TCP Multiline Syslog log source parameters for Aruba ClearPass Policy Manager

The Aruba ClearPass Policy Manager DSM for IBM QRadar accepts syslog events from log sources that are configured with the TCP Multiline Syslog protocol when the events arrive fragmented across multiple syslog lines.

If QRadar does not automatically detect a log source, add the Aruba ClearPass Policy Manager log source on the QRadar Console by using the TCP Multiline Syslog protocol.

The following table describes the parameters that require specific values to collect TCP Multiline Syslog events from Aruba ClearPass Policy Manager:
Table 1. TCP Multiline Syslog log source parameters for the Aruba ClearPass Policy Manager DSM

Log Source type: Aruba ClearPass Policy Manager

Protocol Configuration: TCP Multiline Syslog

Log Source Identifier: Type the IP address or host name that identifies the log source.

  To use a source name instead of a log source identifier, select Use Custom Source Name and enter the values for Source Name Regex and Source Name Formatting String.

  Important: These parameters are available only if Show Advanced Options is set to Yes.

  The log source identifier must be a unique value.

Listen Port: The port number that accepts incoming TCP Multiline Syslog events.

  The default Listen Port is 12468.

  To edit the port number, complete the following steps:
    1. Enter the new port number for the protocol.
    2. Click Save.
    3. Under the Admin tab, click Advanced > Deploy Full Configuration.

  Important: When the admin clicks Deploy Full Configuration, the system restarts all services, which can create a gap in data collection until the deployment is completed.

Aggregation Method: ID-Linked

Message ID Pattern: This parameter is available when you set Aggregation Method to ID-Linked.

  This regular expression (regex) is used to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message.

  Important: For the message ID, enter this pattern:
  messageId=(\d+)\d\d

Event Formatter: No formatting

Show Advanced Options: Yes

Use Custom Source Name: Off

Use as a Gateway Log Source: Off, unless you have multiple Aruba devices sending to the same port.

Flatten Multiline Events Into Single Line: On

Retain Entire Lines During Event Aggregation: Off

Time Limit: 3
The following is a sample event message from Aruba ClearPass Policy Manager for the TCP Multiline Syslog protocol:
<135>Jul 21 14:15:58 10.0.0.0 LEEF:1.0|Aruba Networks|ClearPass|6.10.2.182283|13002|
messageId=5496525-2-0	Common.Username=Test	Common.Service=WIRELESS_MAC-AUTH-SERVICE	
Common.Roles=IOT-DEVICE, [User Authenticated] 	RADIUS.Auth-Source=Local:localhost	
RADIUS.Auth-Method=MAC-AUTH	Common.System-Posture-Token=UNKNOWN	
Common.Enforcement-Profiles=WIRELESS_BAS-ROLE, RETURN-DEVICE-NAME	Common.Host-MAC-Address=test	
Common.NAS-IP-Address=10.0.0.1	Common.Error-Code=0	
Common.Alerts=Policy server: Failed to construct filter=SELECT\n      
CASE WHEN expire_time is null or expire_time > now() THEN 'false'\n      
ELSE 'true'\n      END AS is_expired,\n      
CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled\nFROM tips_guest_users\nWHERE 
((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
\nFailed to get value for attributes=[AccountEnabled, AccountExpired]	
Common.Request-Timestamp=2023-07-21 14:15:45-04	src=10.0.0.1
<135>Jul 21 14:15:58 10.0.0.0 LEEF:1.0|Aruba Networks|ClearPass|6.10.2.182283|13002|messageId=5496525-2-1   
devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z	cat=Session Logs
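To show what the Message ID Pattern and ID-Linked aggregation settings from the table do to fragments like the sample above, here is an added Python simulation. It is not QRadar's own code and simplifies its aggregation logic; it applies the page's regex to constructed fragments modelled on the sample and joins those that share a captured ID. The third input line and the `link_id`/`aggregate` names are assumptions.

```python
import re
from collections import OrderedDict

# The Message ID Pattern exactly as the table above specifies it.
MESSAGE_ID_PATTERN = re.compile(r"messageId=(\d+)\d\d")

# Constructed input: the two fragments of the page's sample event (shortened) plus a
# third, unrelated fragment with a different messageId. Fields are tab-separated.
HEADER = "<135>Jul 21 14:15:58 10.0.0.0 LEEF:1.0|Aruba Networks|ClearPass|6.10.2.182283|13002|"
SAMPLE_LINES = [
    HEADER + "messageId=5496525-2-0\tCommon.Username=Test\tCommon.Service=WIRELESS_MAC-AUTH-SERVICE",
    HEADER + "messageId=5496525-2-1\tdevTimeFormat=MMM dd yyyy HH:mm:ss.SSS z\tcat=Session Logs",
    HEADER + "messageId=5496601-1-0\tCommon.Username=Other\tcat=Session Logs",
]


def link_id(line):
    """Return the value the pattern captures from a line, or None when it does not match."""
    match = MESSAGE_ID_PATTERN.search(line)
    return match.group(1) if match else None


def aggregate(lines, flatten=True):
    """Join fragments that share a captured ID into one event (ID-Linked aggregation).

    With flatten=True the fragments are joined with a space, mimicking Flatten Multiline
    Events Into Single Line = On. Lines with no ID are passed through unchanged, and the
    Time Limit is assumed never to expire within the supplied input.
    """
    groups = OrderedDict()
    passthrough = []
    for line in lines:
        key = link_id(line)
        if key is None:
            passthrough.append(line)
        else:
            groups.setdefault(key, []).append(line)
    separator = " " if flatten else "\n"
    return [separator.join(frags) for frags in groups.values()] + passthrough


if __name__ == "__main__":
    for event in aggregate(SAMPLE_LINES):
        print(link_id(event), "->", event[:90], "...")
```

Because the pattern ends in `\d\d`, the captured linking value is the numeric prefix minus its last two digits (54965 for messageId=5496525-2-0), so fragments whose IDs differ only in those two digits would be linked together; check the captured value against your own payloads before relying on it.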

For a complete list of TCP Multiline Syslog protocol parameters and their values, see TCP Multiline Syslog protocol configuration options.