Documentation Center
AlienVault® USM Anywhere™

Aruba ClearPass

When you configure Aruba ClearPass to send log data to USM Anywhere, you can use the Aruba ClearPass plugin to translate the raw log data into normalized events for analysis.

Device Details

  Vendor: Aruba
  Device Type: Network Access Control
  Connection Type: Syslog

Integrating Aruba ClearPass

Before you configure the Aruba ClearPass integration, you must have the IP address of the USM Anywhere Sensor.

You configure Aruba ClearPass to send syslog messages to USM Anywhere using the Aruba ClearPass Policy Manager. To configure the logs, select Administration > Server Manager > Log Configuration.

There are two parts to Aruba ClearPass log configuration:

  • Service Log Configuration
  • System Level Configuration

To perform Aruba ClearPass Service Log Configuration

  1. From the Log Configuration page, select the Service Log Configuration tab.

  2. From the Select Server drop-down, specify the server for which you want to configure logs.

    All nodes in the cluster appear in the drop-down list.

  3. Specify the service for which you want to configure logs.
  4. Select the Module Log Level Settings check box to set the log level for each module individually.

    The levels are listed in decreasing order of verbosity. For optimal performance, run Policy Manager with the log level set to ERROR or FATAL:

    • DEBUG
    • INFO
    • WARN
    • ERROR
    • FATAL

    Note: If this option is disabled, then all module level logs are set to the default log level.

  5. Specify the default logging level for all modules.

    The Default Log Level drop-down list is available if the Module Log Level Settings option is disabled. Available options include the following:

    • DEBUG
    • INFO
    • WARN
    • ERROR
    • FATAL

    Note: Set the default levels first, and then override any specific modules as necessary. For operation with USM Anywhere, the default log level is typically set to WARN, since it is usually safe to ignore DEBUG and INFO messages.

  6. Click Save to save changes. (To restore the default settings, click Restore Defaults.)

To perform Aruba ClearPass System Level Configuration

  1. From the Log Configuration page, select the System Level tab.

  2. Specify the server for which you want to configure logs.
  3. Specify the number of log files of a specific module to keep at any given time.

    When a log file reaches the specified size (see Limit each log file size to), Policy Manager rolls the log over to another file until the specified number of log files is reached. Once the number of log files exceeds the specified value, Policy Manager overwrites the oldest file.

  4. Specify the size of each log file before the log rolls over to the next file.

    The default value is 50 MB.

  5. Configure the Syslog Settings as described in steps 6 through 9.

  6. Specify the name of the syslog server (which, in this case, is the USM Anywhere Sensor).

    Policy Manager sends the configured module logs to this syslog server.

  7. Specify the syslog server port number.

    The default UDP port number is 514. The default TCP port number is 601.

  8. To override the Syslog Filter Level for a service, select the Enable Syslog check box.
  9. If desired, change the Syslog Filter Level.

    The current Syslog Filter level is based on the default log level specified on the Service Log Configuration tab.

  10. Click Save to save your changes. (To restore the default settings, click Restore Defaults.)
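To check that syslog traffic can reach the Sensor on the port configured above, the following added example (not part of the vendor documentation or of ClearPass) sends a constructed test message over UDP or TCP and models which log levels pass a given filter level. The mapping of ClearPass log levels to syslog severities, the facility, and the hostname and application names are assumptions made for this example.

```python
import socket
from datetime import datetime, timezone

# Log levels from the procedure above, most to least verbose, mapped to
# syslog severities. This mapping is an assumption made for the example.
LEVELS = {"DEBUG": 7, "INFO": 6, "WARN": 4, "ERROR": 3, "FATAL": 2}
LOCAL0 = 16  # syslog facility used for the test message (assumption)


def passes_filter(level, filter_level):
    """True if a message at `level` is forwarded when the filter is `filter_level`."""
    return LEVELS[level] <= LEVELS[filter_level]


def build_message(level, text, hostname="clearpass-test", app="syslog-check"):
    """Build one RFC 5424 line; PRI = facility * 8 + severity.

    hostname and app are constructed sample values, not ClearPass output.
    """
    pri = LOCAL0 * 8 + LEVELS[level]
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {level} {text}".encode()


def send_test(sensor, level, text, filter_level="WARN", port=None, tcp=False):
    """Send one test message to `sensor`; return bytes sent (0 if filtered out)."""
    if not passes_filter(level, filter_level):
        return 0
    # Defaults stated in the procedure: UDP 514, TCP 601.
    port = port or (601 if tcp else 514)
    data = build_message(level, text)
    if tcp:
        # Newline-delimited framing for syslog over TCP.
        with socket.create_connection((sensor, port), timeout=5) as s:
            s.sendall(data + b"\n")
        return len(data) + 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (sensor, port))
```

Call send_test with the Sensor IP address, for example at level ERROR, and confirm on the Sensor side that the message arrives. With the filter left at WARN, the DEBUG and INFO test messages are not sent.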

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_0
  • customheader_0
  • destination_hostname
  • duration
  • event_description
  • event_name
  • event_severity
  • plugin_device
  • plugin_device_type
  • source_hostname
  • source_port
  • source_username

Additional Resources and Troubleshooting

http://www.arubanetworks.com/techdocs/ClearPass/6.6/PolicyManager/index.htm#CPPM_UserGuide/Admin/administration.html

For troubleshooting, see the vendor documentation.