Parsers and Generated Fields
Tag Fields Created by Parser aruba-clearpass
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aruba-clearpass
| Vendor Field | CPS Field | Description |
|---|---|---|
| `event.category[]` | Array | Vendor.Category |
| `event.type[]` | Array | Vendor.Action, Vendor.Category |
| `event.action` | Copied | Vendor.Action |
| `event.id` | Copied | Vendor.eventId |
| `observer.version` | Copied | Vendor.swVersion |
| `event.outcome` | Determined | Vendor.Action |
| `client.ip` | Extracted | Vendor.Endpoint.IP-Address, Vendor.Description |
| `client.mac` | Extracted | Vendor.Endpoint.MAC-Address |
| `error.message` | Extracted | Vendor.Description |
| `file.name` | Extracted | Vendor.Description |
| `observer.ip` | Extracted | Vendor.RADIUS.Acct-NAS-IP-Address |
| `observer.port` | Extracted | Vendor.RADIUS.Acct-NAS-Port |
| `server.address` | Extracted | Vendor.Description |
| `server.ip` | Extracted | Vendor.CppmNode.CPPM-Node |
| `source.ip` | Extracted | Vendor.RADIUS.Acct-Framed-IP-Address, Vendor.TACACS.Request-Type, Vendor.WEBAUTH.Host-IP-Address, Vendor.Description |
| `source.port` | Extracted | Vendor.Description |
| `user.domain` | Extracted | Vendor.Common.Username |
| `user.name` | Extracted | Vendor.RADIUS.Acct-Username, Vendor.Endpoint.Username, Vendor.Common.Username, Vendor.Description |
| `user.role` | Extracted | Vendor.Description |
| `@timestamp` | Parsed | @timestamp |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| Vendor.Action | event.action | |
| Vendor.eventId | event.id | |
| Vendor.swVersion | observer.version |