Configuring Aruba ClearPass Policy Manager to communicate with QRadar

To collect syslog events from Aruba ClearPass Policy Manager, you must add an external syslog server for the IBM QRadar host, then create one or more syslog filters for your syslog server.

About this task

For Session and Insight® events, full event parsing works only for the default fields that Aruba ClearPass Policy Manager provides. Session and Insight events that a user creates with a different combination of fields might appear in QRadar as Unknown Session Log or Unknown Insight Log.

The following table shows the field categories and their default fields that you can use:

Table 1. Default categories and fields for Session and Insight events provided by Aruba ClearPass Policy Manager

Columns: Export template | Predefined field group | Default-selected columns

Insight Logs | Radius Authentications
    Auth.Username (mandatory), Auth.Host-MAC-Address, Auth.Protocol = RADIUS (mandatory), Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Roles, Auth.Enforcement-Profiles

Insight Logs | Radius Failed Authentications
    Auth.Username (mandatory), Auth.Host-MAC-Address, Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Service, CppmErrorCode.Error-Code-Details (mandatory), CppmAlert.Alerts

Insight Logs | RADIUS Accounting
    Radius.Username (mandatory), Radius.Calling-Station-Id, Radius.Framed-IP-Address, Radius.NAS-IP-Address, Radius.Start-Time (mandatory), Radius.End-Time, Radius.Duration (mandatory), Radius.Input-bytes, Radius.Output-bytes

Insight Logs | tacacs Authentication
    tacacs.Username (mandatory), tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, tacacs.Auth-Source, tacacs.Roles, tacacs.Enforcement-Profiles, tacacs.Privilege-Level

Insight Logs | TACACS authentication succeeded
    tacacs.Username (mandatory), TACACS.Error-code (mandatory), Comma.Login-Status, Tacacs.Roles

Insight Logs | tacacs Failed Authentication
    tacacs.Username (mandatory), tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, CppmErrorCode.Error-Code-Details, TACACS.Error-code (mandatory), CppmAlert.Alerts

Insight Logs | Application Authentication
    Auth.Username (mandatory), Auth.Host-IP-Address (mandatory), Auth.Protocol (mandatory), CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles

Insight Logs | Failed Application Authentication
    Auth.Username (mandatory), Auth.Host-IP-Address (mandatory), Auth.Protocol (mandatory), CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, CppmErrorCode.Error-Code-Details (mandatory), CppmAlert.Alerts

Insight Logs | Endpoints
    Endpoint.MAC-Address (mandatory), Endpoint.MAC-Vendor, Endpoint.IP-Address, Endpoint.Username, Endpoint.Device-Category, Endpoint.Device-Family, Endpoint.Device-Name, Endpoint.Conflict, Endpoint.Status, Endpoint.Added-At, Endpoint.Updated-At

Insight Logs | Clearpass Guest
    Guest.Username (mandatory), Guest.MAC-Address, Guest.Visitor-Name, Guest.Visitor-Company, Guest.Role-Name, Guest.Enabled, Guest.Created-At, Guest.Starts-At, Guest.Expires-At

Insight Logs | Onboard Enrollment
    OnboardEnrollment.Username (mandatory), OnboardEnrollment.Device-Name, OnboardEnrollment.MAC-Address, OnboardEnrollment.Device-Product, OnboardEnrollment.Device-Version, OnboardEnrollment.Added-At, OnboardEnrollment.Updated-At

Insight Logs | Onboard Certificate
    OnboardCert.Username (mandatory), OnboardCert.Mac-Address, OnboardCert.Subject, OnboardCert.Issuer, OnboardCert.Valid-From, OnboardCert.Valid-To, OnboardCert.Revoked-At

Insight Logs | Onboard OCSP
    OnboardOCSP.Remote-Address (mandatory), OnboardOCSP.Response-Status-Name, OnboardOCSP.Timestamp

Insight Logs | Clearpass System Events
    CppmNode.CPPM-Node, CppmSystemEvent.Source (mandatory), CppmSystemEvent.Level, CppmSystemEvent.Category, CppmSystemEvent.Action, CppmSystemEvent.Timestamp

Insight Logs | Clearpass Configuration Audit
    CppmConfigAudit.Name (mandatory), CppmConfigAudit.Action, CppmConfigAudit.Category, CppmConfigAudit.Updated-By, CppmConfigAudit.Updated-At

Insight Logs | Posture Summary
    Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Username, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token (mandatory), Endpoint.Posture-Healthy, Endpoint.Posture-Unhealthy

Insight Logs | Posture Firewall Summary
    Endpoint.MAC-Address (mandatory), Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Username, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Firewall-APT (mandatory), Endpoint.Firewall-Input, Endpoint.Firewall-Output

Insight Logs | Posture Antivirus Summary
    Endpoint.MAC-Address (mandatory), Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Username, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antivirus-APT (mandatory), Endpoint.Antivirus-Input, Endpoint.Antivirus-Output

Insight Logs | Posture Antispyware Summary
    Endpoint.MAC-Address (mandatory), Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Username, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antispyware-APT (mandatory), Endpoint.Antispyware-Input, Endpoint.Antispyware-Output

Insight Logs | Posture DiskEncryption Summary
    Endpoint.MAC-Address (mandatory), Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Username, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.DiskEncryption-APT (mandatory), Endpoint.DiskEncryption-Input, Endpoint.DiskEncryption-Output

Insight Logs | Posture Windows Hotfixes Summary
    Endpoint.MAC-Address (mandatory), Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Username, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.HotFixes-APT (mandatory), Endpoint.HotFixes-Input, Endpoint.HotFixes-Output

Session Logs | Logged in Users
    Common.Username (mandatory), Common.Service (mandatory), Common.Roles, Common.Host-MAC-Address (mandatory), RADIUS.Acct-Framed-IP-Address (mandatory), Common.NAS-IP-Address, Common.Request-Timestamp

Session Logs | Failed Authentications
    Common.Username (mandatory), Common.Service (mandatory), Common.Roles, RADIUS.Auth-Source, RADIUS.Auth-Method, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Host-MAC-Address (mandatory), Common.NAS-IP-Address, Common.Error-Code (mandatory), Common.Alerts, Common.Request-Timestamp

Session Logs | RADIUS Accounting
    RADIUS.Acct-Username (mandatory), RADIUS.Acct-NAS-IP-Address, RADIUS.Acct-NAS-Port, RADIUS.Acct-NAS-Port-Type, RADIUS.Acct-Calling-Station-Id, RADIUS.Acct-Framed-IP-Address, RADIUS.Acct-Session-Id (mandatory), RADIUS.Acct-Session-Time, RADIUS.Acct-Output-Pkts, RADIUS.Acct-Input-Pkts, RADIUS.Acct-Output-Octets, RADIUS.Acct-Input.Octets, RADIUS.Acct-Service-Name, RADIUS.Acct-Timestamp (mandatory)

Session Logs | tacacs+ Administration
    Common.Username, Common.Service, tacacs.Remote-Address (mandatory), tacacs.Privilege.Level (mandatory), Common.Request-Timestamp

Session Logs | tacacs+ Accounting
    Common.Username, Common.Service, tacacs.Remote-Address (mandatory), tacacs.Acct-Flags (mandatory), tacacs.Privilege.Level (mandatory), Common.Request-Timestamp

Session Logs | Web Authentication
    Common.Username, Common.Host-MAC-Address, WEBAUTH.Host-IP-Address (mandatory), Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp

Session Logs | Guest Access
    Common.Username (mandatory), RADIUS.Auth-Method, Common.Host-MAC-Address, Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp

Session Logs | Guest Access Succeeded
    Common.Username (mandatory), Common.Error-Code = 0 (mandatory), Common.Service, Common.Host-MAC-Address, Common.NAS-IP-Address, Common.Request-Timestamp, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Alerts

Session Logs | Network Access
    Common.Username (mandatory), Common.Roles (mandatory), Common.Service, Common.Host-MAC-Address, Common.Request-Timestamp, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Alerts

Session Logs | Network Access Succeeded
    Common.Username (mandatory), Common.Roles (mandatory), Common.Error-Code = 0 (mandatory), Common.Service, Common.Host-MAC-Address, Common.NAS-IP-Address, Common.Request-Timestamp, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Alerts

Session Logs | MAC Authentication
    Common.Service (must contain the keyword "mac-authentication"), Common.Username, Common.Roles, Common.Host-MAC-Address, Common.NAS-IP-Address, Common.Request-Timestamp

Session Logs | SSID Authentication
    Common.Service (must contain "SSID" OR "authentication"), Common.Username, Common.Request-Timestamp, Common.Error-Code

Session Logs | SSID Authentication Failed
    Common.Service (must contain "SSID" OR "authentication"), Common.Error-Code > 0 (mandatory), Common.Username, Common.Request-Timestamp, Common.Error-Code
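The practical consequence of Table 1 is that a custom syslog export filter which drops one of the mandatory columns will reach QRadar as an Unknown Session Log or Unknown Insight Log rather than as a parsed event. The script below is an added example, not code from IBM or from the ClearPass product: it parses a LEEF 1.0/2.0 syslog payload (the format selected in the procedure that follows) and reports, for a chosen export template, which predefined field group the event satisfies, or which mandatory columns are missing. It assumes that the LEEF attribute keys carry the same names as the columns in Table 1 (for example Common.Username); the real key names, the LEEF vendor/product/event-ID header values and the two sample events are constructed for illustration, and only a subset of the table's groups is encoded.

```python
"""Check a ClearPass LEEF syslog event against the mandatory columns of
Table 1 (added example; assumes LEEF attribute keys equal the column names).
Value constraints from the table (Error-Code = 0, Error-Code > 0, Service
keyword matches) are not evaluated here, only column presence."""
import re

# Mandatory columns per (export template, predefined field group),
# copied from Table 1 for a subset of the groups.
MANDATORY = {
    ("Insight Logs", "Radius Authentications"):
        {"Auth.Username", "Auth.Protocol"},
    ("Insight Logs", "Radius Failed Authentications"):
        {"Auth.Username", "CppmErrorCode.Error-Code-Details"},
    ("Insight Logs", "RADIUS Accounting"):
        {"Radius.Username", "Radius.Start-Time", "Radius.Duration"},
    ("Session Logs", "Logged in Users"):
        {"Common.Username", "Common.Service", "Common.Host-MAC-Address",
         "RADIUS.Acct-Framed-IP-Address"},
    ("Session Logs", "Failed Authentications"):
        {"Common.Username", "Common.Service", "Common.Host-MAC-Address",
         "Common.Error-Code"},
    ("Session Logs", "Network Access Succeeded"):
        {"Common.Username", "Common.Roles", "Common.Error-Code"},
}


def _decode_delim(spec):
    """LEEF 2.0 names its attribute delimiter either as a literal character
    or as a hex code such as x09 / 0x09."""
    if re.fullmatch(r"(0x|x)[0-9A-Fa-f]{1,4}", spec):
        return chr(int(spec.split("x", 1)[1], 16))
    return spec or "\t"


def parse_leef(line):
    """Parse 'LEEF:Version|Vendor|Product|ProductVersion|EventID|[delim|]attrs'.
    A syslog prefix before 'LEEF:' is tolerated. LEEF 1.0 attributes are
    tab-separated; LEEF 2.0 carries an explicit delimiter field."""
    m = re.search(r"LEEF:(\d+\.\d+)\|", line)
    if not m:
        raise ValueError("not a LEEF event")
    parts = line[m.end():].split("|", 4)  # Vendor, Product, Version, EventID, rest
    if len(parts) < 5:
        raise ValueError("truncated LEEF header")
    vendor, product, version, event_id, rest = parts
    if m.group(1).startswith("2") and "|" in rest:
        delim_spec, _, blob = rest.partition("|")
        delim = _decode_delim(delim_spec)
    else:
        delim, blob = "\t", rest  # LEEF 1.0, or 2.0 with delimiter omitted
    attrs = {}
    for kv in blob.split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}


def check_event(line, template):
    """Return {'matched': [groups whose mandatory columns are all present],
    'nearest': (group, sorted missing columns) for the closest group when
    nothing matched, else None}. An event with no matched group is the
    kind that QRadar shows as Unknown Session Log / Unknown Insight Log."""
    keys = set(parse_leef(line)["attrs"])
    matched, nearest = [], None
    for (tmpl, group), required in MANDATORY.items():
        if tmpl != template:
            continue
        missing = sorted(required - keys)
        if not missing:
            matched.append(group)
        elif nearest is None or len(missing) < len(nearest[1]):
            nearest = (group, missing)
    return {"matched": matched, "nearest": None if matched else nearest}


# Constructed sample events (header values and keys are placeholders).
DEFAULT_FILTER_EVENT = (
    "<14>Jan  1 12:00:00 cppm LEEF:2.0|Aruba|ClearPass|0.0|SessionLog|^|"
    "Common.Username=alice^Common.Service=Employee Network Access^"
    "Common.Host-MAC-Address=00:11:22:33:44:55^"
    "RADIUS.Acct-Framed-IP-Address=10.0.0.5^"
    "Common.Request-Timestamp=2024-01-01 12:00:00"
)
CUSTOM_FILTER_EVENT = (
    "LEEF:1.0|Aruba|ClearPass|0.0|SessionLog|"
    "Common.Username=bob\tCommon.Service=Guest Access\t"
    "Common.Roles=[Guest]\tCommon.Request-Timestamp=2024-01-01 12:05:00"
)

if __name__ == "__main__":
    for name, ev in (("default filter", DEFAULT_FILTER_EVENT),
                     ("custom filter", CUSTOM_FILTER_EVENT)):
        print(name, check_event(ev, "Session Logs"))
```

Run it against a capture of your own syslog target's output after adjusting MANDATORY and the key names to what your ClearPass version actually emits; an event whose nearest group still lists missing columns is one whose export filter needs the mandatory columns from Table 1 added back.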

Procedure

  1. Log in to your Aruba ClearPass Policy Manager server.
  2. Start the Administration Console.
  3. Click External Servers > Syslog Targets.
  4. Click Add, and then configure the details for the QRadar host.
  5. On the Administration Console, click External Servers > Syslog Export Filters.
  6. Click Add.
  7. Select LEEF for the Export Event Format Type, and then select the Syslog Server that you added.
  8. Click Save.