Console
    Start free

    Collect Aruba ClearPass logs

    Supported in:

    This document explains how to ingest Aruba ClearPass logs to Google Security Operations using the Bindplane agent.

    Aruba ClearPass Policy Manager generates syslog messages for RADIUS authentication, TACACS+, web authentication, endpoint posture, guest access, audit records, and system events. The parser maps extracted fields to the Unified Data Model (UDM).

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and the ClearPass Policy Manager
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Privileged access to the ClearPass Policy Manager console

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.

    4. Save the file securely on the system where the Bindplane agent will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.

    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sc query observiq-otel-collector

      The service should show as RUNNING.

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sudo  
systemctl  
status  
observiq-otel-collector

      The service should show as active (running).

    Additional installation resources

    For additional installation options and troubleshooting, see the Bindplane agent installation guide .

    Configure the Bindplane agent to ingest syslog and send to Google SecOps

    Locate the configuration file

    • Linux:

       sudo  
nano  
/etc/bindplane-agent/config.yaml

    • Windows:

       notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

    Edit the configuration file

    • Replace the entire contents of config.yaml with the following configuration:

        receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/clearpass 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 '<customer_id>' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 CLEARPASS 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/clearpass_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/clearpass

    Configuration parameters

    Replace the following placeholders:

    • Receiver configuration:

      • listen_address : IP address and port to listen on:
        • 0.0.0.0 to listen on all interfaces (recommended)
        • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

    • Exporter configuration:

      • creds_file_path : Full path to ingestion authentication file:
        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id : Customer ID copied from the Google SecOps console
      • endpoint : Regional endpoint URL:
        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
        • See Regional Endpoints for complete list

    Save the configuration file

    • After editing, save the file:
      • Linux: Press Ctrl+O , then Enter , then Ctrl+X
      • Windows: Click File > Save

    Restart the Bindplane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

      1. Verify the service is running:

         sudo  
systemctl  
status  
observiq-otel-collector

      2. Check logs for errors:

         sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    • To restart the Bindplane agent in Windows, choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

        4. Verify the service is running:

           sc query observiq-otel-collector

        5. Check logs for errors:

            type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Configure Aruba ClearPass syslog server

    1. Sign in to the ClearPass Policy Managerconsole.
    2. Select Administration > External servers > Syslog targets.
    3. Click Add.
    4. In the Add syslog targetwindow that appears, specify the following details:
      • Host address: enter the Bindplane IP address.
      • Server port: enter the Bindplane port number.
      • Protocol: select UDP(you can also select TCP, depending on your Bindplane configuration).
    5. Click Save.

    Configure syslog export filters

    1. Go to Administration > External servers > Syslog export filters.
    2. Click Add.
    3. In the Add Syslog Filterswindow that appears, specify the following in the Generaltab:
      • Name: enter the syslog export filter name based on the table in Export template items .
      • Export template: select the appropriate export template based on the table in Export template items .
      • Export event format type: select Standard.
      • Syslog servers: select the Bindplane IP address.
    4. In the Export templatelist, when you select the Sessionor Insightexport templates, the Filter and columnstab is enabled. Complete the following steps:
      • Click the Filter and columnstab.
      • Data filter: make sure the default value All requestsis selected.
      • Column selection: select the predefined field group based on the table in Export template items .
      • Selected columns: verify that the automatically populated fields match the table in Export template items .
      • Click the Summarytab.
      • Click Save.
    5. In the Export templatelist, when you select the System eventsand Audit recordsexport templates, the Filter and columnstab is not enabled. Proceed to the Summarytab and click Save.
    6. Repeat steps to add syslog export filters for all Session, Insight, Audit recordsand System eventsexport templates based on the details from the table in Export template items .

    Export template items

    The following table describes the items that you need to configure for each export template. The default fields that are listed in Selected Columns are supported for event parsing. Ensure all fields that are mentioned in the table under Selected columns (default) are present and in the same order. Make sure to create syslog export filter templates exactly as provided in table, including the case-sensitive name of the filter.

