Aruba Wireless Controller
Aruba wireless controller syslog — client association/disassociation, 802.1X/web/MAC authentication, AP up/down events, WIDS rogue AP detection, and ARM radio channel management across 20 access points.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-wireless-aruba/generator.yml \
  --id aruba-wlan \
  --live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| 522008 | Auth Success (RADIUS) | ~24.9% | authentication |
| 501030 | Station Associated | ~19.7% | network |
| 501199 | User Authenticated with Role | ~19.8% | authentication |
| 501060 | Station Disassociated | ~14.7% | network |
| 501080 | User De-authenticated | ~7.9% | authentication |
| 501217 | User Entry Deleted | ~7.9% | authentication |
| 522275 | Auth Failed | ~1.6% | authentication |
| 500010 | ARM Channel Change | ~1.2% | configuration |
| 302004 | AP Up | ~0.8% | configuration |
| 404003 | Interfering AP Detected | ~0.8% | intrusion_detection |
| 124001 | Rogue AP Detected (WIDS) | ~0.5% | intrusion_detection |
| 302006 | AP Down | ~0.3% | configuration |
Realism Features
- Correlated client sessions — association events store session context that the matching disassociation events consume
- Multiple SSIDs — Corp-WiFi (802.1X, 55%), Guest-WiFi (web-auth, 20%), IoT-Network (MAC-auth, 15%)
- 20 access points across 3 buildings (HQ, DC, Branch)
- Rogue AP detection — random SSIDs (NETGEAR-5G, linksys, FreeWiFi) with confidence levels
- ARM channel changes — 2.4GHz: 1/6/11, 5GHz: 36-165 with interference-based reasons
- Authentication failure scenarios — 60% real users (expired creds), 40% unknown/attacker usernames
Sample Output
{
  "@timestamp": "2026-02-22T17:46:52+00:00",
  "event": {
    "action": "user-authentication-successful",
    "category": ["authentication"],
    "code": "522008",
    "outcome": "success"
  },
  "aruba": {
    "wireless": {
      "ap_name": "AP-HQ-F2-01",
      "auth_method": "802.1x",
      "ssid": "Corp-WiFi",
      "vlan": 100
    }
  },
  "user": { "name": "jsmith" },
  "observer": {
    "product": "ArubaOS",
    "type": "wireless",
    "vendor": "Aruba"
  }
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| controller_hostname | aruba-mc01 | Controller hostname |
| controller_ip | 192.168.1.1 | Controller management IP |
| agent_id | b2c3d4e5-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
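A consumer-side check for the generated stream, as an added example that is not part of the content pack: it separates 522275 failures for usernames that have a successful 522008 event from failures for usernames never seen authenticating, following the split described under Realism Features, and counts WIDS detections. It assumes 522275 events use the same `event.code`, `user.name` and `aruba.wireless.ap_name` layout as the 522008 sample; the sample lines, the `admin` username, the `AP-DC-F1-02` name and the `triage` function are constructed here.

```python
import json
from collections import Counter, defaultdict

AUTH_OK, AUTH_FAIL = "522008", "522275"  # codes from the Event Types table
WIDS_CODES = {"124001", "404003"}        # rogue AP, interfering AP

# Constructed sample, one JSON event per line, reduced to fields the Sample
# Output shows. Assumption: 522275 events carry user.name and ap_name too.
SAMPLE = """\
{"event": {"code": "522008"}, "user": {"name": "jsmith"}, "aruba": {"wireless": {"ap_name": "AP-HQ-F2-01"}}}
{"event": {"code": "501030"}, "aruba": {"wireless": {"ap_name": "AP-HQ-F2-01"}}}
{"event": {"code": "522275"}, "user": {"name": "jsmith"}, "aruba": {"wireless": {"ap_name": "AP-HQ-F2-01"}}}
{"event": {"code": "522275"}, "user": {"name": "admin"}, "aruba": {"wireless": {"ap_name": "AP-HQ-F2-01"}}}
{"event": {"code": "522275"}, "user": {"name": "admin"}, "aruba": {"wireless": {"ap_name": "AP-DC-F1-02"}}}
{"event": {"code": "124001"}, "aruba": {"wireless": {"ap_name": "AP-DC-F1-02"}}}
"""

def _field(event, *path, default=None):
    """Walk nested dict keys, returning default when any level is missing."""
    for key in path:
        if not isinstance(event, dict) or key not in event:
            return default
        event = event[key]
    return event

def triage(lines):
    """Classify failed logins by whether the username ever authenticated."""
    events = [json.loads(line) for line in lines if line.strip()]
    # First pass: usernames with at least one successful RADIUS auth.
    known = {_field(e, "user", "name") for e in events
             if _field(e, "event", "code") == AUTH_OK}
    known.discard(None)
    report = {"known_user_failures": Counter(),
              "unknown_user_failures": defaultdict(set),
              "wids_alerts": Counter()}
    # Second pass: bucket failures and count WIDS detections by code.
    for e in events:
        code = _field(e, "event", "code")
        if code == AUTH_FAIL:
            name = _field(e, "user", "name", default="<missing>")
            ap = _field(e, "aruba", "wireless", "ap_name", default="<missing>")
            if name in known:
                report["known_user_failures"][name] += 1
            else:
                report["unknown_user_failures"][name].add(ap)
        elif code in WIDS_CODES:
            report["wids_alerts"][code] += 1
    return report

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

The known-user set is only as complete as the window of events passed in, so a real account with no successful login in that window lands in the unknown bucket.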
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.