Adding a Syslog Export Filter
Use filters to select the data sent from the Log server to the Syslog server. First add a Syslog Filter as described below. You can then export and apply the Syslog filters separately to different kinds of logs.
To add a syslog export filter:
1. Navigate to > > .
2. From the page, click . The page opens to the tab.
Figure 1 Add Syslog Export Filters Page > General Tab
|
tab shown in the figure above is only visible if you select or as the export template. A syslog filter cannot be added for an Insight Logs export template unless a Predefined Field Group column was selected on the Filters and Columns tab. For more information, see |
The following table describes the
> tab parameters:
Parameter | Action/Description
Name | Enter the name of the syslog export filter.
Description | Enter the description that provides additional information about the syslog export filter (recommended).
Export Template | Select any one of the templates from the following options: If you select or , the tab is enabled. For more information, see Filter and Columns Tab.
Export Event Format Type | Select any one of the export event formats from the following options: : Select this event format type to send the event types in raw syslog format. This is the default event format type. : Select this event format type to send the event types in Log Enhanced Event Format (CEF). In Syslog Targets, CEF-format field mappings map as many fields as possible for each template. Each template has unique mappings to customstrings, devicecustomdates, and devicecustomnumbers. : Select this event format type to send the event types in Common Event Format (RFC 5424. This format is available for all export templates. : Select this event format type to export events in structured syslog format, as specified in For sample event format types, see Export Event Format Types—Examples.
Local Facility Level | Set the local facility level for the export event from | to . The default facility level setting is , for user-level messages.
Syslog Servers | Syslog servers define the receivers of syslog messages sent by servers in the Policy Manager cluster. To add a Policy Manager syslog server, select it from the drop-down list. To add a new Policy Manager syslog server, click the link (for more information, see Adding a Syslog Target). To view details about a syslog server, select the syslog server, then click View Details. To change details about a syslog server, select the syslog server, then click Modify. For more information, see Adding a Syslog Target. To remove a syslog server (from receiving syslog messages), select the syslog server, then click Remove.
Policy Manager Servers | You can designate syslog messages to be sent from exactly one server in the Policy Manager cluster or from all of them. To add a Policy Manager server, select it from the drop-down list. To remove the Policy Manager server, select the Policy Manager server, then click Remove. When no servers are listed, syslog messages are sent from all servers in the cluster.
Export Event Format Types—Examples
This section provides examples of Standard, LEEF (Log Event Extended Format), CEF (Common Event Format), and RFC 5424 event format types for the syslog export filter templates. LEEF is a type of customizable syslog event format. CEF is a standard for the interoperability of event or log-generating devices and applications; its standard syntax includes a prefix and a variable extension formatted as key-value pairs.
Standard Event Format Type > Audit Events
The following example describes the Standard event format type for the syslog export filter template:
Mar 20 21:18:56 10.17.5.228 2017-01-19 21:19:50,118 10.17.5.228 Audit Logs 96 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=clusteradmin,Category=Endpoint,Action=ADD,EntityName=34a39527afc0,src=10.17.5.228,Timestamp=Jan 19, 2017 21:18:54 IST
Mar 20 21:20:56 10.17.5.228 2017-01-19 21:21:50,111 10.17.5.228 Audit Logs 97 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Cluster-wide Parameter,Action=MODIFY,EntityName=Endpoint Context Servers polling interval,src=10.17.5.228,Timestamp=Jan 19, 2017 21:20:22 IST
Mar 21 09:28:59 10.17.5.228 2017-01-20 09:29:54,3 10.17.5.228 Audit Logs 99 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=admin,Category=Network Device,Action=REMOVE,EntityName=1.1.1.1,src=10.17.5.228,Timestamp=Jan 20, 2017 09:29:13 IST
Standard Event Format Type > System Events
The following example describes the Standard event format type for the syslog export filter template:
Mar 21 16:46:29 10.17.5.228 2017-01-20 16:47:23,880 10.17.5.228 System Events 0 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=User: arubasupport\nClient IP Address: 10.20.23.178,Category=Logged in,Action=None,Level=INFO,src=10.17.5.228,Component=Support Shell,Timestamp=Jan 20, 2015 16:45:59 IST
Mar 21 16:49:10 10.17.5.228 2017-01-20 16:50:05,210 10.17.5.228 System Events 1 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description='Failed to start ClearPass Virtual IP service',Category=start,Action=Failed,Level=WARN,src=10.17.5.228,Component=ClearPass Virtual IP service,Timestamp=Jan 20, 2017 16:48:53 IST
2015-01-20 16:50:05,210 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.syslog.Syslogger - 2017-01-20 16:50:05,210 10.17.5.228 System Events 2 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=Performed action stop on cpass-domain-server_CPATS,Category=stop,Action=Success,Level=INFO,src=10.17.5.228,Component=cpass-domain-server_CPATS,Timestamp=Jan 20, 2017 16:48:57 IST
2015-01-20 16:50:05,211 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.syslog.Syslogger - 2017-01-20 16:50:05,211 10.17.5.228 System Events 3 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=Performed action start on cpass-domain-server_CPATS,Category=start,Action=Success,Level=INFO,src=10.17.5.228,Component=cpass-domain-server_CPATS,Timestamp=Jan 20, 2017 16:49:00 IST
Standard Event Format Type > Session Events
The following example describes the Standard event format type for the syslog export filter template:
Mar 21 16:31:49 10.17.5.211 2015-01-20 16:32:41,552 10.17.5.211 Radius Session Logs 4 1 0 Common.NAS-IP-Address=10.17.4.7,RADIUS.Acct-Delay-Time=null,RADIUS.Acct-Framed-IP-Address=null,RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com,RADIUS.Acct-Timestamp=null,RADIUS.Acct-Authentic=null,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Host-MAC-Address=58a2b5d05ac9,RADIUS.Acct-Termination-Cause=null,RADIUS.Acct-Service-Name=null,RADIUS.Acct-Session-Time=null,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,RADIUS.Acct-NAS-Port=null,Common.Username=test1,RADIUS.Acct-Session-Id=null,RADIUS.Acct-Called-Station-Id=null,RADIUS.Acct-NAS-Port-Type=null,src=10.17.5.211,RADIUS.Acct-NAS-IP-Address=null,Common.Service=Test Post Authentication Rules,RADIUS.Acct-Input-Pkts=null,RADIUS.Acct-Status-Type=null,RADIUS.Acct-Calling-Station-Id=null,Common.Request-Timestamp=2015-01-20 16:31:46+05:30,RADIUS.Acct-Output-Pkts=null,RADIUS.Acct-Output-Octets=null,RADIUS.Acct-Username=null,RADIUS.Acct-Input-Octets=null
Mar 21 16:31:49 10.17.5.211 2015-01-20 16:32:41,550 10.17.5.211 Radius Session Logs 3 2 0 Common.NAS-IP-Address=10.17.4.7,RADIUS.Acct-Delay-Time=0,RADIUS.Acct-Framed-IP-Address=10.17.4.148,RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com,RADIUS.Acct-Timestamp=2015-01-20 16:31:50+05:30,RADIUS.Acct-Authentic=RADIUS,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.Host-MAC-Address=e0f8471a5450,RADIUS.Acct-Termination-Cause=null,RADIUS.Acct-Service-Name=null,RADIUS.Acct-Session-Time=null,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,RADIUS.Acct-NAS-Port=0,Common.Username=test1,RADIUS.Acct-Session-Id=test1E0F8471A5450-54BE336C,RADIUS.Acct-Called-Station-Id=000B8661CD70,RADIUS.Acct-NAS-Port-Type=Wireless-802.11,src=10.17.5.211,RADIUS.Acct-NAS-IP-Address=10.17.4.7,Common.Service=Test Post Authentication Rules,RADIUS.Acct-Input-Pkts=null,RADIUS.Acct-Status-Type=Start,RADIUS.Acct-Calling-Station-Id=E0F8471A5450,Common.Request-Timestamp=2015-01-20 16:31:45+05:30,RADIUS.Acct-Output-Pkts=null
Mar 21 16:35:58 10.17.5.228 2015-01-20 16:36:52,346 10.17.5.228 Tacacs authetnications 2 1 0 TACACS.Request-Type=TACACS_AUTHORIZATION,TACACS.Enforcement-Profiles=[TACACS Super Admin],TACACS.Acct-Flags=null,TACACS.Authen-Service=AUTHEN_SVC_NONE,TACACS.Acct-Session-Id=null,TACACS.Remote-Address=10.20.23.178,Common.Request-Timestamp=2015-01-20 16:34:54.647+05:30,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,TACACS.Authen-Action=,TACACS.Authen-Method=AUTHEN_METH_TACACSPLUS,Common.Username=a,TACACS.Authen-Type=AUTHEN_TYPE_PAP,TACACS.Auth-Source=[Local User Repository],src=10.17.5.228,TACACS.Privilege-Level=1,Common.Service=[Policy Manager Admin Network Login Service]
Mar 21 16:35:58 10.17.5.228 2017-01-20 16:36:52,346 10.17.5.228 Tacacs authetnications 3 1 0 TACACS.Request-Type=TACACS_AUTHENTICATION,TACACS.Enforcement-Profiles=[TACACS Super Admin],TACACS.Acct-Flags=null,TACACS.Authen-Service=AUTHEN_SVC_NONE,TACACS.Acct-Session-Id=null,TACACS.Remote-Address=10.20.23.178,Common.Request-Timestamp=2017-01-20 16:34:54.647+05:30,TimestampFormat=yyyy-MM-dd HH:mm:ss,S,TACACS.Authen-Action=AUTHEN_ACTION_LOGIN,TACACS.Authen-Method=AUTHEN_METH_TACACSPLUS,Common.Username=a,TACACS.Authen-Type=AUTHEN_TYPE_PAP,TACACS.Auth-Source=[Local User Repository],src=10.17.5.228,TACACS.Privilege-Level=1,Common.Service=[Policy Manager Admin Network Login Service]
LEEF Event Format Type > Insight Logs
The following example describes the LEEF event format type for the syslog export filter template:
Dec 03 2017 16:50:44.085 IST 10.17.4.208 LEEF:1.0|Aruba|ClearPass|6.5.0.69058|0-1-0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:48:41+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS z Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600
CEF Event Format Type > Insight Logs
The following example describes the CEF event format type for the syslog export filter template:
Dec 03 2017 16:31:28.861 IST 10.17.4.208 CEF:0|Aruba|ClearPass|6.5.0.69058|0-1-0|Insight Logs|0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:28:20+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600
CEF Event Format Type > Audit Logs
The following example describes the CEF event format type for the syslog export filter template:
Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba|ClearPass|6.5.0.68754|13-1-0|Audit Records|5|cat=Role timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz rt=Nov 19, 2014 18:21:13 IST src=Test Role 10 act=ADD usrName=admin
LEEF Event Format Type > Audit Logs
The following example describes the LEEF event format type for the syslog export filter template:
Nov 19 2017 14:31:10.422 IST 10.17.4.221 LEEF:1.0|Aruba|ClearPass|6.5.0.68754|0-1-0|cat=Syslog Export Data devTime=Nov 19, 2014 14:30:35 IST action=ADD src=Audit Events - LEEF usrName=admin devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z
LEEF Event Format Type > System Events
The following example describes the LEEF event format type for the syslog export filter template:
Dec 02 2017 20:38:40.901 IST 10.17.4.206 LEEF:1.0|Aruba|ClearPass|6.5.0.68878|295-1-0|cat=start devTime=Dec 02, 2014 20:38:12 IST level=WARN description='Failed to start ClearPass Virtual IP service' action=Failed src=ClearPass Virtual IP service devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z
CEF Event Format Type > Session Logs
The following example describes the CEF event format type for the syslog export filter template:
Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0|Aruba|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=172.21.18.170 RADIUS.Acct-Framed-IP-Address=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=3155 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R00001316-01-547c3b5a RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=578470212 RADIUS.Acct-Username=A_user2 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=786315664
LEEF Event Format Type > Session Logs
The following example describes the LEEF event format type for the syslog export filter template:
Dec 02 2017 15:35:14.944 IST 10.17.4.206 LEEF:1.0|Aruba|ClearPass|6.5.0.68878|1309854-1-0|RADIUS.Acct-Calling-Station-Id=172.21.18.170 RADIUS.Acct-Framed-IP-Address=192.167.203.170 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2017-12-02 15:32:47+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=565 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS z RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R000a5038-01-547d8e47 RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=412895267 RADIUS.Acct-Username=A_user706 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=665942581
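The Standard examples above separate fields with commas and the CEF and LEEF examples with spaces, yet values such as TimestampFormat=yyyy-MM-dd HH:mm:ss,S or src=Test Role 10 contain the separator themselves. The following Python parser is an added example, not code from HPE Aruba Networking; it ends a field only where a separator is followed by name=, and the function names split_pairs and parse_export, the field-name character set, and the reading of "null" as "no value" are assumptions made here.

```python
import re

# Field names in the page's examples use letters, digits, ".", "-" and "_".
_KEY = r"[A-Za-z][A-Za-z0-9_.-]*"

def split_pairs(payload, sep):
    """Split 'name=value<sep>name=value' when a value may contain <sep>.

    A separator ends a field only where 'name=' follows it directly.
    """
    boundary = re.compile("(?:" + sep + ")(?=" + _KEY + "=)")
    fields = {}
    for chunk in boundary.split(payload.strip()):
        key, _, value = chunk.partition("=")
        # Assumption: the literal "null" in the examples means "no value".
        fields[key] = None if value == "null" else value
    return fields

def parse_export(line):
    """Return (format, header_fields, fields) for one exported line."""
    m = re.search(r"\b(CEF|LEEF):(.*)$", line)
    if m:
        fmt = m.group(1)
        # Pipe-delimited header fields: 7 for CEF:0, 5 for LEEF:1.0.
        n = 7 if fmt == "CEF" else 5
        parts = m.group(2).split("|", n)
        if len(parts) != n + 1:
            raise ValueError("truncated " + fmt + " header")
        return fmt, parts[:n], split_pairs(parts[n], r"[ \t]+")
    # Standard: free-form prefix, three integers, then comma-separated pairs.
    m = re.search(r" \d+ \d+ \d+ (" + _KEY + r"=.*)$", line)
    if m:
        return "Standard", [], split_pairs(m.group(1), ",")
    raise ValueError("unrecognised export format")

# Samples copied from the examples on this page (the LEEF line is shortened).
STANDARD = ("Mar 20 21:18:56 10.17.5.228 2017-01-19 21:19:50,118 10.17.5.228 Audit Logs 96 1 0 "
            "TimestampFormat=yyyy-MM-dd HH:mm:ss,S,User=clusteradmin,Category=Endpoint,Action=ADD,"
            "EntityName=34a39527afc0,src=10.17.5.228,Timestamp=Jan 19, 2017 21:18:54 IST")
CEF = ("Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba|ClearPass|6.5.0.68754|13-1-0|"
       "Audit Records|5|cat=Role timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz "
       "rt=Nov 19, 2014 18:21:13 IST src=Test Role 10 act=ADD usrName=admin")
LEEF = ("Dec 03 2017 16:50:44.085 IST 10.17.4.208 LEEF:1.0|Aruba|ClearPass|6.5.0.69058|0-1-0|"
        "Auth.Username=host/Asif-Test-PC2 Auth.Enforcement-Profiles=[Allow Access Profile] "
        "Auth.Roles=null src=10.17.4.208")

if __name__ == "__main__":
    for sample in (STANDARD, CEF, LEEF):
        print(parse_export(sample))
```

A value that itself contains a separator followed by name= cannot be told apart from a real field in these three formats. The RFC 5424 format quotes every value and does not have that ambiguity.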
RFC 5424 Event Format Type > Session Logs
<151>1 2019-12-10T14:51:47.350Z 192.0.2.1 ClearPass 13683 0-1-0 [timeQuality tzKnown="1"][origin swVersion="6.9.0.170141" software="PolicyManager" ip="192.0.2.1" enterpriseId="1.3.6.1.4.1.14823"][clearPass@14823 RADIUS.Acct-Framed-IP-Address="203.0.113.1" RADIUS.Acct-Input-Octets="191003811" eventId="3004" RADIUS.Acct-Username="user1" RADIUS.Acct-Calling-Station-Id="172.21.18.170" RADIUS.Acct-Service-Name="Authenticate-Only" RADIUS.Acct-Output-Octets="53484221" RADIUS.Acct-NAS-Port="57162" CppmNode.CPPM-Node="192.0.2.1" RADIUS.Acct-Session-Time="2889" RADIUS.Acct-NAS-Port-Type="Wireless-802.11" RADIUS.Acct-Timestamp="2019-12-10 14:51:27.259+00" RADIUS.Acct-NAS-IP-Address="192.0.2.11" RADIUS.Acct-Session-Id="R00000034-01-5defb0ed"]
RFC 5424 Event Format Type > Insight Logs
<167>1 2019-12-10T10:31:05.868Z 192.0.2.1 ClearPass 13683 5-1-0 [timeQuality tzKnown="1"][origin swVersion="6.9.0.170141" software="PolicyManager" ip="192.0.2.1" enterpriseId="1.3.6.1.4.1.14823"][clearPass@14823 eventId="3003" Endpoint.Username="user1" Endpoint.Updated-At="2019-12-10 10:28:47.36002+00" Endpoint.MAC-Address="422300009999" Endpoint.IP-Address="172.168.46.42" Endpoint.Status="Known" Endpoint.Conflict="f" CppmNode.CPPM-Node="192.0.2.1" Endpoint.Added-At="2019-12-10 09:27:41+00"]
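The RFC 5424 examples above carry the facility and severity in the leading <PRI> value and the ClearPass attributes as quoted parameters inside bracketed structured-data elements. The following Python parser is an added example, not code from HPE Aruba Networking; the function name parse_rfc5424 and the layout of the returned dictionary are assumptions made here, and the sample is the Insight Logs line above with some parameters removed.

```python
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
# One SD-ELEMENT: [id name="value" ...]; inside a value, \" \\ and \] are escapes.
_ELEMENT = re.compile(r'\[([^ \]="]+)((?: [^ \]="]+="(?:\\.|[^"\\])*")*)\]')
_PARAM = re.compile(r' ([^ \]="]+)="((?:\\.|[^"\\])*)"')

def parse_rfc5424(line):
    """Decode PRI, the header fields and the structured data of one message."""
    m = _HEADER.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid RFC 5424 message")
    pri, rest = int(m.group(1)), m.group(8)
    event = {
        "facility": pri >> 3,            # 16-23 are local0-local7
        "severity": SEVERITY[pri & 7],
        "version": int(m.group(2)), "timestamp": m.group(3),
        "hostname": m.group(4), "app_name": m.group(5),
        "procid": m.group(6), "msgid": m.group(7), "sd": {},
    }
    pos = 1 if rest.startswith("-") else 0   # "-" means no structured data
    el = _ELEMENT.match(rest, pos)
    while el:                                # elements follow each other directly
        event["sd"][el.group(1)] = {
            name: re.sub(r'\\(["\\\]])', r"\1", value)   # undo the three escapes
            for name, value in _PARAM.findall(el.group(2))
        }
        pos = el.end()
        el = _ELEMENT.match(rest, pos)
    event["msg"] = rest[pos:].lstrip(" ")    # free-text part, empty in the examples
    return event

# The Insight Logs example from this page with some parameters removed.
SAMPLE = ('<167>1 2019-12-10T10:31:05.868Z 192.0.2.1 ClearPass 13683 5-1-0 '
          '[timeQuality tzKnown="1"]'
          '[origin swVersion="6.9.0.170141" software="PolicyManager" '
          'ip="192.0.2.1" enterpriseId="1.3.6.1.4.1.14823"]'
          '[clearPass@14823 eventId="3003" Endpoint.Username="user1" '
          'Endpoint.MAC-Address="422300009999" Endpoint.Status="Known"]')

if __name__ == "__main__":
    print(parse_rfc5424(SAMPLE))
```

PRI 167 in the Insight Logs example decodes to facility 20 (local4) with severity 7, and PRI 151 in the Session Logs example to facility 18 (local2) with severity 7.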