Collect Aruba ClearPass logs

Supported in:

This document explains how to collect Aruba ClearPass logs by using Bindplane. The parser attempts to cleanse and structure the incoming logs by removing extraneous fields and standardizing the message format. Then, depending on whether the log follows the CEF format or a different structure, the code uses a combination of grok patterns, key-value extractions, and conditional logic to map relevant fields to the unified data model (UDM), ultimately categorizing each event into a specific security event type.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to an Aruba ClearPass.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        udplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:514"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: CLEARPASS
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - udplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure Aruba ClearPass syslog server

  1. Sign in to the ClearPass Policy Manager console.
  2. Select Administration > External servers > Syslog targets.
  3. Click Add.
  4. In the Add syslog target window that appears, specify the following details:
    • Host address: enter the Bindplane IP address.
    • Server port: enter the Bindplane port number.
    • Protocol: select UDP (you can also select TCP, depending on your Bindplane configuration).
  5. Click Save.

Configure syslog export filters

  1. Go to Administration > External servers > Syslog export filters.
  2. Click Add.
  3. In the Add Syslog Filters window that appears, specify the following in the General tab:
    • Name: enter the syslog export filter name based on the table in Export template items.
    • Export template: select the appropriate export template based on the table in Export template items.
    • Export event format type: select Standard.
    • Syslog servers: select the Bindplane IP address.
  4. In the Export template list, when you select the Session or Insight export templates, the Filter and columns tab is enabled. Complete the following steps:
    • Click the Filter and columns tab.
    • Data filter: make sure the default value All requests is selected.
    • Column selection: select the predefined field group based on the table in Export template items.
    • Selected columns: verify that the automatically populated fields match the table in Export template items.
    • Click the Summary tab.
    • Click Save.
  5. In the Export template list, when you select the System events and Audit records export templates, the Filter and columns tab is not enabled. Proceed to the Summary tab and click Save.
  6. Repeat steps to add syslog export filters for all Session, Insight, Audit records and System events export templates based on the details from the table in Summary of export template items.

Export template items

The following table describes the items that you need to configure for each export template. The default fields that are listed in Selected Columns are supported for event parsing. Ensure all fields that are mentioned in the table under Selected columns (default) are present and in the same order. Make sure to create syslog export filter templates exactly as provided in table, including the case-sensitive name of the filter.

