Hello,
If you have a case number I can follow up and see where the investigation went.
Though looking at the payload in the example, it appears not to be in LEEF format thus the parser/DSM/Log source type is not able to understand the payload, which is causing these events to get categorised as STORED.
<135>Mar 01 14:53:03 x.x.x.x LEEF:1.0|Aruba Networks|ClearPass|6.9.4.130839|3010|messageId=36399-1-0Auth.Username=anonymous-outer Auth.Host-MAC-Address=xyz12345678 src=x.x.x.xdevTimeFormat=MMM
<135>Mar 01 14:53:03 x.x.x.x LEEF:1.0|Aruba Networks|ClearPass|6.9.4.130839|3010|messageId=36412-1-0Auth.Username=Someone Auth.Host-MAC-Address=xyz12345678 src=x.x.x.xdevTimeFormat=MMM
Sample Event: https://www.ibm.com/docs/en/dsm?topic=manager-aruba-clearpass-policy-sample-event-message
At the moment, the record types below are supported (https://www.ibm.com/docs/en/dsm?topic=networks-aruba-clearpass-policy-manager):
Session
Audit
System
Insight
Regards,
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
------------------------------
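A structural check for the point made in the reply above, as an added example that is not part of the original thread and is not IBM or Aruba code. It assumes the LEEF 1.0 layout (five pipe-terminated header fields, then tab-separated key=value attributes); `check_leef`, its heuristic and `GOOD_LINE` are constructed for illustration.

```python
# LEEF 1.0 layout: "LEEF:1.0|Vendor|Product|Version|EventID|" followed by
# TAB-separated key=value attributes.
HEADER_FIELDS = 5

def check_leef(line):
    """Return structural problems found in one syslog line; [] means well-formed."""
    start = line.find("LEEF:")
    if start < 0:
        return ["no LEEF header found"]
    parts = line[start:].split("|", HEADER_FIELDS)
    if len(parts) <= HEADER_FIELDS:
        return ["header truncated: expected %d pipe-terminated fields" % HEADER_FIELDS]
    problems = []
    if parts[0] != "LEEF:1.0":
        problems.append("not LEEF 1.0: %r" % parts[0])
    attrs = {}
    for tok in parts[HEADER_FIELDS].rstrip("\r\n").split("\t"):
        key, sep, value = tok.partition("=")
        if not sep or not key:
            problems.append("token is not key=value: %r" % tok[:40])
        elif "=" in value:
            # Heuristic (assumption): a second '=' inside one token usually
            # means the TAB between two pairs was lost or replaced.
            problems.append("pairs not tab-delimited: %r" % tok[:40])
        else:
            attrs[key] = value
    if "devTimeFormat" in attrs and "devTime" not in attrs:
        problems.append("devTimeFormat present without devTime")
    return problems

# First payload quoted in the reply above, exactly as it is rendered on this page.
PAGE_LINE = ("<135>Mar 01 14:53:03 x.x.x.x LEEF:1.0|Aruba Networks|ClearPass|"
             "6.9.4.130839|3010|messageId=36399-1-0Auth.Username=anonymous-outer "
             "Auth.Host-MAC-Address=xyz12345678 src=x.x.x.xdevTimeFormat=MMM")
# Constructed well-formed line (addresses and values are made up).
GOOD_LINE = ("<135>Mar 01 14:53:03 192.0.2.10 LEEF:1.0|Aruba Networks|ClearPass|"
             "6.9.4.130839|3010|messageId=1-1-0\tAuth.Username=alice\t"
             "src=192.0.2.20\tdevTime=Mar 01 2024 14:53:03\t"
             "devTimeFormat=MMM dd yyyy HH:mm:ss")

if __name__ == "__main__":
    for name, line in (("page", PAGE_LINE), ("good", GOOD_LINE)):
        print(name, check_leef(line) or "OK")
```

Running the same check over raw payloads exported from the log source shows whether the delimiters are missing at the source or only in a copied rendering.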
Original Message:
Sent: Wed March 06, 2024 05:17 AM
From: Khaled Nasr
Subject: Aruba ClearPass Policy Manager error messages in Qradar
Hello,
Thank you @Comghall Morgan for your reply
Kindly note that we already contacted support for this and they replied to us to contact Aruba Support.
We contacted Aruba support before that and they confirmed that there is nothing to modify on the Aruba side.
Note that we have all logs in the correct format except this type under the Radius category.
Thanks
------------------------------
Khaled Nasr
Original Message:
Sent: Tue March 05, 2024 05:32 AM
From: Comghall Morgan
Subject: Aruba ClearPass Policy Manager error messages in Qradar
Hello,
For this type of integration support we would need a support case to collect logs to help troubleshoot this issue.
Regards
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
Original Message:
Sent: Tue February 20, 2024 02:22 AM
From: Khaled Nasr
Subject: Aruba ClearPass Policy Manager error messages in Qradar
Hi Guys,
Kindly need support with the below issue:
We have Aruba ClearPass Manager integrated with QRadar and we are receiving a stored error.
We contacted Aruba support and there are no issues from the Aruba side.
Today I made a change [changed the protocol on the Aruba side from UDP to TCP and saved to test, then changed it again to UDP]. After this change, all incoming logs became stored and we are receiving an incomplete payload.
ClearPass version: 6.9.4.130839 - C2000V
Thanks.
------------------------------
Khaled Nasr
------------------------------