    Syslog export filter name (case sensitive) Export template Predefined field groups Selected columns (default)
    ACPPM_radauth
    		Insight Logs Radius Authentications Auth.Username, Auth.Host-MAC-Address, Auth.Protocol, Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles
    ACPPM_radfailedauth
    		Insight Logs Radius Failed Authentications Auth.Username, Auth.Host-MAC-Address, Auth.NAS-IP-Address, CppmNode.CPPM-Node, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
    ACPPM_radacct
    		Insight Logs RADIUS Accounting Radius.Username, Radius.Calling-Station-Id, Radius.Framed-IP-Address, Radius.NAS-IP-Address, Radius.Start-Time, Radius.End-Time, Radius.Duration, Radius.Input-bytes, Radius.Output-bytes
    ACPPM_tacauth
    		Insight Logs tacacs Authentication tacacs.Username, tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, tacacs.Auth-Source, tacacs.Roles, tacacs.Enforcement-Profiles, tacacs.Privilege-Level
    ACPPM_tacfailedauth
    		Insight Logs tacacs Failed Authentication tacacs.Username, tacacs.Remote-Address, tacacs.Request-Type, tacacs.NAS-IP-Address, tacacs.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
    ACPPM_webauth
    		Insight Logs WEBAUTH Auth.Username, Auth.Host-MAC-Address, Auth.Host-IP-Address, Auth.Protocol, Auth.System-Posture-Token, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles
    ACPPM_webfailedauth
    		Insight Logs WEBAUTH Failed Authentications Auth.Username, Auth.Host-MAC-Address, Auth.Host-IP-Address, Auth.Protocol, Auth.System-Posture-Token, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
    ACPPM_appauth
    		Insight Logs Application Authentication Auth.Username, Auth.Host-IP-Address, Auth.Protocol, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, Auth.Source, Auth.Roles, Auth.Enforcement-Profiles
    ACPPM_failedappauth
    		Insight Logs Failed Application Authentication Auth.Username, Auth.Host-IP-Address, Auth.Protocol, CppmNode.CPPM-Node, Auth.Login-Status, Auth.Service, CppmErrorCode.Error-Code-Details, CppmAlert.Alerts
    ACPPM_endpoints
    		Insight Logs Endpoints Endpoint.MAC-Address, Endpoint.MAC-Vendor, Endpoint.IP-Address, Endpoint.Username, Endpoint.Device-Category, Endpoint.Device-Family, Endpoint.Device-Name, Endpoint.Conflict, Endpoint.Status, Endpoint.Added-At, Endpoint.Updated-At
    ACPPM_cpguest
    		Insight Logs Clearpass Guest Guest.Username, Guest.MAC-Address, Guest.Visitor-Name, Guest.Visitor-Company, Guest.Role-Name, Guest.Enabled, Guest.Created-At, Guest.Starts-At, Guest.Expires-At
    ACPPM_onbenroll
    		Insight Logs Onboard Enrollment OnboardEnrollment.Username, OnboardEnrollment.Device-Name, OnboardEnrollment.MAC-Address, OnboardEnrollment.Device-Product, OnboardEnrollment.Device-Version, OnboardEnrollment.Added-At, OnboardEnrollment.Updated-At
    ACPPM_onbcert
    		Insight Logs Onboard Certificate OnboardCert.Username, OnboardCert.Mac-Address, OnboardCert.Subject, OnboardCert.Issuer, OnboardCert.Valid-From, OnboardCert.Valid-To, OnboardCert.Revoked-At
    ACPPM_onboscp
    		Insight Logs Onboard OCSP OnboardOCSP.Remote-Address, OnboardOCSP.Response-Status-Name, OnboardOCSP.Timestamp
    ACPPM_cpsysevent