Syslog export filter name (case sensitive) Export template Predefined field groups Selected columns (default)
ACPPM_radauth Insight Logs Radius Authentications Auth.Username
Auth.Host-MAC-Address
Auth.Protocol
Auth.NAS-IP-Address
CppmNode.CPPM-Node
Auth.Login-Status
Auth.Service
Auth.Source
Auth.Roles
Auth.Enforcement-Profiles
ACPPM_radfailedauth Insight Logs Radius Failed Authentications Auth.Username
Auth.Host-MAC-Address
Auth.NAS-IP-Address
CppmNode.CPPM-Node
Auth.Service
CppmErrorCode.Error-Code-Details
CppmAlert.Alerts
ACPPM_radacct Insight Logs RADIUS Accounting Radius.Username
Radius.Calling-Station-Id
Radius.Framed-IP-Address
Radius.NAS-IP-Address
Radius.Start-Time
Radius.End-Time
Radius.Duration
Radius.Input-bytes
Radius.Output-bytes
ACPPM_tacauth Insight Logs tacacs Authentication tacacs.Username
tacacs.Remote-Address
tacacs.Request-Type
tacacs.NAS-IP-Address
tacacs.Service
tacacs.Auth-Source
tacacs.Roles
tacacs.Enforcement-Profiles
tacacs.Privilege-Level
ACPPM_tacfailedauth Insight Logs tacacs Failed Authentication tacacs.Username
tacacs.Remote-Address
tacacs.Request-Type
tacacs.NAS-IP-Address
tacacs.Service
CppmErrorCode.Error-Code-Details
CppmAlert.Alerts
ACPPM_webauth Insight Logs WEBAUTH Auth.Username
Auth.Host-MAC-Address
Auth.Host-IP-Address
Auth.Protocol
Auth.System-Posture-Token
CppmNode.CPPM-Node
Auth.Login-Status
Auth.Service
Auth.Source
Auth.Roles
Auth.Enforcement-Profiles
ACPPM_webfailedauth Insight Logs WEBAUTH Failed Authentications Auth.Username
Auth.Host-MAC-Address
Auth.Host-IP-Address
Auth.Protocol
Auth.System-Posture-Token
CppmNode.CPPM-Node
Auth.Login-Status
Auth.Service
CppmErrorCode.Error-Code-Details
CppmAlert.Alerts
ACPPM_appauth Insight Logs Application Authentication Auth.Username
Auth.Host-IP-Address
Auth.Protocol
CppmNode.CPPM-Node
Auth.Login-Status
Auth.Service
Auth.Source
Auth.Roles
Auth.Enforcement-Profiles
ACPPM_failedappauth Insight Logs Failed Application Authentication Auth.Username
Auth.Host-IP-Address
Auth.Protocol
CppmNode.CPPM-Node
Auth.Login-Status
Auth.Service
CppmErrorCode.Error-Code-Details
CppmAlert.Alerts
ACPPM_endpoints Insight Logs Endpoints Endpoint.MAC-Address
Endpoint.MAC-Vendor
Endpoint.IP-Address
Endpoint.Username
Endpoint.Device-Category
Endpoint.Device-Family
Endpoint.Device-Name
Endpoint.Conflict
Endpoint.Status
Endpoint.Added-At
Endpoint.Updated-At
ACPPM_cpguest Insight Logs Clearpass Guest Guest.Username
Guest.MAC-Address
Guest.Visitor-Name
Guest.Visitor-Company
Guest.Role-Name
Guest.Enabled
Guest.Created-At
Guest.Starts-At
Guest.Expires-At
ACPPM_onbenroll Insight Logs Onboard Enrollment OnboardEnrollment.Username
OnboardEnrollment.Device-Name
OnboardEnrollment.MAC-Address
OnboardEnrollment.Device-Product
OnboardEnrollment.Device-Version
OnboardEnrollment.Added-At
OnboardEnrollment.Updated-At
ACPPM_onbcert Insight Logs Onboard Certificate OnboardCert.Username
OnboardCert.Mac-Address
OnboardCert.Subject
OnboardCert.Issuer
OnboardCert.Valid-From
OnboardCert.Valid-To
OnboardCert.Revoked-At
ACPPM_onboscp Insight Logs Onboard OCSP OnboardOCSP.Remote-Address
OnboardOCSP.Response-Status-Name
OnboardOCSP.Timestamp
ACPPM_cpsysevent Insight Logs Clearpass System Events CppmNode.CPPM-Node
CppmSystemEvent.Source
CppmSystemEvent.Level
CppmSystemEvent.Category
CppmSystemEvent.Action
CppmSystemEvent.Timestamp
ACPPM_cpconfaudit Insight Logs Clearpass Configuration Audit CppmConfigAudit.Name
CppmConfigAudit.Action
