IBM Support

QRadar: Events for Aruba ClearPass not being parsed due to configuration in Aruba

Troubleshooting


Problem

This article covers one of the most common reasons why Aruba ClearPass events are not parsed by QRadar and are instead mapped to Stored or Unknown.

Cause

Before the Aruba configuration is checked, confirm that the DSM specifications are met, for example:
  • Supported ClearPass versions.
  • Event format.
  • Recorded event types.
  • Whether the latest Aruba ClearPass DSM and protocol RPMs are installed on the QRadar Console.
See the following link for the full specifications:
According to the documentation, QRadar can parse these events only when they arrive in a specific format; only the default column selection in Aruba is supported:
"For Session and Insight® events, full event parsing works only for the default fields that are provided by Aruba ClearPass Policy Manager. Session and Insight events that are created by a user, and have different combinations of fields, might appear as Unknown Session Log, or Unknown Insight Log."

Resolving The Problem

When the documentation says that parsing works only for the default fields, it refers to the list of columns that is preselected when a Field Group is chosen in the Aruba configuration.
For example, to collect TACACS Authentication events, follow these steps:
1. Go to Administration > External Servers > Syslog Export Filters and click Add.
2. Select the TACACS Authentication group from the Predefined Field Groups box.
This selection displays a preselected list of columns (fields) in the Select Columns box. These columns are the default fields:
[Screenshot: the Select Columns box with the default columns preselected for the TACACS Authentication field group]
If this preselected list is changed (columns added, removed, or reordered), Aruba sends events in a layout that QRadar does not recognize, and the events are sent to Stored or Unknown.
3. To confirm the supported Field Groups, columns (fields), and their order, check the following link:
This link lists the supported event types (Export template), the field groups (Predefined field groups), and the columns in their expected order (Default-selected columns):
[Screenshot: documentation table of export templates, predefined field groups, and default-selected columns]
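As an added illustration (not IBM or Aruba code), the following Python script takes the body of a ClearPass syslog export message and compares the field names it carries, in order, with the default column list for the chosen field group. It turns the rule quoted in the Cause section (only the default fields parse) into a check you can run against a payload copied from a Stored or Unknown event in QRadar, and reports which columns were added, removed, or reordered in the Syslog Export Filter. The comma-separated key=value layout, the field names in DEFAULT_COLUMNS, and the sample messages are assumptions made for this example; take the real default list for each field group from the Aruba ClearPass DSM documentation referenced above.

```python
"""Compare the field set of a ClearPass syslog export with the default
columns the QRadar DSM expects for a field group.

Added example for this article, not IBM or Aruba code. The field names,
the key=value payload layout and the sample messages are assumptions;
replace DEFAULT_COLUMNS with the documented default-selected columns.
"""
from dataclasses import dataclass

# Hypothetical default columns for one Predefined Field Group, in the
# order the Select Columns box lists them (placeholder names).
DEFAULT_COLUMNS = {
    "TACACS Authentication": [
        "Common.Username",
        "Common.Service",
        "Common.Roles",
        "Common.NAS-IP-Address",
        "TACACS.Auth-Method",
    ],
}


@dataclass
class FieldCheck:
    group: str
    observed: list      # field names in the order they appeared
    missing: list       # default columns absent from the payload
    extra: list         # columns present that are not default
    reordered: bool     # same set of columns, different order

    @property
    def matches_default(self):
        return not (self.missing or self.extra or self.reordered)


def parse_pairs(body):
    """Split 'k1=v1,k2=v2,...' into (key, value) pairs, preserving order.

    A token without '=' is treated as the continuation of the previous
    value (a comma inside a value such as a role list), so the body
    cannot simply be split on commas and zipped. Assumes the syslog
    header has already been stripped from the message.
    """
    pairs = []
    for token in body.split(","):
        if "=" in token:
            key, _, value = token.partition("=")
            pairs.append([key.strip(), value])
        elif pairs:
            pairs[-1][1] += "," + token
    return [(key, value) for key, value in pairs]


def check_fields(body, group):
    """Report how the payload's columns differ from the group's defaults."""
    expected = DEFAULT_COLUMNS[group]
    observed = [key for key, _ in parse_pairs(body)]
    missing = [f for f in expected if f not in observed]
    extra = [f for f in observed if f not in expected]
    reordered = not missing and not extra and observed != expected
    return FieldCheck(group, observed, missing, extra, reordered)


# Constructed sample bodies (assumed layout, syslog header removed).
# Export from a filter that kept the preselected columns:
DEFAULT_EXPORT = ("Common.Username=alice,Common.Service=Network Admins,"
                  "Common.Roles=[Admin],Common.NAS-IP-Address=10.0.0.5,"
                  "TACACS.Auth-Method=PAP")
# Same filter after an operator added a column in the Select Columns box
# (note the comma inside the role list, which the parser must not split on):
CUSTOM_EXPORT = ("Common.Username=bob,Common.Service=Network Admins,"
                 "Common.Roles=[Operator, Admin],Common.NAS-IP-Address=10.0.0.6,"
                 "Common.Request-Timestamp=2022-03-09 16:24:36,"
                 "TACACS.Auth-Method=PAP")
# Same filter after a default column was removed:
REDUCED_EXPORT = ("Common.Username=carol,Common.Service=Network Admins,"
                  "Common.NAS-IP-Address=10.0.0.7,TACACS.Auth-Method=PAP")

if __name__ == "__main__":
    for name, body in (("default", DEFAULT_EXPORT),
                       ("custom", CUSTOM_EXPORT),
                       ("reduced", REDUCED_EXPORT)):
        result = check_fields(body, "TACACS Authentication")
        if result.matches_default:
            print(f"{name}: matches the default columns, should parse")
        else:
            print(f"{name}: missing={result.missing} extra={result.extra} "
                  f"reordered={result.reordered}; expect Stored/Unknown")
```

Run it against a payload taken from an Unknown event and, if the report shows any extra, missing, or reordered column, reset the Select Columns box in the ClearPass Syslog Export Filter to the preselected list for that field group.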

Document Location

Worldwide


Document Information

Modified date:
09 May 2022

UID

ibm16562355