Collect Aruba ClearPass logs

This document explains how to collect Aruba ClearPass logs by using Bindplane. The parser attempts to cleanse and structure the incoming logs by removing extraneous fields and standardizing the message format. Then, depending on whether the log follows the CEF format or a different structure, the code uses a combination of grok patterns, key-value extractions, and conditional logic to map relevant fields to the unified data model (UDM), ultimately categorizing each event into a specific security event type.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to an Aruba ClearPass.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

1. Open the Command Prompt or PowerShell as an administrator.

2. Run the following command:

   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
   

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
   

Additional installation resources

• For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   2. Open the file using a text editor (for example, nano, vi, or Notepad).

2. Edit the config.yaml file as follows:

   receivers:
       udplog:
           # Replace the port and IP address as required
           listen_address: "0.0.0.0:514"
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the path to the credentials file you downloaded in Step 1
           creds: '/path/to/ingestion-authentication-file.json'
           # Replace with your actual customer ID from Step 2
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # Add optional ingestion labels for better organization
           ingestion_labels:
               log_type: CLEARPASS
               raw_log_field: body
   
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - udplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Replace the port and IP address as required in your infrastructure.

4. Replace <customer_id> with the actual customer ID.

5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

• To restart the Bindplane agent in Linux, run the following command:

  sudo systemctl restart bindplane-agent
  

• To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

  net stop BindPlaneAgent && net start BindPlaneAgent
  

Configure Aruba ClearPass syslog server

1. Sign in to the ClearPass Policy Manager console.
2. Select Administration > External servers > Syslog targets.
3. Click Add.
4. In the Add syslog target window that appears, specify the following details:
   • Host address: enter the Bindplane IP address.
   • Server port: enter the Bindplane port number.
   • Protocol: select UDP (you can also select TCP, depending on your Bindplane configuration).
5. Click Save.

Configure syslog export filters

1. Go to Administration > External servers > Syslog export filters.
2. Click Add.
3. In the Add Syslog Filters window that appears, specify the following in the General tab:
   • Name: enter the syslog export filter name based on the table in Export template items.
   • Export template: select the appropriate export template based on the table in Export template items.
   • Export event format type: select Standard.
   • Syslog servers: select the Bindplane IP address.
4. In the Export template list, when you select the Session or Insight export templates, the Filter and columns tab is enabled. Complete the following steps:
   • Click the Filter and columns tab.
   • Data filter: make sure the default value All requests is selected.
   • Column selection: select the predefined field group based on the table in Export template items.
   • Selected columns: verify that the automatically populated fields match the table in Export template items.
   • Click the Summary tab.
   • Click Save.
5. In the Export template list, when you select the System events and Audit records export templates, the Filter and columns tab is not enabled. Proceed to the Summary tab and click Save.
6. Repeat steps to add syslog export filters for all Session, Insight, Audit records and System events export templates based on the details from the table in Summary of export template items.

Export template items

The following table describes the items that you need to configure for each export template. The default fields that are listed in Selected Columns are supported for event parsing. Ensure all fields that are mentioned in the table under Selected columns (default) are present and in the same order. Make sure to create syslog export filter templates exactly as provided in table, including the case-sensitive name of the filter.

