PORT_ACCESS Events

Vendor Documentation

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-8214/Content/fir-int.htm

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-8214.pdf

Classification

Rule Name	Rule Type	Common Event	Classification
PORT_ACCESS Events	Base Rule	General PORT Message	Information

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Event ID	<vmid>	Number	Event ID 10501, 10502, 10503, 10504, 10505, 10506, 10507, 10508, 10509, 10510, 10511, 10512, 10513, 10514, 10515, 10516, 10517, 10518, 10519, 10520, 10521, 10522, 10523, 10524, 10525, 10526, 10527, 10528, 10529, 10530, 10531, 10532, 10533, 10534, 10535
Severity	<severity>	Text/String	For All: Information For 10508, 10509, 10535: Error For 10536: Warning
Message	<subject> <dmac>	Text/String	Event ID 10501: Client was logged-off administratively through command-line interface
	<subject> <dport>	Text/String/Number	Event ID 10502: The port is blocked by port-access daemon
	<subject> <dport>	Text/String/Number	Event ID 10503: The port is unblocked by port-access daemon
	<subject> <dport> <action>	Text/String/Number	Event ID 10504: The authentication mode associated with the port is changed
	<subject> <dport> <size>	Text/String/Number	Event ID 10505: The client limit associated with the port is changed
	<subject> <objectname> <object>	Text/String	Event ID 10506: The name associated with a VLAN in use by port-access daemon changed
	<subject> <policy>	Text/String	Event ID 10507: The policy configuration is updated by the user
	<subject> <dport>	Text/String/Number	Event ID 10508: VLAN is configured as Trunk for some clients and access for others. This could potentially result in traffic loss
	<subject> <dinterface>	Text/String/Number	Event ID 10533: The interface is blocked by port-access daemon
	<subject> <dinterface>	Text/String/Number	Event ID 10534: The interface is unblocked by port-access daemon