Configuring Aruba ClearPass Policy Manager to communicate with QRadar
To collect syslog events from Aruba ClearPass Policy Manager, you must add an external syslog server for the IBM® QRadar® host, then create one or more syslog filters for your syslog server.
About this task
The following table shows the field categories and their default fields that you can use:
| Export template | Predefined field groups | Default-selected columns |
|---|---|---|
| Insight Logs | Radius Authentications |
Auth.Username Auth.Host-MAC-Address Auth.Protocol Auth.NAS-IP-Address CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles |
| Insight Logs | Radius Failed Authentications |
Auth.Username Auth.Host-MAC-Address Auth.NAS-IP-Address CppmNode.CPPM-Node Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
| Insight Logs | RADIUS Accounting |
Radius.Username Radius.Calling-Station-Id Radius.Framed-IP-Address Radius.NAS-IP-Address Radius.Start-Time Radius.End-Time Radius.Duration Radius.Input-bytes Radius.Output-bytes |
| Insight Logs | tacacs Authentication |
tacacs.Username tacacs.Remote-Address tacacs.Request-Type tacacs.NAS-IP-Address tacacs.Service tacacs.Auth-Source tacacs.Roles tacacs.Enforcement-Profiles tacacs.Privilege-Level |
| Insight Logs | tacacs Failed Authentication |
tacacs.Username tacacs.Remote-Address tacacs.Request-Type tacacs.NAS-IP-Address tacacs.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
| Insight Logs | WEBAUTH |
Auth.Username Auth.Host-MAC-Address Auth.Host-IP-Address Auth.Protocol Auth.System-Posture-Token CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles |
| Insight Logs | WEBAUTH Failed Authentications |
Auth.Username Auth.Host-MAC-Address Auth.Host-IP-Address Auth.Protocol Auth.System-Posture-Token CppmNode.CPPM-Node Auth.Login-Status Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
| Insight Logs | Application Authentication |
Auth.Username Auth.Host-IP-Address Auth.Protocol CppmNode.CPPM-Node Auth.Login-Status Auth.Service Auth.Source Auth.Roles Auth.Enforcement-Profiles |
| Insight Logs | Failed Application Authentication |
Auth.Username Auth.Host-IP-Address Auth.Protocol CppmNode.CPPM-Node Auth.Login-Status Auth.Service CppmErrorCode.Error-Code-Details CppmAlert.Alerts |
| Insight Logs | Endpoints |
Endpoint.MAC-Address Endpoint.MAC-Vendor Endpoint.IP-Address Endpoint.Username Endpoint.Device-Category Endpoint.Device-Family Endpoint.Device-Name Endpoint.Conflict Endpoint.Status Endpoint.Added-At Endpoint.Updated-At |
| Insight Logs | Clearpass Guest |
Guest.Username Guest.MAC-Address Guest.Visitor-Name Guest.Visitor-Company Guest.Role-Name Guest.Enabled Guest.Created-At Guest.Starts-At Guest.Expires-At |
| Insight Logs | Onboard Enrollment |
OnboardEnrollment.Username OnboardEnrollment.Device-Name OnboardEnrollment.MAC-Address OnboardEnrollment.Device-Product OnboardEnrollment.Device-Version OnboardEnrollment.Added-At OnboardEnrollment.Updated-At |
| Insight Logs | Onboard Certificate |
OnboardCert.Username OnboardCert.Mac-Address OnboardCert.Subject OnboardCert.Issuer OnboardCert.Valid-From OnboardCert.Valid-To OnboardCert.Revoked-At |
| Insight Logs | Onboard OCSP |
OnboardOCSP.Remote-Address OnboardOCSP.Response-Status-Name OnboardOCSP.Timestamp |
| Insight Logs | Clearpass System Events |
CppmNode.CPPM-Node CppmSystemEvent.Source CppmSystemEvent.Level CppmSystemEvent.Category CppmSystemEvent.Action CppmSystemEvent.Timestamp |
| Insight Logs | Clearpass Configuration Audit |
CppmConfigAudit.Name CppmConfigAudit.Action CppmConfigAudit.Category CppmConfigAudit.Updated-By CppmConfigAudit.Updated-At |
| Insight Logs | Posture Summary |
Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Posture-Healthy Endpoint.Posture-Unhealthy |
| Insight Logs | Posture Firewall Summary |
Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Firewall-APT Endpoint.Firewall-Input Endpoint.Firewall-Output |
| Insight Logs | Posture Antivirus Summary |
Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Antivirus-APT Endpoint.Antivirus-Input Endpoint. Antivirus-Output |
| Insight Logs | Posture Antispyware Summary |
Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.Antispyware-APT Endpoint.Antispyware-Input Endpoint.Antispyware-Output |
| Insight Logs | Posture DiskEncryption Summary |
Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.DiskEncryption-APT Endpoint.DiskEncryption-Input Endpoint.DiskEncryption-Output |
| Insight Logs | Posture Windows Hotfixes Summary |
Endpoint.MAC-Address Endpoint.IP-Address Endpoint.Hostname Endpoint.Usermame Endpoint.System-Agent-Type Endpoint.System-Agent-Version Endpoint.System-Client-OS Endpoint.System-Posture-Token Endpoint.HotFixes-APT Endpoint.HotFixes-Input Endpoint.HotFixes-Output |
| Session Logs | Logged in Users |
Common.Username Common.Service Common.Roles Common.Host-MAC-Address RADIUS.Acct-Framed-IP-Address Common.NAS-IP-Address Common.Request-Timestamp |
| Session Logs | Failed Authentications |
Common.Username Common.Service Common.Roles RADIUS.Auth-Source RADIUS.Auth-Method Common.System-Posture-Token Common.Enforcement-Profiles Common.Host-MAC-Address Common.NAS-IP-Address Common.Error-Code Common.Alerts Common.Request-Timestamp |
| Session Logs | RADIUS Accounting |
RADIUS.Acct-Username RADIUS.Acct-NAS-IP-Address RADIUS.Acct-NAS-Port RADIUS.Acct-NAS-Port-Type RADIUS.Acct-Calling-Station-Id RADIUS.Acct-Framed-IP-Address RADIUS.Acct-Session-Id RADIUS.Acct-Session-Time RADIUS.Acct-Output-Pkts RADIUS.Acct-Input-Pkts RADIUS.Acct-Output-Octets RADIUS.Acct-Input.Octets RADIUS.Acct-Service-Name RADIUS.Acct-Timestamp |
| Session Logs | tacacs+ Administration |
Common.Username Common.Service tacacs.Remote-Address tacacs.Privilege.Level Common.Request-Timestamp |
| Session Logs | tacacs+ Accounting |
Common.Username Common.Service tacacs.Remote-Address tacacs.Acct-Flags tacacs.Privilege.Level Common.Request-Timestamp |
| Session Logs | Web Authentication |
Common.Username Common.Host-MAC-Address WEBAUTH.Host-IP-Address Common.Roles Common.System-Posture-Token Common.Enforcement-Profiles Common.Request-Timestamp |
| Session Logs | Guest Access |
Common.Username RADIUS.Auth-Method Common.Host-MAC-Address Common.Roles Common.System-Posture-Token Common.Enforcement-Profiles Common.Request-Timestamp |
| Session Logs | Network Access |
Common.Username Common.Service Common.Roles Common.NAS-IP-Address Common.Request-Timestamp |
Procedure
- Log in to your Aruba ClearPass Policy Manager server.
- Start the Administration Console.
- Click .
- Click Add, and then configure the details for the QRadar host.
- On the Administration Console, click
- Click Add.
- Select LEEF for the Export Event Format Type, and then select the Syslog Server that you added.
- Click Save.