Syslog export filter name (case sensitive)	Export template	Predefined field groups	Selected columns (default)
ACPPM_radauth	Insight Logs	Radius Authentications	Auth.Username Auth.Host-MAC-Address Auth.Protocol Auth.NAS-IP-Address CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles
ACPPM_radfailedauth	Insight Logs	Radius Failed Authentications	Auth.Username Auth.Host-MAC-Address Auth.NAS-IP-Address CppmNode.CPPM-Node Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts
ACPPM_radacct	Insight Logs	RADIUS Accounting	Radius.Username Radius.Calling-Station-Id Radius.Framed-IP-Address Radius.NAS-IP-Address Radius.Start-Time Radius.End-Time Radius.Duration Radius.Input-bytes Radius.Output-bytes
ACPPM_tacauth	Insight Logs	tacacs Authentication	tacacs.Username tacacs.Remote-Address tacacs.Request-Type tacacs.NAS-IP-Address tacacs.Service tacacs.Auth-Source tacacs.Roles tacacs.Enforcement-Profiles tacacs.Privilege-Level
ACPPM_tacfailedauth	Insight Logs	tacacs Failed Authentication	tacacs.Username tacacs.Remote-Address tacacs.Request-Type tacacs.NAS-IP-Address tacacs.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts
ACPPM_webauth	Insight Logs	WEBAUTH	Auth.Username Auth.Host-MAC-Address Auth.Host-IP-Address Auth.Protocol Auth.System-Posture-Token CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles
ACPPM_webfailedauth	Insight Logs	WEBAUTH Failed Authentications	Auth.Username Auth.Host-MAC-Address Auth.Host-IP-Address Auth.Protocol Auth.System-Posture-Token CppmNode.CPPM-Node Auth.Login-Status Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts
ACPPM_appauth	Insight Logs	Application Authentication	Auth.Username Auth.Host-IP-Address Auth.Protocol CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles
ACPPM_failedappauth	Insight Logs	Failed Application Authentication	Auth.Username Auth.Host-IP-Address Auth.Protocol CppmNode.CPPM-Node Auth.Login-Status Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts
ACPPM_endpoints	Insight Logs	Endpoints	Endpoint.MAC-Address Endpoint.MAC-Vendor Endpoint.IP-Address Endpoint.Username Endpoint.Device-Category Endpoint.Device-Family Endpoint.Device-Name Endpoint.Conflict Endpoint.Status Endpoint.Added-At Endpoint.Updated-At
ACPPM_cpguest	Insight Logs	Clearpass Guest	Guest.Username Guest.MAC-Address Guest.Visitor-Name Guest.Visitor-Company Guest.Role-Name Guest.Enabled Guest.Created-At Guest.Starts-At Guest.Expires-At
ACPPM_onbenroll	Insight Logs	Onboard Enrollment	OnboardEnrollment.Username OnboardEnrollment.Device-Name OnboardEnrollment.MAC-Address OnboardEnrollment.Device-Product OnboardEnrollment.Device-Version OnboardEnrollment.Added-At OnboardEnrollment.Updated-At
ACPPM_onbcert	Insight Logs	Onboard Certificate	OnboardCert.Username OnboardCert.Mac-Address OnboardCert.Subject OnboardCert.Issuer OnboardCert.Valid-From OnboardCert.Valid-To OnboardCert.Revoked-At
ACPPM_onboscp	Insight Logs	Onboard OCSP	OnboardOCSP.Remote-Address OnboardOCSP.Response-Status-Name OnboardOCSP.Timestamp
