Occasional Contributor II

Ingress Events and Field Mapping

Hi,

I've created a new Ingress Events Dictionary, in which I parse logs.

In Monitoring » Live Monitoring » Access Tracker I see assigned values

event1.PNG

Unfortunately, when enforcing policies, it does not honor the mapped values.

event2.PNG

When I use pre-defined events that are mapped, everything works.

Is it possible to edit predefined events, or where can I create such type of events?


Accepted Solutions
MVP Expert

Re: Ingress Events and Field Mapping

I think you missed a small piece of code in your XML. You can download an example of another IEE dictionary from ClearPass and look for the Ruby code. You need to add it to your file and modify the line:

newFieldName = 'Event:Fortigate:'+ k

Rafael del Cerro Flores
ACMP, ACCP, ACDX#324, ACCX#711



All Replies
Moderator

Re: Ingress Events and Field Mapping

My guess is it's because blocked vs Blocked.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

MVP Expert

Re: Ingress Events and Field Mapping

Also check the XML: in the Access Tracker you have attributes as "Event:Action" and in the Enforcement Profile you're checking "Event:Fortigate:action".

In the Ingress Event Dictionary you need to add the "Pattern-Name" with the value "Fortigate" and confirm that it's also in the attributes that you show in the Access Tracker.


Rafael del Cerro Flores
ACMP, ACCP, ACDX#324, ACCX#711
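
Added example, not part of the original thread and not ClearPass's own dictionary script: a stand-alone Ruby check that applies the prefixing line quoted in the accepted solution and reports why a rule condition fails against a set of event attributes. The function names, the sample data and the assumption that names and values are compared exactly (case-sensitive) are hypothetical.

```ruby
# Added illustration, not ClearPass code. All names below are hypothetical.

# Prefix every parsed key the way the line quoted in the thread does:
#   newFieldName = 'Event:Fortigate:' + k
def namespace_fields(parsed, pattern_name)
  parsed.each_with_object({}) do |(k, v), out|
    out["Event:#{pattern_name}:" + k] = v
  end
end

# Explain why a rule condition {name:, value:} does or does not match.
# Assumption: names and values are compared exactly (case-sensitive).
def diagnose(attributes, condition)
  name = condition[:name]
  wanted = condition[:value]
  if attributes.key?(name)
    actual = attributes[name]
    return [:match, name] if actual == wanted
    return [:value_case_differs, actual] if actual.casecmp?(wanted)
    return [:value_differs, actual]
  end
  # Name not present: look for an attribute with the same final segment,
  # e.g. "Event:Action" when the rule asks for "Event:Fortigate:action".
  leaf = name.split(':').last
  near = attributes.keys.find { |k| k.split(':').last.casecmp?(leaf) }
  near ? [:name_differs, near] : [:name_missing, nil]
end

# Constructed sample data modelled on the names mentioned in the thread.
PARSED = { 'action' => 'blocked', 'srcip' => '192.0.2.10' }.freeze
UNPREFIXED = { 'Event:Action' => 'blocked' }.freeze
RULE = { name: 'Event:Fortigate:action', value: 'Blocked' }.freeze

if __FILE__ == $PROGRAM_NAME
  # Attribute name lacks the pattern-name segment the rule expects.
  p diagnose(UNPREFIXED, RULE)
  # After prefixing, the name resolves but the value case still differs.
  prefixed = namespace_fields(PARSED, 'Fortigate')
  p diagnose(prefixed, RULE)
  # With name and value both aligned, the condition matches.
  p diagnose(prefixed, RULE.merge(value: 'blocked'))
end
```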
Occasional Contributor II

Re: Ingress Events and Field Mapping

I added the "Pattern-Name" attribute as "fortigate".
Unfortunately, nothing has changed.

cppm4.PNG

cppm5.PNG

MVP Expert

Re: Ingress Events and Field Mapping

Can you share the XML?


Rafael del Cerro Flores
ACMP, ACCP, ACDX#324, ACCX#711
Occasional Contributor II

Re: Ingress Events and Field Mapping

Here you are