    		Insight Logs Clearpass System Events CppmNode.CPPM-Node, CppmSystemEvent.Source, CppmSystemEvent.Level, CppmSystemEvent.Category, CppmSystemEvent.Action, CppmSystemEvent.Timestamp
    ACPPM_cpconfaudit
    		Insight Logs Clearpass Configuration Audit CppmConfigAudit.Name, CppmConfigAudit.Action, CppmConfigAudit.Category, CppmConfigAudit.Updated-By, CppmConfigAudit.Updated-At
    ACPPM_possummary
    		Insight Logs Posture Summary Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Posture-Healthy, Endpoint.Posture-Unhealthy
    ACPPM_posfwsummary
    		Insight Logs Posture Firewall Summary Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Firewall-APT, Endpoint.Firewall-Input, Endpoint.Firewall-Output
    ACPPM_poavsummary
    		Insight Logs Posture Antivirus Summary Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antivirus-APT, Endpoint.Antivirus-Input, Endpoint.Antivirus-Output
    ACPPM_posassummary
    		Insight Logs Posture Antispyware Summary Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.Antispyware-APT, Endpoint.Antispyware-Input, Endpoint.Antispyware-Output
    ACPPM_posdskencrpsummary
    		Insight Logs Posture DiskEncryption Summary Endpoint.MAC-Address, Endpoint.IP-Address, Endpoint.Hostname, Endpoint.Usermame, Endpoint.System-Agent-Type, Endpoint.System-Agent-Version, Endpoint.System-Client-OS, Endpoint.System-Posture-Token, Endpoint.DiskEncryption-APT, Endpoint.DiskEncryption-Input, Endpoint.DiskEncryption-Output
    ACPPM_loggedusers
    		Session Logs Logged in Users Common.Username, Common.Service, Common.Roles, Common.Host-MAC-Address, RADIUS.Acct-Framed-IP-Address, Common.NAS-IP-Address, Common.Request-Timestamp
    ACPPM_failedauth
    		Session Logs Failed Authentications Common.Username, Common.Service, Common.Roles, RADIUS.Auth-Source, RADIUS.Auth-Method, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Host-MAC-Address, Common.NAS-IP-Address, Common.Error-Code, Common.Alerts, Common.Request-Timestamp
    ACPPM_radacctsession
    		Session Logs RADIUS Accounting RADIUS.Acct-Username, RADIUS.Acct-NAS-IP-Address, RADIUS.Acct-NAS-Port, RADIUS.Acct-NAS-Port-Type, RADIUS.Acct-Calling-Station-Id, RADIUS.Acct-Framed-IP-Address, RADIUS.Acct-Session-Id, RADIUS.Acct-Session-Time, RADIUS.Acct-Output-Pkts, RADIUS.Acct-Input-Pkts, RADIUS.Acct-Output-Octets, RADIUS.Acct-Input.Octets, RADIUS.Acct-Service-Name, RADIUS.Acct-Timestamp
    ACPPM_tacadmin
    		Session Logs tacacs+ Administration Common.Username, Common.Service, tacacs.Remote-Address, tacacs.Privilege.Level, Common.Request-Timestamp
    ACPPM_tacacct
    		Session Logs tacacs+ Accounting Common.Username, Common.Service, tacacs.Remote-Address, tacacs.Acct-Flags, tacacs.Privilege.Level, Common.Request-Timestamp
    ACPPM_webauthsession
    		Session Logs Web Authentication Common.Username, Common.Host-MAC-Address, WEBAUTH.Host-IP-Address, Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp
    ACPPM_guestacc
    		Session Logs Guest Access Common.Username, RADIUS.Auth-Method, Common.Host-MAC-Address, Common.Roles, Common.System-Posture-Token, Common.Enforcement-Profiles, Common.Request-Timestamp
    ACPPM_auditrecords
    		Audit Records Not Applicable Not Applicable
    ACPPM_systemevents
    		System Events Not Applicable Not Applicable