ACPPM_cpsysevent	Insight Logs	Clearpass System Events	CppmNode.CPPM-Node CppmSystemEvent.Source CppmSystemEvent.Level CppmSystemEvent.Category CppmSystemEvent.Action CppmSystemEvent.Timestamp
ACPPM_cpconfaudit	Insight Logs	Clearpass Configuration Audit	CppmConfigAudit.Name CppmConfigAudit.Action CppmConfigAudit.Category CppmConfigAudit.Updated-By CppmConfigAudit.Updated-At
ACPPM_possummary	Insight Logs	Posture Summary	Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Posture-Healthy Endpoint.Posture-Unhealthy
ACPPM_posfwsummary	Insight Logs	Posture Firewall Summary	Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Firewall-APT Endpoint.Firewall-Input Endpoint.Firewall-Output
ACPPM_poavsummary	Insight Logs	Posture Antivirus Summary	Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Antivirus-APT Endpoint.Antivirus-Input Endpoint.Antivirus-Output
ACPPM_posassummary	Insight Logs	Posture Antispyware Summary	Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Antispyware-APT Endpoint.Antispyware-Input Endpoint.Antispyware-Output
ACPPM_posdskencrpsummary	Insight Logs	Posture DiskEncryption Summary	Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.DiskEncryption-APT Endpoint.DiskEncryption-Input Endpoint.DiskEncryption-Output
ACPPM_loggedusers	Session Logs	Logged in Users	Common.Username Common.Service Common.Roles Common.Host-MAC-Address RADIUS.Acct-Framed-IP-Address Common.NAS-IP-Address Common.Request-Timestamp
ACPPM_failedauth	Session Logs	Failed Authentications	Common.Username Common.Service Common.Roles RADIUS.Auth-Source RADIUS.Auth-Method Common.System-Posture-Token Common.Enforcement-Profiles Common.Host-MAC-Address Common.NAS-IP-Address Common.Error-Code Common.Alerts Common.Request-Timestamp
ACPPM_radacctsession	Session Logs	RADIUS Accounting	RADIUS.Acct-Username RADIUS.Acct-NAS-IP-Address RADIUS.Acct-NAS-Port RADIUS.Acct-NAS-Port-Type RADIUS.Acct-Calling-Station-Id RADIUS.Acct-Framed-IP-Address RADIUS.Acct-Session-Id RADIUS.Acct-Session-Time RADIUS.Acct-Output-Pkts RADIUS.Acct-Input-Pkts RADIUS.Acct-Output-Octets RADIUS.Acct-Input.Octets RADIUS.Acct-Service-Name RADIUS.Acct-Timestamp
ACPPM_tacadmin	Session Logs	tacacs+ Administration	Common.Username Common.Service tacacs.Remote-Address tacacs.Privilege.Level Common.Request-Timestamp
ACPPM_tacacct	Session Logs	tacacs+ Accounting	Common.Username Common.Service tacacs.Remote-Address tacacs.Acct-Flags tacacs.Privilege.Level Common.Request-Timestamp
ACPPM_webauthsession	Session Logs	Web Authentication	Common.Username Common.Host-MAC-Address WEBAUTH.Host-IP-Address Common.Roles Common.System-Posture-Token Common.Enforcement-Profiles Common.Request-Timestamp
ACPPM_guestacc	Session Logs	Guest Access	Common.Username RADIUS.Auth-Method Common.Host-MAC-Address Common.Roles Common.System-Posture-Token Common.Enforcement-Profiles Common.Request-Timestamp
ACPPM_auditrecords	Audit Records	Not Applicable	Not Applicable
ACPPM_systemevents	System Events	Not Applicable	Not Applicable