CppmConfigAudit.Category
CppmConfigAudit.Updated-By
CppmConfigAudit.Updated-At
ACPPM_possummary Insight Logs Posture Summary Endpoint.MAC-Address
Endpoint.IP-Address
Endpoint.Hostname
Endpoint.Usermame
Endpoint.System-Agent-Type
Endpoint.System-Agent-Version
Endpoint.System-Client-OS
Endpoint.System-Posture-Token
Endpoint.Posture-Healthy
Endpoint.Posture-Unhealthy
ACPPM_posfwsummary Insight Logs Posture Firewall Summary Endpoint.MAC-Address
Endpoint.IP-Address
Endpoint.Hostname
Endpoint.Usermame
Endpoint.System-Agent-Type
Endpoint.System-Agent-Version
Endpoint.System-Client-OS
Endpoint.System-Posture-Token
Endpoint.Firewall-APT
Endpoint.Firewall-Input
Endpoint.Firewall-Output
ACPPM_poavsummary Insight Logs Posture Antivirus Summary Endpoint.MAC-Address
Endpoint.IP-Address
Endpoint.Hostname
Endpoint.Usermame
Endpoint.System-Agent-Type
Endpoint.System-Agent-Version
Endpoint.System-Client-OS
Endpoint.System-Posture-Token
Endpoint.Antivirus-APT
Endpoint.Antivirus-Input
Endpoint.Antivirus-Output
ACPPM_posassummary Insight Logs Posture Antispyware Summary Endpoint.MAC-Address
Endpoint.IP-Address
Endpoint.Hostname
Endpoint.Usermame
Endpoint.System-Agent-Type
Endpoint.System-Agent-Version
Endpoint.System-Client-OS
Endpoint.System-Posture-Token
Endpoint.Antispyware-APT
Endpoint.Antispyware-Input
Endpoint.Antispyware-Output
ACPPM_posdskencrpsummary Insight Logs Posture DiskEncryption Summary Endpoint.MAC-Address
Endpoint.IP-Address
Endpoint.Hostname
Endpoint.Usermame
Endpoint.System-Agent-Type
Endpoint.System-Agent-Version
Endpoint.System-Client-OS
Endpoint.System-Posture-Token
Endpoint.DiskEncryption-APT
Endpoint.DiskEncryption-Input
Endpoint.DiskEncryption-Output
ACPPM_loggedusers Session Logs Logged in Users Common.Username
Common.Service
Common.Roles
Common.Host-MAC-Address
RADIUS.Acct-Framed-IP-Address
Common.NAS-IP-Address
Common.Request-Timestamp
ACPPM_failedauth Session Logs Failed Authentications Common.Username
Common.Service
Common.Roles
RADIUS.Auth-Source
RADIUS.Auth-Method
Common.System-Posture-Token
Common.Enforcement-Profiles
Common.Host-MAC-Address
Common.NAS-IP-Address
Common.Error-Code
Common.Alerts
Common.Request-Timestamp
ACPPM_radacctsession Session Logs RADIUS Accounting RADIUS.Acct-Username
RADIUS.Acct-NAS-IP-Address
RADIUS.Acct-NAS-Port
RADIUS.Acct-NAS-Port-Type
RADIUS.Acct-Calling-Station-Id
RADIUS.Acct-Framed-IP-Address
RADIUS.Acct-Session-Id
RADIUS.Acct-Session-Time
RADIUS.Acct-Output-Pkts
RADIUS.Acct-Input-Pkts
RADIUS.Acct-Output-Octets
RADIUS.Acct-Input.Octets
RADIUS.Acct-Service-Name
RADIUS.Acct-Timestamp
ACPPM_tacadmin Session Logs tacacs+ Administration Common.Username
Common.Service
tacacs.Remote-Address
tacacs.Privilege.Level
Common.Request-Timestamp
ACPPM_tacacct Session Logs tacacs+ Accounting Common.Username
Common.Service
tacacs.Remote-Address
tacacs.Acct-Flags
tacacs.Privilege.Level
Common.Request-Timestamp
ACPPM_webauthsession Session Logs Web Authentication Common.Username
Common.Host-MAC-Address
WEBAUTH.Host-IP-Address
Common.Roles
Common.System-Posture-Token
Common.Enforcement-Profiles
Common.Request-Timestamp
ACPPM_guestacc Session Logs Guest Access Common.Username
RADIUS.Auth-Method
Common.Host-MAC-Address
Common.Roles
Common.System-Posture-Token
Common.Enforcement-Profiles
Common.Request-Timestamp
ACPPM_auditrecords Audit Records Not Applicable Not Applicable
ACPPM_systemevents System Events Not Applicable Not Applicable

