Collect Aruba Wireless Controller and Access Point logs

Supported in:

This document explains how to collect Aruba Wireless Controller and Access Point logs by using Bindplane. The parser processes SYSLOG messages, extracting fields related to observer, intermediary, and access point details. It then maps these fields to the Unified Data Model (UDM), enriching the event data with security result severity and handling various error conditions during the process.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to an Aruba Wireless Controller.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        udplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:514"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: ARUBA_WIRELESS
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - udplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure Aruba Wireless Controller and Access Point

  1. Sign in to the Aruba controller web UI.
  2. Go to the top menu and select Configuration > System.
  3. Select Logging to open the logging configuration page.
  4. In the Syslog servers section, click + Add to add a new syslog server.
  5. A new form will appear where you need to enter the following details:
    • Name: enter a unique name for the syslog server; for example, Google SecOps Syslog.
    • IP Address: enter the Bindplane IP address.
    • Port: enter the Bindplane port number (typically 514 for UDP).
    • Logging Facility: select local 6 from the menu (this is commonly used for network devices).
    • Logging Level: select Informational to capture information logs.
    • Format: select bsd-standard format (this is the default syslog format used by Aruba controllers).
  6. Click Submit to save your settings.
  7. Click Pending Changes.
  8. Click Deploy Changes to apply the new syslog server configuration.

  9. Go to the Logging Level settings and set the Logging Level to Informational for each of the following categories:

    • Network
    • All
    • Cluster
    • DHCP
    • GP
    • Mobility
    • Packet-Dump
    • SDN

UDM Mapping Table

Log Field UDM Mapping Logic
Additional Info read_only_udm.security_result.description The value of Additional Info from the raw log is mapped to the UDM field security_result.description.
AP read_only_udm.target.hostname When present in the raw log, the value after AP: is extracted and mapped to the UDM field target.hostname.
BSSID read_only_udm.target.mac, read_only_udm.principal.resource.name (when resource type is BSSID) The BSSID value from the raw log is mapped to target.mac. It's also used as the resource name when the principal.resource.type is BSSID.
COMMAND read_only_udm.principal.process.command_line The command value from the raw log is mapped to the UDM field principal.process.command_line.
Dst-MAC read_only_udm.target.mac When present, the Dst-MAC value from the raw log is mapped to the UDM field target.mac.
SERVER read_only_udm.target.hostname When present, the server name from the raw log is mapped to the UDM field target.hostname.
SERVER-IP read_only_udm.target.ip When present, the server IP from the raw log is mapped to the UDM field target.ip.
Src-MAC read_only_udm.principal.mac When present, the Src-MAC value from the raw log is mapped to the UDM field principal.mac.
SSID read_only_udm.target.resource.name (when resource type is SSID) The SSID value from the raw log is used as the resource name when the target.resource.type is SSID.
USER read_only_udm.target.user.userid When present, the user ID from the raw log is mapped to the UDM field target.user.userid.
USERIP read_only_udm.principal.ip, read_only_udm.observer.ip When present, the user IP from the raw log is mapped to the UDM field principal.ip and observer.ip.
USERMAC read_only_udm.principal.mac When present, the user MAC from the raw log is mapped to the UDM field principal.mac.
USERNAME read_only_udm.principal.user.userid When present, the username from the raw log is mapped to the UDM field principal.user.userid.
action read_only_udm.security_result.action The action value from the raw log (e.g., permit, deny) is mapped to the UDM field security_result.action.
apname read_only_udm.target.hostname When present, the AP name from the raw log is mapped to the UDM field target.hostname.
bssid read_only_udm.target.mac When present, the BSSID value from the raw log is mapped to the UDM field target.mac.
collection_time.seconds read_only_udm.metadata.event_timestamp.seconds The seconds value of the collection time from the raw log is mapped to the UDM field metadata.event_timestamp.seconds.
device_ip read_only_udm.intermediary.ip The device IP from the raw log or from logstash is mapped to the UDM field intermediary.ip.
dstip read_only_udm.target.ip When present, the destination IP from the raw log is mapped to the UDM field target.ip.
dstport read_only_udm.target.port When present, the destination port from the raw log is mapped to the UDM field target.port.
event_id read_only_udm.metadata.product_event_type The event ID from the raw log is used to construct the metadata.product_event_type field in the UDM, prefixed with Event ID:.
event_message read_only_udm.security_result.summary The event message from the raw log is mapped to the UDM field security_result.summary.
log.source.address read_only_udm.observer.ip The log source address is mapped to the UDM field observer.ip.
log_type read_only_udm.metadata.log_type The log type from the raw log is mapped to the UDM field metadata.log_type.
logstash.collect.host read_only_udm.observer.ip or read_only_udm.observer.hostname The logstash collect host is mapped to either observer.ip if it's an IP address, or observer.hostname if it's a hostname.
logstash.ingest.host read_only_udm.intermediary.hostname The logstash ingest host is mapped to the UDM field intermediary.hostname.
logstash.process.host read_only_udm.intermediary.hostname The logstash process host is mapped to the UDM field intermediary.hostname.
program read_only_udm.target.application The program name from the raw log is mapped to the UDM field target.application.
serverip read_only_udm.target.ip When present, the server IP from the raw log is mapped to the UDM field target.ip.
servername read_only_udm.target.hostname When present, the server name from the raw log is mapped to the UDM field target.hostname.
srcip read_only_udm.principal.ip When present, the source IP from the raw log is mapped to the UDM field principal.ip.
srcport read_only_udm.principal.port When present, the source port from the raw log is mapped to the UDM field principal.port.
syslog_host read_only_udm.intermediary.hostname The syslog host from the raw log is mapped to the UDM field intermediary.hostname.
timestamp read_only_udm.metadata.event_timestamp The timestamp from the raw log is parsed and mapped to the UDM field metadata.event_timestamp.
userip read_only_udm.principal.ip, read_only_udm.observer.ip When present, the user IP from the raw log is mapped to the UDM field principal.ip and observer.ip.
usermac read_only_udm.principal.mac When present, the user MAC from the raw log is mapped to the UDM field principal.mac.
username read_only_udm.principal.user.userid When present, the username from the raw log is mapped to the UDM field principal.user.userid. Derived from the event_id and logic within the parser. Determined by the parser based on the event ID and log message content. Hardcoded to Wireless. Hardcoded to Aruba. Determined by the parser based on the event ID and log message content. Determined by the parser based on the event ID and log message content. Extracted from the raw log message using regex. Determined by the parser based on the event ID and log message content. An empty object is added when the event_type is USER_LOGIN or a related authentication event. Determined by the parser based on the network protocol used in the event (e.g., TCP, UDP, ICMP, IGMP). Contains additional fields extracted from the raw log based on specific conditions. For example, the ap_name is added as a key-value pair when present. Set to BSSID when a BSSID is present in the principal's context. Set to SSID when an SSID is present in the target's context. Contains key-value pairs of relevant detection information extracted from the raw log, such as BSSID or SSID.