UDM Mapping Table

Log field	UDM mapping	Logic
Action	security_result.action	Value is mapped from 'Action' field if its value is 'ALLOW' or 'BLOCK'
Auth.Enforcement-Profiles	security_result.detection_fields.value	Value is mapped from 'Auth.Enforcement-Profiles' field
Auth.Host-MAC-Address	principal.mac	Value is mapped from 'Auth.Host-MAC-Address' field after converting it to colon-separated MAC address format
Auth.Login-Status	security_result.detection_fields.value	Value is mapped from 'Auth.Login-Status' field
Auth.NAS-IP-Address	target.ip	Value is mapped from 'Auth.NAS-IP-Address' field
Auth.Protocol	intermediary.application	Value is mapped from 'Auth.Protocol' field
Auth.Service	security_result.detection_fields.value	Value is mapped from 'Auth.Service' field
Auth.Source	principal.hostname	Value is mapped from 'Auth.Source' field after removing any leading alphanumeric characters and spaces
Auth.Username	principal.user.user_display_name	Value is mapped from 'Auth.Username' field
Category	metadata.event_type	If value is 'Logged in', UDM field is set to 'USER_LOGIN'. If value is 'Logged out', UDM field is set to 'USER_LOGOUT'
Common.Alerts	security_result.description	Value is mapped from 'Common.Alerts' field
Common.Enforcement-Profiles	security_result.detection_fields.value	Value is mapped from 'Common.Enforcement-Profiles' field
Common.Login-Status	security_result.detection_fields.value	Value is mapped from 'Common.Login-Status' field
Common.NAS-IP-Address	target.ip	Value is mapped from 'Common.NAS-IP-Address' field
Common.Roles	principal.user.group_identifiers	Value is mapped from 'Common.Roles' field
Common.Service	security_result.detection_fields.value	Value is mapped from 'Common.Service' field
Common.Username	principal.user.userid	Value is mapped from 'Common.Username' field
Component	intermediary.application	Value is mapped from 'Component' field
Description	metadata.description	Value is mapped from 'Description' field after replacing newline characters with pipe symbol. If 'Description' field contains 'User', 'Address', and 'Role', then it is parsed as key-value pairs and mapped to corresponding UDM fields. If 'Description' field contains 'Unable connection with', then the target hostname is extracted and mapped to 'target.hostname'
EntityName	principal.hostname	Value is mapped from 'EntityName' field
InterIP	target.ip	Value is mapped from 'InterIP' field
Level	security_result.severity	If value is 'ERROR' or 'FATAL', UDM field is set to 'HIGH'. If value is 'WARN', UDM field is set to 'MEDIUM'. If value is 'INFO' or 'DEBUG', UDM field is set to 'LOW'
LogNumber	metadata.product_log_id	Value is mapped from 'LogNumber' field
RADIUS.Acct-Framed-IP-Address	principal.ip	Value is mapped from 'RADIUS.Acct-Framed-IP-Address' field
Timestamp	metadata.event_timestamp	Value is mapped from 'Timestamp' field after converting it to UTC and parsing it as a timestamp
User	principal.user.userid	Value is mapped from 'User' field
agent_ip	principal.ip, principal.asset.ip	Value is mapped from 'agent_ip' field
community	additional.fields.value.string_value	Value is mapped from 'community' field
descr	metadata.description	Value is mapped from 'descr' field
enterprise	additional.fields.value.string_value	Value is mapped from 'enterprise' field
eventDescription	metadata.description	Value is mapped from 'eventDescription' field after removing quotes
generic_num	additional.fields.value.string_value	Value is mapped from 'generic_num' field
prin_mac	principal.mac	Value is mapped from 'prin_mac' field after converting it to colon-separated MAC address format
prin_port	principal.port	Value is mapped from 'prin_port' field and converted to integer
specificTrap_name	additional.fields.value.string_value	Value is mapped from 'specificTrap_name' field
specificTrap_num	additional.fields.value.string_value	Value is mapped from 'specificTrap_num' field
uptime	additional.fields.value.string_value	Value is mapped from 'uptime' field
version	metadata.product_version	Value is mapped from 'version' field
	extensions.auth.type	Value is set to 'SSO'
	metadata.event_type	Value is determined based on various log fields and parser logic. See parser code for details
	metadata.log_type	Value is set to 'CLEARPASS'
	metadata.product_name	Value is set to 'ClearPass'
	metadata.vendor_name	Value is set to 'ArubaNetworks'

Changes

2024-09-12

Enhancement:

• Added support to parse new format of SYSLOG and JSON logs.

2024-08-08

Enhancement:

• Mapped Acct-NAS-IP-Address to principal.ip.
• Mapped Acct-Username to principal.user.userid.
• Mapped Acct-Calling-Station-Id to principal.user.product_object_id.

2024-05-05

Enhancement:

• Handled unparsing SYSLOG format logs.
• Mapped prin_port to principal.port.
• Mapped agent_ip to principal.ip and principal.asset.ip.
• Mapped descr and eventDescription to metadata.description.
• Mapped version to metadata.product_version.
• Mapped specificTrap_name, uptime, enterprise, generic_num, specificTrap_num, and community to additional.fields.

2024-01-11

Enhancement:

• Mapped Common.NAS-IP-Address to target.ip.
• Mapped Common.Service, Common.Enforcement-Profiles, and Common.Login-Status to security_result.detection_fields.

2022-08-18

Enhancement:

• Handled the dropped logs which are in CEF format and unparsed logs to improve the parsing rate.
• Mapped metadata.event_type to STATUS_UPDATE where principal.hostname/principal.ip is not null else mapped it as GENERIC_EVENT.

2022-07-08

Enhancement:

• Modified mapping for _target_user_groupid from target.user.groupid to target.user.group_identifiers.
• Modified mapping for Common.Roles from principal.user.groupid to principal.user.group_identifiers.

Need more help? Get answers from Community members and Google SecOps professionals.