Aruba Networks
Aruba Networks is a subsidiary of Hewlett Packard (HP). HP Aruba provides enterprise network access and switching hardware, and those devices are the focus of this app.
App Function
First, this app attempts to recognize log messages as coming from an HP Aruba device. It does this in two ways: either by observing that the incoming syslog message "program" field is a numeric code (an Aruba Message ID), or by determining that the log message text matches the Aruba message template (examples given below).
If the log message is recognized as originating from an HP Aruba device, the log message "program" field is changed to HP_Switch, the Aruba event id is prepended to the log message text, and user tags are set as explained below.
Secondarily, the app has a minor function for "SSH Telnet" events, in which the app will extract the source IP of the incoming SSH connection and correspondingly set the SrcIP user tag.
Vendor Documentation
- HP Aruba - Network switches for enterprise
- Aruba Central - How to Configure Logs and TFTP Dump Servers
Incoming Log Format
The incoming log messages are received through syslog as standard syslog messages. The message text itself consists first of a date-timestamp followed by an IP address. This primary date-timestamp and IP may be followed by a second pair of similar fields. The secondary date-timestamp may not equal the primary date-timestamp but usually is within a few seconds.
Next, the log message text is usually followed with the Aruba event id. In certain cases this does not hold true, and at the moment log messages falling in this category are not processed.
After the event id is a type code, followed by :, then a phrase indicating the particular log event details. This phrase may contain data such as IP addresses or port numbers, but the contents are not delimited in any way and are not in fixed locations.
Parsed Metadata Fields
With the exception of SSH access messages (explained below), the only field parsed from the Aruba event messages is the Aruba event id. However, this Aruba event id is used to look up the corresponding Aruba event category name. User tags are set for these two elements.
The exception for SSH access messages as mentioned above is that there is a single field parsed from messages of that type: the source IP initiating the SSH connection.
Tagged | Tag Name | Example | Description |
---|---|---|---|
☑ | HP Event ID | 00419 | the Aruba event id of the log message |
☑ | HP Category | Authentication | the category of this event |
☑ | SrcIP | 192.168.0.1 | source IPv4 address of the SSH connection |
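The recognition and tagging steps described above can be sketched as follows. This is an added example, not the app's own code: the regular expressions, the function name `process`, the space used when prepending the event id, and the two-entry category map are assumptions, and the sample line is the Telnet example from this page joined onto one line.

```python
import ipaddress
import re

# Assumed template for the layout this page describes:
# <timestamp> <ip> [<timestamp> <ip>] <event id> <type code>: <details>
_TS = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ARUBA_TEMPLATE = re.compile(
    rf"^{_TS}\s+{_IP}\s+(?:{_TS}\s+{_IP}\s+)?"
    r"(?P<event_id>\d+)\s+(?P<type>[^\s:]+):\s*(?P<details>.*)$",
    re.ASCII | re.DOTALL,
)
# Assumed pattern for the source address in SSH/Telnet session messages.
SESSION_SRC = re.compile(rf"\b(?:SSH|TELNET)\b.*?\bfrom\s+({_IP})", re.ASCII | re.I)

# Constructed placeholder map; the app's real id-to-category table is not on this page.
CATEGORY_BY_ID = {"00179": "Telnet", "00419": "Authentication"}


def process(program, message):
    """Return (program, message, tags); unrecognized input comes back unchanged."""
    match = ARUBA_TEMPLATE.match(message)
    if program.isascii() and program.isdigit():
        event_id = program                  # "program" already is the Message ID
    elif match:
        event_id = match.group("event_id")  # recognized by the message template
    else:
        return program, message, {}         # no event id found: not processed
    tags = {"HP Event ID": event_id}
    if event_id in CATEGORY_BY_ID:
        tags["HP Category"] = CATEGORY_BY_ID[event_id]
    # The details phrase is undelimited, so the address is searched for, not indexed.
    src = SESSION_SRC.search(match.group("details") if match else message)
    if src:
        try:  # tag only well-formed IPv4 addresses (rejects e.g. 999.1.1.1)
            tags["SrcIP"] = str(ipaddress.IPv4Address(src.group(1)))
        except ipaddress.AddressValueError:
            pass
    return "HP_Switch", f"{event_id} {message}", tags


# Sample line taken from the Telnet example on this page, joined onto one line.
SAMPLE = ("Jul 2 04:32:53 192.168.1.59 Jul 2 03:32:54 192.168.1.59 "
          "00179 mgr: SME TELNET from 192.168.0.100 - MANAGER Mode")
```

Validating the extracted address before tagging keeps malformed text in the free-form details phrase out of the SrcIP field that searches and alerts would key on.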
Log Examples
Incoming Telnet Connection
Jul 2 04:32:53 192.168.1.59 Jul 2 03:32:54 192.168.1.59 00179 mgr: SME TELNET from 192.168.0.100 - MANAGER Mode
Port Going Off-Line
Packet Errors
Aruba Categories
Category |
---|
802.1x |
Accounting |
ACL |
Activate |
Address Manager |
AMP Server |
ARP Protect |
ARP Throttle |
Authentication |
Autorun |
BFD |
BGP |
BPDU |
Bridge |
BYOD Redirect |
Captive Portal |
CDP |
Central |
Chassis |
connfilt |
Console |
COS |
Crypto |
DCA |
DHCP |
DHCP Server |
DHCP Snoop |
DHCPv6 Snoop |
DHCPv6c |
DHCPv6r |
DIPLDv6 |
DLDP |
DMA |
Download |
DT |
Dynamic IP |
Fault |
GARP |
GVRP |
HPESP |
HPESP Cert Mgr |
HTTP |
IDM |
IGMP |
Instrumentation Monitor |
InSysProg |
IP |
IP Address Manager |
IP SLA |
IPSec |
Job Scheduler |
KMS |
LACP |
Licensing |
LLDP |
LLDP MAD |
Load Balancer |
Loop Protect |
MAC Lock |
MACsec |
Manager |
mDNS |
MLD |
MTM |
MVRP |
ND Snoop |
NETINET |
NTP |
OOBM |
OpenFlow |
OSPF |
OSPF3 |
PIM |
Policy |
Ports |
Profile Manager |
psDetect |
QinQ |
RA Guard |
RADIUS |
Rate Limiting |
RIP |
RIPng |
Secure Mode |
Service Tunnel |
sFlow |
SFTP |
Smart Link |
SNMP |
SNTP |
Source IP |
Spanning Tree |
SSH |
SSL |
Stacking |
System |
TACACS |
Telnet |
TFTP |
TimeP |
TLS |
TR-069 |
Transparent Mode |
Tunneled Node |
UDLD |
UDP Forwarder |
UFD |
Update |
USB |
VLAN |
VRRP |
VSF |
VxLAN Tunnel |
Xmodem |