Aruba ClearPass Policy Manager sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Aruba ClearPass Policy Manager sample message when you use the syslog protocol

The following sample event message shows that a user with the username "user2" from IP address 10.1.1.5 is logged in to IP address 10.1.1.4 by using TACACS authentication.

<143>Sep 05 2018 09:10:03.062 CDT aruba.clearpass.test LEEF:1.0|Aruba Networks|ClearPass|6.6.10.106403|3006|messageId=00000001-1-0	Tacacs.Username=user2	Tacacs.Remote-Address=10.1.1.3	Tacacs.Request-Type=TACACS_AUTHORIZATION	Tacacs.NAS-IP-Address=10.1.1.4	Tacacs.Service=Tacacs Service Name	Tacacs.Auth-Source=Tacacs Auth Source Name	Tacacs.Roles= [User Authenticated]|Role Name	Tacacs.Enforcement-Profiles=Enforcement Profile Name	Tacacs.Privilege-Level=1	src=10.1.1.5	devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z	cat=Insight Logs
Table 1. Highlighted fields
QRadar field name      | Highlighted payload field name
Username               | Tacacs.Username
Destination IP Address | Tacacs.NAS-IP-Address
Source IP Address      | src
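
To check a pasted copy of the sample before sending it to QRadar, the following added example (not IBM or Aruba code) parses the LEEF 1.0 line and extracts the three fields from Table 1. The function names parse_leef and highlighted_fields are hypothetical, and SAMPLE is the message above with its tab delimiters written as \t.

```python
import re

# Sample event from this page; attribute delimiters are tabs (\t).
SAMPLE = (
    "<143>Sep 05 2018 09:10:03.062 CDT aruba.clearpass.test "
    "LEEF:1.0|Aruba Networks|ClearPass|6.6.10.106403|3006|"
    "messageId=00000001-1-0\tTacacs.Username=user2\t"
    "Tacacs.Remote-Address=10.1.1.3\tTacacs.Request-Type=TACACS_AUTHORIZATION\t"
    "Tacacs.NAS-IP-Address=10.1.1.4\tTacacs.Service=Tacacs Service Name\t"
    "Tacacs.Auth-Source=Tacacs Auth Source Name\t"
    "Tacacs.Roles= [User Authenticated]|Role Name\t"
    "Tacacs.Enforcement-Profiles=Enforcement Profile Name\t"
    "Tacacs.Privilege-Level=1\tsrc=10.1.1.5\t"
    "devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z\tcat=Insight Logs"
)

# Mapping from Table 1 (QRadar field name -> payload field name).
HIGHLIGHTED = {
    "Username": "Tacacs.Username",
    "Destination IP Address": "Tacacs.NAS-IP-Address",
    "Source IP Address": "src",
}

def parse_leef(line):
    """Split a syslog-wrapped LEEF 1.0 line into (header, attributes)."""
    # Pasted samples pick up line breaks; drop CR/LF as the page instructs.
    line = line.replace("\r", "").replace("\n", "")
    m = re.search(r"LEEF:1\.0\|", line)
    if not m:
        raise ValueError("no LEEF:1.0 header found")
    # Split on the five header pipes only: attribute values such as
    # Tacacs.Roles can themselves contain '|'.
    parts = line[m.start():].split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    _, vendor, product, version, event_id, body = parts
    attrs = {}
    for pair in body.split("\t"):  # LEEF 1.0 attributes are tab-delimited
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value
    header = {"vendor": vendor, "product": product,
              "version": version, "event_id": event_id}
    return header, attrs

def highlighted_fields(line):
    """Return the Table 1 fields; a KeyError means the paste lost a tab."""
    _, attrs = parse_leef(line)
    return {qradar: attrs[payload] for qradar, payload in HIGHLIGHTED.items()}
```

If the text editor converted the tabs to spaces, highlighted_fields raises KeyError because the attributes no longer split apart; restore the tabs before using the sample.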