Hp Aruba

LogZilla App Store application: Hp Aruba

Overview

HPE Aruba Networking (formerly HP ProCurve) provides enterprise network access and switching hardware. The HPE Aruba app processes log messages from HPE Aruba switches running ArubaOS-Switch (formerly ProVision) firmware, extracting event information and creating user tags for security monitoring, network operations, and system administration.

Supported devices include Aruba 2530, 2540, 2920, 2930F, 2930M, 3800, 3810, 5400R zl2 Series, and legacy HPE 3500, 5406zl, 5412zl, 6200yl, 6600, 8206, 8212 Series switches.

App Function

  • Parse Aruba syslog messages using numeric event IDs and message patterns
  • Extract metadata tags for filtering and analysis
  • Categorize events by Event Class (auth, security, network, system)
  • Map security events to MITRE ATT&CK techniques
  • Provide dashboards for Network, Security, and System monitoring
  • Alert on critical security threats, authentication failures, and hardware events

Vendor Documentation

Device Configuration

Configure the HPE Aruba switch to send logs to LogZilla:

```text
configure terminal
logging <logzilla-ip>
logging severity info
write memory
```

For detailed options, refer to the ArubaOS-Switch Management and Configuration Guide.

Incoming Log Format

Aruba switches send log messages in standard syslog format. The message body typically follows this pattern:

  1. Primary timestamp and IP - Initial date-timestamp and IP address
  2. Secondary timestamp and IP - Optional second pair (usually within seconds of primary)
  3. Event ID - Aruba-specific numeric event identifier (e.g., "00331")
  4. Category code - Category identifier followed by colon (e.g., "FFI:")
  5. Event details - Descriptive text with event-specific information

Example raw message:

```text
Jul 21 10:01:24 192.168.1.24  Jul 21 11:01:21 192.168.1.24 00331 FFI: port 24-High collision or drop rate. See help.
```

Parsed Metadata Fields

| Tag Name | Example | Description |
|---|---|---|
| Vendor | HPE | Device vendor |
| Product | Aruba Switch | Device product |
| Event Class | security | Event classification (auth/security/network/system) |
| Aruba Category | ARP Protect | ArubaOS-Switch event category |
| MitreId | T1557.002 | MITRE ATT&CK technique ID |
| MITRE Tactic | Credential Access | MITRE ATT&CK tactic |
| VLAN | Vlan100 | VLAN identifier |
| SrcIP | 192.168.0.1 | Source IP address (HC) |
| User | admin | Username from auth events (HC) |

Log Examples

SSH Connection (auth)

```text
Jul 20 14:45:40 192.168.1.76 00179 mgr: SME SSH from 192.168.2.235 - MANAGER Mode
```

ARP Protection Violation (security)

```text
Jul 15 10:23:45 192.168.1.50 00911 arp-protect: Deny ARP REQUEST 00:11:22:33:44:55,10.0.0.100 port 24 vlan 100
```

Port State Change (network)

```text
Jul  2 04:08:40 192.168.1.132 00077 ports: port 4 is now off-line
```

Chassis Event (system)

```text
Jul 10 08:15:22 192.168.1.1 00350 chassis: Fan 1 failed
```

Dashboards

| Dashboard | Description |
|---|---|
| HPE Aruba: Network | Port events, STP, routing protocols, VLANs |
| HPE Aruba: Security | MITRE threats, auth failures, users, source IPs |
| HPE Aruba: System Health | Chassis, stack/VSF, NTP, SNMP events |

Triggers

| Trigger | Description |
|---|---|
| HPE Aruba: MITRE ATT&CK Threat Detected | Security event with MITRE technique mapping |
| HPE Aruba: ARP Spoofing Detected | ARP protection violation (T1557.002) |
| HPE Aruba: Authentication Failure | 802.1x or credential failure (T1110) |
| HPE Aruba: Unauthorized Device | MAC lock or rogue device (T1200) |
| HPE Aruba: Network DoS Detected | Flood or DoS attack (T1499) |
| HPE Aruba: Port State Change | Port online/offline events |
| HPE Aruba: Spanning Tree Event | STP topology changes |
| HPE Aruba: Chassis Alert | Hardware failure or status change |
| HPE Aruba: Stack/VSF Event | High availability state change |

Event Class Mapping

| Event Class | Aruba Categories |
|---|---|
| auth | 802.1x, Authentication, SSH, Telnet, Console, Manager, RADIUS, TACACS |
| security | ARP Protect, ARP Throttle, MAC Lock, Loop Protect, BPDU, ACL, MACsec |
| network | Ports, Spanning Tree, OSPF, BGP, VLAN, LACP, LLDP, VRRP, PIM, IGMP |
| system | Chassis, System, Stacking, VSF, Fault, Licensing, Update, NTP, SNMP |
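The following Python script is an added, stand-alone illustration of the parsing described under Incoming Log Format, the tags listed under Parsed Metadata Fields, and the class assignment in the Event Class Mapping table. It is not LogZilla's own rule code. It assumes the five-field message pattern from this page (optional second timestamp/IP pair, five-digit event ID, category code followed by a colon, free-text details) and maps only the four category codes that appear in this page's own log examples (mgr, arp-protect, ports, chassis) onto the page's event classes; any other code, such as FFI in the raw example, is reported as "unknown". The sample messages are constructed copies of the page's examples joined onto single lines.

```python
import re
from typing import Optional

# Constructed samples mirroring this page's log examples (not captured from a device).
SAMPLES = [
    "Jul 21 10:01:24 192.168.1.24  Jul 21 11:01:21 192.168.1.24 00331 FFI: port 24-High collision or drop rate. See help.",
    "Jul 20 14:45:40 192.168.1.76 00179 mgr: SME SSH from 192.168.2.235 - MANAGER Mode",
    "Jul 15 10:23:45 192.168.1.50 00911 arp-protect: Deny ARP REQUEST 00:11:22:33:44:55,10.0.0.100 port 24 vlan 100",
    "Jul  2 04:08:40 192.168.1.132 00077 ports: port 4 is now off-line",
    "Jul 10 08:15:22 192.168.1.1 00350 chassis: Fan 1 failed",
]

# Syslog timestamp ("Jul  2 04:08:40" pads single-digit days with a space) and IPv4 address.
_TS = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Fields 1-5 from the page: primary timestamp/IP, optional secondary pair,
# five-digit event ID, category code with trailing colon, event details.
MESSAGE_RE = re.compile(
    rf"^(?P<ts1>{_TS}) (?P<ip1>{_IP})\s+"
    rf"(?:(?P<ts2>{_TS}) (?P<ip2>{_IP})\s+)?"
    rf"(?P<event_id>\d{{5}}) (?P<category>[\w-]+): (?P<details>.*)$"
)

# Assumption: category codes seen in this page's examples mapped onto the
# page's Event Class table (Manager -> auth, ARP Protect -> security, ...).
CATEGORY_CLASS = {
    "mgr": "auth",
    "arp-protect": "security",
    "ports": "network",
    "chassis": "system",
}

# Tag extraction patterns for details text; "from <ip>" yields SrcIP,
# "vlan N" yields the VlanN form shown in the metadata table.
_SRC_IP_RE = re.compile(rf"\bfrom ({_IP})\b")
_VLAN_RE = re.compile(r"\bvlan (\d+)\b", re.IGNORECASE)
_PORT_RE = re.compile(r"\bport (\d+)\b", re.IGNORECASE)


def parse_aruba_message(line: str) -> Optional[dict]:
    """Return the parsed message and its tags, or None if the line does not match."""
    m = MESSAGE_RE.match(line.strip())
    if m is None:
        return None
    details = m["details"]
    tags = {
        "Vendor": "HPE",
        "Product": "Aruba Switch",
        "EventID": m["event_id"],
        "Aruba Category": m["category"],
        "Event Class": CATEGORY_CLASS.get(m["category"], "unknown"),
    }
    if src := _SRC_IP_RE.search(details):
        tags["SrcIP"] = src.group(1)
    if vlan := _VLAN_RE.search(details):
        tags["VLAN"] = f"Vlan{vlan.group(1)}"
    if port := _PORT_RE.search(details):
        tags["Port"] = port.group(1)
    return {
        "timestamp": m["ts1"],
        "device_ip": m["ip1"],
        "secondary_timestamp": m["ts2"],  # None when the switch sends a single pair
        "details": details,
        "tags": tags,
    }


def event_class_counts(lines) -> dict:
    """Count parsed messages per Event Class; unparseable lines are skipped."""
    counts: dict = {}
    for line in lines:
        parsed = parse_aruba_message(line)
        if parsed is None:
            continue
        cls = parsed["tags"]["Event Class"]
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_aruba_message(sample))
    print(event_class_counts(SAMPLES))
```

Lines that do not fit the pattern return None rather than raising, so a batch of mixed syslog traffic can be run through `event_class_counts` without one malformed message stopping the whole pass; an "unknown" class in the output is the signal that a category code still needs an entry in the mapping.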