    UDM mapping table

    Log field UDM mapping Logic
    Action
    		security_result.action Value is mapped from 'Action' field if its value is 'ALLOW' or 'BLOCK'
    Auth.Enforcement-Profiles
    		security_result.detection_fields.value Value is mapped from 'Auth.Enforcement-Profiles' field
    Auth.Host-MAC-Address
    		principal.mac Value is mapped from 'Auth.Host-MAC-Address' field after converting it to colon-separated MAC address format
    Auth.Login-Status
    		security_result.detection_fields.value Value is mapped from 'Auth.Login-Status' field
    Auth.NAS-IP-Address
    		target.ip Value is mapped from 'Auth.NAS-IP-Address' field
    Auth.Protocol
    		intermediary.application Value is mapped from 'Auth.Protocol' field
    Auth.Service
    		security_result.detection_fields.value Value is mapped from 'Auth.Service' field
    Auth.Source
    		principal.hostname Value is mapped from 'Auth.Source' field after removing any leading alphanumeric characters and spaces
    Auth.Username
    		principal.user.user_display_name Value is mapped from 'Auth.Username' field
    Category
    		metadata.event_type If value is 'Logged in', UDM field is set to 'USER_LOGIN'. If value is 'Logged out', UDM field is set to 'USER_LOGOUT'
    Common.Alerts
    		security_result.description Value is mapped from 'Common.Alerts' field
    Common.Enforcement-Profiles
    		security_result.detection_fields.value Value is mapped from 'Common.Enforcement-Profiles' field
    Common.Login-Status
    		security_result.detection_fields.value Value is mapped from 'Common.Login-Status' field
    Common.NAS-IP-Address
    		target.ip Value is mapped from 'Common.NAS-IP-Address' field
    Common.Roles
    		principal.user.group_identifiers Value is mapped from 'Common.Roles' field
    Common.Service
    		security_result.detection_fields.value Value is mapped from 'Common.Service' field
    Common.Username
    		principal.user.userid Value is mapped from 'Common.Username' field
    Component
    		intermediary.application Value is mapped from 'Component' field
    Description
    		metadata.description Value is mapped from 'Description' field after replacing newline characters with pipe symbol. If 'Description' field contains 'User', 'Address', and 'Role', then it is parsed as key-value pairs and mapped to corresponding UDM fields. If 'Description' field contains 'Unable connection with', then the target hostname is extracted and mapped to 'target.hostname'
    EntityName
    		principal.hostname Value is mapped from 'EntityName' field
    InterIP
    		target.ip Value is mapped from 'InterIP' field
    Level
    		security_result.severity If value is 'ERROR' or 'FATAL', UDM field is set to 'HIGH'. If value is 'WARN', UDM field is set to 'MEDIUM'. If value is 'INFO' or 'DEBUG', UDM field is set to 'LOW'
    LogNumber
    		metadata.product_log_id Value is mapped from 'LogNumber' field
    RADIUS.Acct-Framed-IP-Address
    		principal.ip Value is mapped from 'RADIUS.Acct-Framed-IP-Address' field
    Timestamp
    		metadata.event_timestamp Value is mapped from 'Timestamp' field after converting it to UTC and parsing it as a timestamp
    User
    		principal.user.userid Value is mapped from 'User' field
    agent_ip
    		principal.ip, , principal.asset.ip Value is mapped from 'agent_ip' field
    community
    		additional.fields.value.string_value Value is mapped from 'community' field
    descr
    		metadata.description Value is mapped from 'descr' field
    enterprise
    		additional.fields.value.string_value Value is mapped from 'enterprise' field
    eventDescription
    		metadata.description Value is mapped from 'eventDescription' field after removing quotes
    generic_num
    		additional.fields.value.string_value Value is mapped from 'generic_num' field
    prin_mac
    		principal.mac Value is mapped from 'prin_mac' field after converting it to colon-separated MAC address format
    prin_port
    		principal.port Value is mapped from 'prin_port' field and converted to integer
    specificTrap_name
    		additional.fields.value.string_value Value is mapped from 'specificTrap_name' field
    specificTrap_num
    		additional.fields.value.string_value Value is mapped from 'specificTrap_num' field
    uptime
    		additional.fields.value.string_value Value is mapped from 'uptime' field
    version
    		metadata.product_version Value is mapped from 'version' field
    		extensions.auth.type Value is set to 'SSO'
    		metadata.event_type Value is determined based on various log fields and parser logic. See parser code for details
    		metadata.log_type Value is set to 'CLEARPASS'
    		metadata.product_name Value is set to 'ClearPass'
    		metadata.vendor_name Value is set to 'ArubaNetworks'

    Need more help? Get answers from Community members and Google SecOps professionals.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: