Device Configuration: Aruba Controller

TABLE OF CONTENTS

• Overview
• Prerequisites
• Syslog Configuration on Aruba Controller
• Verification (MSSP Only)

Overview

Aruba Controllers can be configured to forward syslogs to an external collector. This guide provides the steps to integrate Aruba Controllers with ADR SIEM using Syslog forwarding to the CCE (Collection and Control Engine) for centralized monitoring, threat detection, and compliance reporting.

Prerequisites

• Aruba Controller admin credentials (Web UI or CLI).

• CCE IP address (ADR Collector).

• Ensure UDP 514 is open between the Aruba Controller and the ADR CCE.

• ADR SIEM UI access with admin privileges.

Syslog Configuration on Aruba Controller

Option A: CLI Method

1. SSH into the Aruba Controller with admin credentials.

2. Enter configuration mode:

   configure terminal

3. Define the syslog server:

   logging <CCE_IP> severity informational

   • Replace <CCE_IP> with your ADR CCE IP.

   • severity informational ensures all events are captured.

4. Save the configuration:

   write memory

Option B: Web UI Method

1. Log in to the Aruba Controller Web UI.

2. Navigate to:
   Configuration → Management → Syslog Servers

3. Click Add and provide the following details:

   • IP Address: ADR CCE IP

   • Port: 514

   • Transport: UDP

   • Facility: Local0 (or as required)

   • Severity: Informational

4. Click Apply and then Save Configuration.

Verification (MSSP Only)

On CCE (CLI)

Run the following to confirm logs are arriving:

sudo tcpdump -i any port 514 and host <Aruba_Controller_IP> -AAA

On ADR SIEM UI

1. Go to System → Logs and Flows Collection Status.

2. Look under Source Device IP to confirm logs from Aruba Controller are ingested.