Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Question about the LEEF Clearpass message format

  • 1.  Question about the LEEF Clearpass message format

    Posted Sep 20, 2022 03:52 PM
    Hi,
    Can you explain what the field after version (3019 in the example) means? Identifies an event?
    LEEF:1.0|Aruba Networks|ClearPass|6.9.10.134806|3019|

    Regards


  • 2.  RE: Question about the LEEF Clearpass message format

    EMPLOYEE
    Posted Sep 21, 2022 09:36 AM
    It's the EventID. From this guide, the format of a LEEF message is:
    LEEF:Version|Vendor|Product|Version|EventID|

    There could be a message for the EventID at the end, but you either removed it, or there is no message.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
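The header layout described in the reply above, as an added parser example (not ClearPass, QRadar or forum code). It splits a LEEF 1.0 or 2.0 header into its pipe-delimited fields, takes the fifth field as the EventID, and then parses whatever key=value attributes follow (tab-separated in LEEF 1.0; in LEEF 2.0 a sixth header field names the delimiter, either literally or as a hex code such as x5E). The first sample is the header quoted in the thread; the second adds attribute pairs that are constructed for illustration and are not ClearPass's real field names.

```python
"""Parse LEEF 1.0 / 2.0 syslog messages and pull out the EventID.

Added example; not ClearPass or QRadar code. Sample messages below are
constructed: the attribute names in SAMPLE_WITH_ATTRS are made up.
"""
from dataclasses import dataclass, field
from typing import Dict

# Header exactly as quoted in the thread: no attributes after the EventID.
SAMPLE_HEADER_ONLY = "LEEF:1.0|Aruba Networks|ClearPass|6.9.10.134806|3019|"

# Constructed: same header with tab-separated attribute pairs appended
# (these key names are illustrative, not a real ClearPass message).
SAMPLE_WITH_ATTRS = SAMPLE_HEADER_ONLY + "\t".join(
    ["src=10.0.0.5", "usrName=alice", "cat=Example"]
)


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_leef(line: str) -> LeefEvent:
    """Parse one LEEF message; raises ValueError on a missing or truncated header."""
    # Syslog relays often prepend a PRI and timestamp; start at the LEEF tag.
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in message")
    body = line[start + len("LEEF:"):]

    # LEEF 1.0: Version|Vendor|Product|Version|EventID|attrs  (tab-delimited)
    # LEEF 2.0: Version|Vendor|Product|Version|EventID|Delim|attrs
    # maxsplit=5 keeps any '|' inside attribute values intact.
    parts = body.split("|", 5)
    if len(parts) < 5:
        raise ValueError("truncated LEEF header")
    leef_version, vendor, product, product_version, event_id = parts[:5]
    rest = parts[5] if len(parts) == 6 else ""

    delimiter = "\t"
    if leef_version == "2.0":
        # Sixth header field names the attribute delimiter. It may be given
        # literally ("^") or as a hex code ("x5E"); empty means the default tab.
        delim_field, _, rest = rest.partition("|")
        if delim_field:
            if delim_field[0] in "xX" and len(delim_field) > 1:
                delimiter = chr(int(delim_field[1:], 16))
            else:
                delimiter = delim_field

    attributes: Dict[str, str] = {}
    if rest:
        for pair in rest.split(delimiter):
            if not pair:
                continue
            key, sep, value = pair.partition("=")
            if sep:  # ignore malformed fragments with no '='
                attributes[key.strip()] = value
    return LeefEvent(leef_version, vendor, product, product_version, event_id, attributes)


if __name__ == "__main__":
    for sample in (SAMPLE_HEADER_ONLY, SAMPLE_WITH_ATTRS):
        ev = parse_leef(sample)
        print(f"EventID={ev.event_id} product={ev.product} {ev.product_version} "
              f"attrs={ev.attributes}")
```

For the header quoted in the thread the parser returns EventID `3019` with an empty attribute dict, which is exactly the "no message after the EventID" case the reply describes. Mapping an EventID to a description still needs a vendor or SIEM lookup table; nothing in this example supplies one.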



  • 3.  RE: Question about the LEEF Clearpass message format

    Posted Sep 21, 2022 10:25 AM
    Hi,
    Thanks.
    Yes, I removed the rest of the message. Where can we find a table with the correspondence?
    3019 description 3019
    3020 description 3020


  • 4.  RE: Question about the LEEF Clearpass message format

    EMPLOYEE
    Posted Sep 21, 2022 02:24 PM
    I'm not aware of such a table. LEEF is used to integrate with QRadar, and that has a translation table built in to parse the ClearPass messages.

    Most messages should be pretty obvious to understand, and there might be documentation available for SIEM vendors, but if you need that it would be best to work with Aruba Support or through your local Aruba Sales Team.

    ------------------------------
    Herman Robers
    ------------------------------