IBM Security QRadar

  • 1.  Aruba ClearPass Policy Manager error messages in Qradar

    Posted Tue February 20, 2024 09:52 AM

    Hi Guys,
    Kindly need support with the below issue:
    We have Aruba ClearPass Manager integrated with QRadar and we are receiving stored error.
    We contacted Aruba support and there are no issues from the Aruba side.
    Today I made a change [changed the protocol on the Aruba side from UDP to TCP and saved to test, then changed it again to UDP]; after these changes all incoming logs became stored and we are receiving incomplete payloads.

    Clearpass version : 6.9.4.130839  -  C2000V


    Thanks.



    ------------------------------
    Khaled Nasr
    ------------------------------


  • 2.  RE: Aruba ClearPass Policy Manager error messages in Qradar

    Posted Tue March 05, 2024 05:32 AM

    Hello,

    For this type of integration support we would need a support case to collect logs to help troubleshoot this issue.
     Regards



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Aruba ClearPass Policy Manager error messages in Qradar

    Posted Wed March 06, 2024 05:18 AM

    Hello,
    Thank you @Comghall Morgan for your reply.

    Kindly note that we already contacted support for this and they replied to us to contact Aruba Support.

    We contacted Aruba support before that and they confirmed that there is nothing to modify from the Aruba side.

    Note that we have all logs in the correct format except this type under the Radius category.

    Thanks 



    ------------------------------
    Khaled Nasr
    ------------------------------



  • 4.  RE: Aruba ClearPass Policy Manager error messages in Qradar

    Posted Fri March 08, 2024 06:00 AM

    Hello,

    If you have a case number I can follow up and see where the investigation went. 
    Though looking at the payload in the example, it appears not to be in LEEF format thus the parser/DSM/Log source type is not able to understand the payload, which is causing these events to get categorised as STORED.

    <135>Mar 01 14:53:03 x.x.x.x LEEF:1.0|Aruba Networks|ClearPass|6.9.4.130839|3010|messageId=36399-1-0Auth.Username=anonymous-outer Auth.Host-MAC-Address=xyz12345678 src=x.x.x.xdevTimeFormat=MMM
    <135>Mar 01 14:53:03 x.x.x.x LEEF:1.0|Aruba Networks|ClearPass|6.9.4.130839|3010|messageId=36412-1-0Auth.Username=Someone Auth.Host-MAC-Address=xyz12345678 src=x.x.x.xdevTimeFormat=MMM

    Sample Event: https://www.ibm.com/docs/en/dsm?topic=manager-aruba-clearpass-policy-sample-event-message

    At the moment the below record types are supported (https://www.ibm.com/docs/en/dsm?topic=networks-aruba-clearpass-policy-manager):

    Session, Audit, System, Insight

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------
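
To illustrate the point made in post 4, here is an added example (not from the thread or from IBM's DSM) that checks a raw payload against the LEEF 1.0 layout: five pipe-delimited header fields followed by tab-separated key=value attributes. The function name `check_leef`, the fused-attribute heuristic and the `GOOD` sample are assumptions made for this example; `AS_POSTED` is the first payload exactly as it appears in the thread.

```python
import re

# LEEF 1.0: optional syslog header, then five pipe-delimited header fields,
# then tab-separated key=value attributes.
HEADER = re.compile(r"LEEF:1\.0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$", re.S)
KEY = re.compile(r"^[A-Za-z][\w.\-]*$")

# Constructed sample: same header as the thread, attributes separated by tabs.
GOOD = ("<135>Mar 01 14:53:03 x.x.x.x LEEF:1.0|Aruba Networks|ClearPass|"
        "6.9.4.130839|3010|messageId=36399-1-0\tAuth.Username=anonymous-outer"
        "\tsrc=x.x.x.x")
# Payload as it appears in the thread (no tab characters present).
AS_POSTED = ("<135>Mar 01 14:53:03 x.x.x.x LEEF:1.0|Aruba Networks|ClearPass|"
             "6.9.4.130839|3010|messageId=36399-1-0Auth.Username=anonymous-outer "
             "Auth.Host-MAC-Address=xyz12345678 src=x.x.x.xdevTimeFormat=MMM")


def check_leef(payload):
    """Return (fields, problems) for one raw payload line."""
    m = HEADER.search(payload)
    if not m:
        return {}, ["no LEEF:1.0 header with 5 pipe-delimited fields"]
    vendor, product, version, event_id, body = m.groups()
    fields = {"vendor": vendor, "product": product,
              "version": version, "eventId": event_id}
    problems = []
    for chunk in body.split("\t"):
        if not chunk.strip():
            continue
        key, sep, value = chunk.partition("=")
        if not sep or not KEY.match(key):
            problems.append(f"not key=value: {chunk!r}")
            continue
        # Heuristic: a second '=' inside a value suggests the tab between
        # two attributes is missing and they were read as one.
        if "=" in value:
            problems.append(f"fused attributes in {key!r}: {value!r}")
        fields[key] = value
    return fields, problems


if __name__ == "__main__":
    for name, line in (("GOOD", GOOD), ("AS_POSTED", AS_POSTED)):
        print(name, check_leef(line))
```

Run it against a raw capture of what reaches the log source rather than text copied from a web page, since copying can replace tab characters with spaces.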