AlienVault® USM Anywhere™

Aruba ClearPass (CEF)

When you configure Aruba ClearPass to send log data to USM Anywhere, you can use the Aruba ClearPass CEF plugin to translate the raw log data into normalized CEF-formatted events for analysis.

Device Details

Vendor: Aruba Networks
Device Type: Network Access Control
Connection Type: Syslog

Integrating Aruba ClearPass (CEF)

Before you configure the Aruba ClearPass integration to send CEF-formatted syslog data to USM Anywhere, you must have the IP Address of the USM Anywhere Sensor.

You configure Aruba ClearPass to send CEF-formatted syslog messages to USM Anywhere using the Aruba ClearPass Policy Manager.

There are four basic parts to Aruba ClearPass log configuration:

  • Adding USM Anywhere as a Syslog target
  • Service Log Configuration
  • System Level Configuration
  • Selecting the CEF Output Format

The following procedures detail the steps required to perform each part of the configuration.

Adding USM Anywhere as a Syslog target

To configure syslog options from the Aruba ClearPass Policy Manager interface and add a syslog target:

  1. Select Administration > External Servers > Syslog Targets. The following screen shows the Syslog Targets page:

    The Syslog Targets page provides the following options:

    • Add — opens the Add Syslog Target window
    • Import — opens the Import from file window where you can import the syslog target from a file
    • Export All — opens the Export to file window where you can export all the syslog target entries to a file
    • Export — opens the Export to file window where you can export individual syslog targets
    • Delete — deletes a syslog target server
  2. To add a syslog target, click the Add link in the top right section of the page.

    The Policy Manager UI displays the Add Syslog Target dialog box:

  3. Enter the details for a new syslog target:
    • Host Address — the USM Anywhere Sensor IP address
    • Description — a short description of the syslog server
    • Protocol — select either UDP or TCP
    • Server Port — the port number for sending the syslog message

      The default UDP port number is 514. The default TCP port number is 601.

  4. Click Save.

Service Log Configuration

To configure service-level log information, such as the verbosity level of collected log messages:

  1. Select Administration > Server Manager > Log configuration.
  2. From the Log Configuration page, select the Service Log Configuration tab.

  3. From the Select Server drop-down list, select the server you want to configure. All nodes in the cluster should appear in the drop-down list.
  4. Specify the service you want to configure from the Select Service drop-down list.
  5. Select the Module Log Level Settings check box to enable setting the log level individually for each module.
  6. From the Default Log Level drop-down list, specify the default logging level for all modules (listed in decreasing level of verbosity):

    • DEBUG
    • INFO
    • WARN
    • ERROR
    • FATAL

  7. Important: The Default Log Level drop-down list is available only if the Module Log Level Settings option is disabled. If this option is disabled, then all module level logs are set to the default log level. It is recommended that you set the default log level first, and then override the specific log level for any individual modules as necessary. For operation with USM Anywhere, the default log level is typically set to WARN, since it is usually safe to ignore DEBUG and INFO messages.

  8. Set the default log level first, and then specify the log level settings for any individual modules, as necessary, in the drop-down list for each module. Available options are the following:

    • DEBUG
    • INFO
    • WARN
    • ERROR
    • FATAL

    Note: For optimal performance, run Policy Manager with the log level set to ERROR or FATAL.

  9. Click Save to save changes. To restore the default settings, click Restore Defaults.

Aruba ClearPass System Level Configuration

To configure system-level log information, such as the port, the IP address of the syslog server, and the number of rotating log files to keep:

  1. Select Administration > Server Manager > Log configuration.
  2. From the Log Configuration page, select the System Level tab.

  3. From the Select Server drop-down list, specify the server you want to configure.
  4. Specify the Number of log files of a specific module to keep at any given time.
  5. From the Limit each log file size to drop-down list, specify the maximum size (in MB) that a log file can reach before event logging rolls over to the next file. The default value is 50 MB.

    Note: When a log file reaches the specified size limit, the Policy Manager rolls logging over to another file until the specified maximum number of log files is reached. Once the number of log files exceeds the specified value, Policy Manager overwrites the oldest file in its rotation.

  6. Specify the name of the syslog server (which, in this case, is the USM Anywhere Sensor IP Address).
  7. Specify the syslog server port number.

    The default UDP port number is 514. The default TCP port number is 601.

  8. Choose whether to override the syslog filter level for any specific service.
    • To allow override of the syslog filter level for a specific service, select the Enable Syslog check box next to the service name.
    • If desired, change the Syslog Filter Level. The current Syslog Server Filter level is based on the default log level specified on the Service Log Configuration tab.
  9. Click Save to save your changes. To restore the default setting, click Restore Defaults.

CEF Output Format

Support for two new syslog event formats, CEF (Common Event Format) and LEEF (Log Event Extended Format), was added in Release 6.5 of Aruba ClearPass. You can select the event format from the Syslog Export Filters page.

Plugin Enablement

The Aruba ClearPass (CEF) plugin will automatically process all messages when the raw message contains "|Aruba Networks|ClearPass|".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • destination_mac
  • destination_username
  • device_event_category
  • device_process_name
  • event_description
  • event_name
  • event_outcome
  • event_receipt_time
  • event_severity
  • rep_device_address
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_address

Additional Resources and Troubleshooting

http://community.arubanetworks.com/aruba/attachments/aruba/SoftwareUserReferenceGuides/52/1/ClearPass%20Policy%20Manager%206.5%20User%20Guide.pdf

For troubleshooting, see the vendor documentation.