Changes

2024-12-27

Enhancement:

  • Added a Grok pattern to support new pattern of syslog logs.

2024-09-04

Enhancement:

  • Added support for a new pattern of SYSLOG logs.

2024-08-26

Enhancement:

  • Added support to handle unparsed SYSLOG logs.
  • Mapped details to metadata.description.

2024-06-18

Enhancement:

  • Added support to handle unparsed SYSLOG logs.

2024-04-18

Enhancement:

  • Added a Grok pattern to extract valid value from ap_name.
  • Mapped ap_name to additional.fields.

2023-05-25

Bug fix:

  • Parsed logs failing due to a different log pattern.

2022-09-15

Bug fix:

  • Modified grok pattern to parse logs which may have date field in the timestamp of log and also certain logs may not have key userip in the log.
  • Modified metadata.event_type from GENERIC_EVENT to STATUS_UPDATE wherever possible.

2022-08-23

Enhancement:

  • Migrated customer specific parser to default parser.
  • Modified mapping for 'metadata.event_type' from 'GENERIC_EVENT' to 'USER_RESOURCE_ACCESS' where event_id is '132053'.

2022-03-30

Enhancement:

  • Added following new Event Ids 124003, 126037, 126038, 199801, 235008, 235009, 304119, 306602, 326091, 326098, 326271, 326272, 326273, 326274, 326275, 326276, 326277, 326278, 326284, 341004, 350008, 351008, 358000, 393000, 399815, 520013, 522274, 541004
  • Changed metadata.event_type where the Event Id is 126034, 126064, 127064, 132006, 132030, 132093, 132094, 132197 from GENERIC_EVENT to SCAN_UNCATEGORIZED
  • Changed metadata.event_type where the Event Id is 132207 from GENERIC_EVENT to NETWORK_CONNECTION
  • Changed metadata.event_type where the Event Id is 520002 from GENERIC_EVENT to USER_UNCATEGORIZED
  • Mapped intermediary.hostname, intermediary.mac, intermediary.ip, target.application, target.process.pid
  • Mapped logstash.irm_site, logstash.irm_environment, logstash.irm_region to additional.fields

Need more help? Get answers from Community members and Google SecOps professionals.