I'm not aware of such a table. LEEF is used to integrate with QRadar, and that has a translation table built in to parse the ClearPass messages.
Most messages should be pretty obvious to understand, and there might be documentation available for SIEM vendors, but if you need that it would be best to work with Aruba Support or through your local Aruba Sales Team.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 21, 2022 10:24 AM
From: edgar faria
Subject: Question about the LEEF Clearpass message format
Hi,
Thanks.
Yes, i removed the rest of the message. Where can we find a table with the correspondence?
3019 description 3019
3020 description 3020
Original Message:
Sent: Sep 21, 2022 09:35 AM
From: Herman Robers
Subject: Question about the LEEF Clearpass message format
It's the EventID. From this guide, the format of a LEEF message is:
LEEF:Version|Vendor|Product|Version|EventID|
There could be a message for the EventID at the end, but you either removed it, or there is no message.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 20, 2022 01:11 PM
From: edgar faria
Subject: Question about the LEEF Clearpass message format
Hi,
Can you explain what the field after version (3019 in the example) means? Identifies an event?
LEEF:1.0|Aruba Networks|ClearPass|6.9.10.134806|3019|
Regards