ClearPass Policy Manager log source on the QRadar Console by using the TCP Multiline Syslog protocol.
Parameter | Value |
---|---|
Log Source type | Aruba ClearPass Policy Manager |
Protocol Configuration | TCP Multiline Syslog |
Log Source Identifier | Type the IP address or host name that identifies the log source. To use a source name instead of a log source identifier, select Use Custom Source Name and enter values for Source Name Regex and Source Name Formatting String. Important: these two parameters are shown only when Show Advanced Options is set to Yes. The log source identifier must be a unique value. |
Listen Port | The port number that accepts incoming TCP Multiline Syslog events. The default Listen Port is 12468. A changed port number takes effect only after the configuration is deployed. Important: When you click Deploy Full Configuration, QRadar restarts all services, which can create a gap in data collection until the deployment completes. |
Aggregation Method | ID-Linked |
Message ID Pattern | This parameter is available when Aggregation Method is set to ID-Linked. QRadar applies this regular expression (regex) to every received line to decide which lines belong to the same event, so each line of a multiline event must contain a common identifying value, and the regex capture group must match that value. Important: For ClearPass the identifying value is the messageId field, so the capture group must match the part of messageId that is shared by all fragments of one event (5496525-2 in the sample event below; the trailing -0, -1 numbers the fragments). |
Event Formatter | No formatting |
Show Advanced Options | Yes |
Use Custom Source Name | Off |
Use as a Gateway Log Source | Off, unless you have multiple Aruba devices sending to the same port. |
Flatten Multiline Events Into Single Line | On |
Retain Entire Lines During Event Aggregation | Off |
Time Limit | 3 |
Sample event message, received as two fragments (messageId=5496525-2-0 and messageId=5496525-2-1) that the ID-Linked aggregation joins into one event:

```text
<135>Jul 21 14:15:58 10.0.0.0 LEEF:1.0|Aruba Networks|ClearPass|6.10.2.182283|13002|
messageId=5496525-2-0 Common.Username=Test Common.Service=WIRELESS_MAC-AUTH-SERVICE
Common.Roles=IOT-DEVICE, [User Authenticated] RADIUS.Auth-Source=Local:localhost
RADIUS.Auth-Method=MAC-AUTH Common.System-Posture-Token=UNKNOWN
Common.Enforcement-Profiles=WIRELESS_BAS-ROLE, RETURN-DEVICE-NAME Common.Host-MAC-Address=test
Common.NAS-IP-Address=10.0.0.1 Common.Error-Code=0
Common.Alerts=Policy server: Failed to construct filter=SELECT\n
CASE WHEN expire_time is null or expire_time > now() THEN 'false'\n
ELSE 'true'\n END AS is_expired,\n
CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled\nFROM tips_guest_users\nWHERE
((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
\nFailed to get value for attributes=[AccountEnabled, AccountExpired]
Common.Request-Timestamp=2023-07-21 14:15:45-04 src=10.0.0.1
<135>Jul 21 14:15:58 10.0.0.0 LEEF:1.0|Aruba Networks|ClearPass|6.10.2.182283|13002|messageId=5496525-2-1
devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Session Logs
```
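The following Python model of ID-Linked aggregation is an added example, not code from the page or from IBM QRadar. It shows what the Message ID Pattern, Time Limit, Flatten Multiline Events Into Single Line and Retain Entire Lines During Event Aggregation parameters do to a stream of received lines. The regex `messageId=(\d+-\d+)-\d+` is a hypothetical pattern chosen to capture the shared part of the sample's messageId (the page does not print the value to enter); the treatment of Retain Entire Lines = Off as "follow-on fragments keep only the text after the ID match" is an assumption about QRadar's behaviour; and the input lines are constructed, abridged from the sample event above plus one unrelated event and one line with no ID.

```python
import re

# Hypothetical ID pattern (not a value from the page): group 1 must capture the
# part of messageId shared by every fragment of one event, "5496525-2" in the
# sample; the trailing -0, -1 is the fragment counter and is excluded.
MESSAGE_ID_PATTERN = re.compile(r"messageId=(\d+-\d+)-\d+")


class IdLinkedAggregator:
    """Models the TCP Multiline Syslog protocol's ID-Linked aggregation.

    Lines whose ID pattern captures the same value are buffered together and
    emitted as one event once time_limit seconds have passed since the first
    fragment arrived (the Time Limit parameter) or when the stream is closed.
    """

    def __init__(self, id_pattern, time_limit=3.0, flatten=True, retain_entire_lines=False):
        self.id_pattern = id_pattern
        self.time_limit = time_limit
        self.flatten = flatten
        self.retain_entire_lines = retain_entire_lines
        self.pending = {}  # shared ID -> [first_seen, [fragment, ...]]

    def feed(self, line, now):
        """Offer one received line at time 'now'; return the events that became complete."""
        line = line.rstrip("\r\n")
        match = self.id_pattern.search(line)
        if match is None:
            # No linking ID, so the line cannot be aggregated: pass it through as-is.
            return [line] + self.expire(now)
        key = match.group(1)
        if key not in self.pending:
            self.pending[key] = [now, [line]]
        else:
            # Assumption for Retain Entire Lines = Off: follow-on fragments keep only
            # the text after the ID match, so the repeated syslog/LEEF header and
            # messageId are not duplicated inside the joined event.
            fragment = line if self.retain_entire_lines else line[match.end():].lstrip()
            self.pending[key][1].append(fragment)
        return self.expire(now)

    def expire(self, now, force=False):
        """Emit every buffered event whose time limit has elapsed (all of them if force)."""
        done = []
        for key, (first_seen, fragments) in list(self.pending.items()):
            if force or now - first_seen >= self.time_limit:
                done.append(self._join(fragments))
                del self.pending[key]
        return done

    def _join(self, fragments):
        # Flatten Multiline Events Into Single Line = On joins with a space so the
        # DSM receives one line; Off keeps the fragment boundaries as line breaks.
        return (" " if self.flatten else "\n").join(fragments)


HEADER = "<135>Jul 21 14:15:58 10.0.0.0 LEEF:1.0|Aruba Networks|ClearPass|6.10.2.182283|13002|"

# Constructed input as (seconds, line): two fragments of the page's sample event
# (abridged), one fragment of a hypothetical second event, and one ID-less line.
STREAM = [
    (0.0, HEADER + "messageId=5496525-2-0 Common.Username=Test "
          "Common.Service=WIRELESS_MAC-AUTH-SERVICE Common.Roles=IOT-DEVICE, "
          "[User Authenticated] RADIUS.Auth-Method=MAC-AUTH Common.NAS-IP-Address=10.0.0.1"),
    (0.5, HEADER + "messageId=5496525-2-1 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Session Logs"),
    (1.0, HEADER + "messageId=5496526-1-0 Common.Username=Other cat=Session Logs"),
    (1.5, "<135>Jul 21 14:16:00 10.0.0.0 status line without a messageId"),
]


def run(stream, time_limit=3.0, **kwargs):
    """Replay (seconds, line) pairs and return the emitted events in order."""
    agg = IdLinkedAggregator(MESSAGE_ID_PATTERN, time_limit=time_limit, **kwargs)
    events = []
    for ts, line in stream:
        events.extend(agg.feed(line, ts))
    # Closing the connection flushes whatever is still pending, whatever its age.
    events.extend(agg.expire(stream[-1][0], force=True))
    return events


if __name__ == "__main__":
    for event in run(STREAM):
        print(event)
        print("---")
```

Running it shows why the capture group must exclude the fragment counter: if the pattern captured the whole `5496525-2-0`, the two fragments would get different keys and be emitted as two half events, and the DSM would see the Session Logs category on a line with no username. The time-limit check also shows the trade-off behind the value 3: a smaller limit risks splitting events whose fragments arrive slowly, a larger one delays every event by that long.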
For a complete list of TCP Multiline Syslog protocol parameters and their values, see TCP Multiline Syslog protocol configuration options.