UDM Mapping Table

Log field UDM mapping Logic
Action security_result.action Value is mapped from 'Action' field if its value is 'ALLOW' or 'BLOCK'
Auth.Enforcement-Profiles security_result.detection_fields.value Value is mapped from 'Auth.Enforcement-Profiles' field
Auth.Host-MAC-Address principal.mac Value is mapped from 'Auth.Host-MAC-Address' field after converting it to colon-separated MAC address format
Auth.Login-Status security_result.detection_fields.value Value is mapped from 'Auth.Login-Status' field
Auth.NAS-IP-Address target.ip Value is mapped from 'Auth.NAS-IP-Address' field
Auth.Protocol intermediary.application Value is mapped from 'Auth.Protocol' field
Auth.Service security_result.detection_fields.value Value is mapped from 'Auth.Service' field
Auth.Source principal.hostname Value is mapped from 'Auth.Source' field after removing any leading alphanumeric characters and spaces
Auth.Username principal.user.user_display_name Value is mapped from 'Auth.Username' field
Category metadata.event_type If value is 'Logged in', UDM field is set to 'USER_LOGIN'. If value is 'Logged out', UDM field is set to 'USER_LOGOUT'
Common.Alerts security_result.description Value is mapped from 'Common.Alerts' field
Common.Enforcement-Profiles security_result.detection_fields.value Value is mapped from 'Common.Enforcement-Profiles' field
Common.Login-Status security_result.detection_fields.value Value is mapped from 'Common.Login-Status' field
Common.NAS-IP-Address target.ip Value is mapped from 'Common.NAS-IP-Address' field
Common.Roles principal.user.group_identifiers Value is mapped from 'Common.Roles' field
Common.Service security_result.detection_fields.value Value is mapped from 'Common.Service' field
Common.Username principal.user.userid Value is mapped from 'Common.Username' field
Component intermediary.application Value is mapped from 'Component' field
Description metadata.description Value is mapped from 'Description' field after replacing newline characters with pipe symbol. If 'Description' field contains 'User', 'Address', and 'Role', then it is parsed as key-value pairs and mapped to corresponding UDM fields. If 'Description' field contains 'Unable connection with', then the target hostname is extracted and mapped to 'target.hostname'
EntityName principal.hostname Value is mapped from 'EntityName' field
InterIP target.ip Value is mapped from 'InterIP' field
Level security_result.severity If value is 'ERROR' or 'FATAL', UDM field is set to 'HIGH'. If value is 'WARN', UDM field is set to 'MEDIUM'. If value is 'INFO' or 'DEBUG', UDM field is set to 'LOW'
LogNumber metadata.product_log_id Value is mapped from 'LogNumber' field
RADIUS.Acct-Framed-IP-Address principal.ip Value is mapped from 'RADIUS.Acct-Framed-IP-Address' field
Timestamp metadata.event_timestamp Value is mapped from 'Timestamp' field after converting it to UTC and parsing it as a timestamp
User principal.user.userid Value is mapped from 'User' field
agent_ip principal.ip, principal.asset.ip Value is mapped from 'agent_ip' field
community additional.fields.value.string_value Value is mapped from 'community' field
descr metadata.description Value is mapped from 'descr' field
enterprise additional.fields.value.string_value Value is mapped from 'enterprise' field
eventDescription metadata.description Value is mapped from 'eventDescription' field after removing quotes
generic_num additional.fields.value.string_value Value is mapped from 'generic_num' field
prin_mac principal.mac Value is mapped from 'prin_mac' field after converting it to colon-separated MAC address format
prin_port principal.port Value is mapped from 'prin_port' field and converted to integer
specificTrap_name additional.fields.value.string_value Value is mapped from 'specificTrap_name' field
specificTrap_num additional.fields.value.string_value Value is mapped from 'specificTrap_num' field
uptime additional.fields.value.string_value Value is mapped from 'uptime' field
version metadata.product_version Value is mapped from 'version' field
extensions.auth.type Value is set to 'SSO'
metadata.event_type Value is determined based on various log fields and parser logic. See parser code for details
metadata.log_type Value is set to 'CLEARPASS'
metadata.product_name Value is set to 'ClearPass'
metadata.vendor_name Value is set to 'ArubaNetworks'

Changes

2024-09-12

Enhancement:

  • Added support to parse new format of SYSLOG and JSON logs.

2024-08-08

Enhancement:

  • Mapped Acct-NAS-IP-Address to principal.ip.
  • Mapped Acct-Username to principal.user.userid.
  • Mapped Acct-Calling-Station-Id to principal.user.product_object_id.

2024-05-05

Enhancement:

  • Handled unparsing SYSLOG format logs.
  • Mapped prin_port to principal.port.
  • Mapped agent_ip to principal.ip and principal.asset.ip.
  • Mapped descr and eventDescription to metadata.description.
  • Mapped version to metadata.product_version.
  • Mapped specificTrap_name, uptime, enterprise, generic_num, specificTrap_num, and community to additional.fields.

2024-01-11

Enhancement:

  • Mapped Common.NAS-IP-Address to target.ip.
  • Mapped Common.Service, Common.Enforcement-Profiles, and Common.Login-Status to security_result.detection_fields.

2022-08-18

Enhancement:

  • Handled the dropped logs which are in CEF format and unparsed logs to improve the parsing rate.
  • Mapped metadata.event_type to STATUS_UPDATE where principal.hostname/principal.ip is not null else mapped it as GENERIC_EVENT.

2022-07-08

Enhancement:

  • Modified mapping for _target_user_groupid from target.user.groupid to target.user.group_identifiers.
  • Modified mapping for Common.Roles from principal.user.groupid to principal.user.group_identifiers.

Need more help? Get answers from Community members and Google SecOps professionals.