Aruba ClearPass Policy Manager sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Aruba ClearPass Policy Manager sample message when you use the syslog protocol
The following sample event message shows that a user with the username "user2" from IP address 10.1.1.5 is logged in to IP address 10.1.1.4 by using TACACS authentication.
<143>Sep 05 2018 09:10:03.062 CDT aruba.clearpass.test LEEF:1.0|Aruba Networks|ClearPass|6.6.10.106403|3006|messageId=00000001-1-0 Tacacs.Username=user2 Tacacs.Remote-Address=10.1.1.3 Tacacs.Request-Type=TACACS_AUTHORIZATION Tacacs.NAS-IP-Address=10.1.1.4 Tacacs.Service=Tacacs Service Name Tacacs.Auth-Source=Tacacs Auth Source Name Tacacs.Roles= [User Authenticated]|Role Name Tacacs.Enforcement-Profiles=Enforcement Profile Name Tacacs.Privilege-Level=1 src=10.1.1.5 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Insight Logs
QRadar field name | Highlighted payload field name |
---|---|
Username | Tacacs.Username |
Destination IP Address | Tacacs.NAS-IP-Address |
Source IP Address | src |
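
To check the mapping above outside QRadar, the following added example (not IBM or Aruba code) parses the sample payload and returns the three mapped fields. The names `parse_leef`, `qradar_fields` and `FIELD_MAP` are hypothetical, and the space-separated fallback assumes that the tab delimiters LEEF 1.0 uses were rendered as spaces in the sample as shown on this page.

```python
import re

# Payload copied from the sample on this page, on one line with no CR/LF.
SAMPLE = (
    "<143>Sep 05 2018 09:10:03.062 CDT aruba.clearpass.test "
    "LEEF:1.0|Aruba Networks|ClearPass|6.6.10.106403|3006|"
    "messageId=00000001-1-0 Tacacs.Username=user2 "
    "Tacacs.Remote-Address=10.1.1.3 Tacacs.Request-Type=TACACS_AUTHORIZATION "
    "Tacacs.NAS-IP-Address=10.1.1.4 Tacacs.Service=Tacacs Service Name "
    "Tacacs.Auth-Source=Tacacs Auth Source Name "
    "Tacacs.Roles= [User Authenticated]|Role Name "
    "Tacacs.Enforcement-Profiles=Enforcement Profile Name "
    "Tacacs.Privilege-Level=1 src=10.1.1.5 "
    "devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Insight Logs"
)
# QRadar field name -> payload field name, from the table on this page.
FIELD_MAP = {
    "Username": "Tacacs.Username",
    "Destination IP Address": "Tacacs.NAS-IP-Address",
    "Source IP Address": "src",
}
# A key is a token that starts the body or follows whitespace and ends in "=".
KEY = re.compile(r"(?:^|[\t ])([A-Za-z][\w.-]*)=")
HEADER = ("version", "vendor", "product", "product_version", "event_id")

def parse_leef(line):
    """Return (header, attrs) for one LEEF 1.0 line."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    # Split on the first five pipes only: attribute values may contain "|".
    parts = line[start:].rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    header, body, attrs = dict(zip(HEADER, parts)), parts[5], {}
    if "\t" in body:  # real tab delimiters: unambiguous split
        for pair in filter(None, body.split("\t")):
            key, _, value = pair.partition("=")
            attrs[key.strip()] = value.strip()
        return header, attrs
    # Space-separated rendering: each value runs up to the next key token.
    hits = list(KEY.finditer(body))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        attrs[m.group(1)] = body[m.end():end].strip()
    return header, attrs

def qradar_fields(line):
    """Pick out the payload fields that the table maps to QRadar fields."""
    _, attrs = parse_leef(line)
    return {name: attrs.get(key) for name, key in FIELD_MAP.items()}
```

The space-separated fallback is a heuristic: a value that itself contains a `word=` token would be split there, so feed the parser the original tab-delimited payload when it is available.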