Documentation Center
AlienVault® USM Anywhere™

Aruba Wireless

When you configure Aruba Wireless to send log data to USM Anywhere, you can use the Aruba plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Aruba
Device Type Wireless Security Management
Connection Type Syslog

Integrating Aruba Wireless

Before you configure the Aruba Wireless integration, you must have the IP Address of the USM Anywhere Sensor.

You can specify a syslog server to send syslog messages to external servers either by using the Instant UI or CLI. The following procedures describe both approaches.

To configure Aruba Wireless Instant UI to send log data to USM Anywhere

  1. Starting from the main Instant UI page, click System.
  2. On the System page, select Show advanced options.
  3. Click the Monitoring tab.
  4. In the Syslog server field, type the IP Address of the USM Anywhere Sensor to which you want to send system logs.
  5. Select the required values to configure syslog facility levels, then click OK.

To configure Aruba Wireless CLI to send log data to USM Anywhere

  1. Configure a syslog server:

    (Instant Access Point)(config)# syslog-server <USM-Anywhere-Sensor-IP-Address>

  2. Configure syslog server facility levels:

    (Instant Access Point)(config)# syslog-level <logging-level>
    [ap-debug | network | security | system | user | user-debug |
    wireless]

    (Instant Access Point)(config)# end

    (Instant Access Point)# commit apply

  3. Review syslog logging levels:

    (Instant Access Point)# show syslog-level

    Example:

     

    Logging Level

    -------------

    Facility Level

    -------- -----

    ap-debug warn

    network warn

    security warn

    system warn

    user warn

    user-debug warn

    wireless error

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • audit_reason
  • destination_address
  • destination_port
  • destination_hostname
  • destination_mac
  • event_action
  • event_description
  • event_name
  • policy
  • rep_device_address
  • rep_device_hostname
  • source_hostname
  • source_port
  • source_process
  • source_mac
  • wireless_ap
  • wireless_bssid
  • wireless_channel
  • wireless_ssid

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://community.arubanetworks.com/aruba/attachments/aruba/84/106/1/Troubleshooting+Cheat+Sheet-.pdf