Aruba Introspect


The JSA DSM for Aruba Introspect collects events from an Aruba Introspect device.

The following table describes the specifications for the Aruba Introspect DSM:

Table 1: Aruba Introspect DSM Specifications

Specification                 Value
DSM name                      Aruba Introspect
RPM file name                 DSM-ArubaIntrospect--JSA_versionbuild_number.noarch.rpm
Supported versions
Event format                  Name-value pair (NVP)
Recorded event types          Internal Activity
                              Command & Control
Automatically discovered
Includes identity
Includes custom properties?
More information

To integrate Aruba Introspect with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs, in the order that they are listed, on your JSA Console:
    • DSMCommon RPM

    • ArubaIntrospect DSM RPM

  2. Configure your Aruba Introspect device to send syslog events to JSA.
  3. If JSA does not automatically detect the log source, add an Aruba Introspect log source on the JSA Console. The following table describes the parameters that require specific values for Aruba Introspect event collection:

    Table 2: Aruba Introspect DSM Specifications

    Parameter                 Value
    Log Source type           Aruba Introspect
    Protocol Configuration
    Log Source Identifier     A unique identifier for the log source.

  4. To verify that JSA is configured correctly, review the following table to see an example of a parsed event message.

    The following table shows a sample event message for Aruba Introspect:

    Table 3: Aruba Introspect Sample Event Message

    Event name                Cloud Exfiltration
    Low level category        Suspicious Activity
    Sample log message

    May 6 20:04:38 <Server> May 7 03:04:38 lab-an-node msg_type=alert detection_time= "2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" alert_type="Cloud Exfiltration" alert_category= "Network Access" alert_severity=60 alert_confidence=20 attack_stage =Exfiltration user_name=<Username> src_ip=<Source_IP_address>dest_ip



    ="User<Username>on host uploaded 324.678654 MB to Dropbox on May 05, 2016; compared with users in the whole Enterprise who uploaded an average of 22.851 KB during the same day" alert_id=xxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxx_xxxxxxxx xxxxxxxx_Large_DropBox_Upload
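The sample message mixes quoted values, bare values, and stray spaces around `=`. The following Python parser is an added example, not part of the original page or of JSA; the function names, the constructed sample line, and its placeholder host, user, addresses and alert_id are assumptions.

```python
import re

# A key, optional space before '=', then either a quoted value (which may be
# preceded by whitespace, as in `detection_time= "..."`) or a bare token that
# runs to the next space. Text inside quotes is never rescanned for keys.
_NVP = re.compile(r'(\w+)\s*=(?:\s*"((?:[^"\\]|\\.)*)"|(\S*))')

# Field names taken from the sample message in Table 3.
EXPECTED = ("msg_type", "detection_time", "alert_name", "alert_type",
            "alert_category", "alert_severity", "alert_confidence",
            "attack_stage", "user_name", "src_ip", "dest_ip", "alert_id")
INT_FIELDS = ("alert_severity", "alert_confidence")

# Constructed sample: host, user, addresses and alert_id are placeholders.
SAMPLE = (
    'May 6 20:04:38 collector.example May 7 03:04:38 lab-an-node msg_type=alert '
    'detection_time= "2016-05-06 20:04:23 -07:00" '
    'alert_name="Large DropBox Upload" alert_type="Cloud Exfiltration" '
    'alert_category= "Network Access" alert_severity=60 alert_confidence=20 '
    'attack_stage =Exfiltration user_name=jdoe src_ip=192.0.2.10 '
    'dest_ip=198.51.100.20 alert_id=CONSTRUCTED_ID_Large_DropBox_Upload'
)

def parse_nvp(line):
    """Return the name-value pairs found in one syslog line as a dict."""
    fields = {}
    for m in _NVP.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    # Severity and confidence are numeric; convert them for threshold checks.
    for key in INT_FIELDS:
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    return fields

def missing_fields(fields):
    """List expected alert fields that are absent or empty."""
    return [k for k in EXPECTED if fields.get(k) in (None, "")]

if __name__ == "__main__":
    parsed = parse_nvp(SAMPLE)
    print(parsed["alert_type"], parsed["alert_severity"], missing_fields(parsed))
```

Running `missing_fields` over lines captured at the collector shows which fields a truncated or filtered alert has lost before it reaches the log source.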

Configuring Aruba Introspect to Communicate with JSA

Before JSA can collect events from Aruba Introspect, you must configure Aruba Introspect to send events to JSA.

  1. Log in to the Aruba Introspect Analyzer.
  2. Configure forwarding.
    1. Click System Configuration > Syslog Destinations.

    2. Configure the following forwarding parameters:

    Table 4: Aruba Introspect Analyzer Forwarding Parameters

    Parameter                 Value
    Syslog Destination        IP or host name of the JSA Event Collector.

                              TCP or UDP


  3. Configure notification.
    1. Click System Configuration > Security Alerts / Emails > Add New.

    2. Configure the following notification parameters:

    Table 5: Aruba Introspect Analyzer Notification Parameters

    Parameter                        Value
    Enable Alert Syslog Forwarding   Enable the Enable Alert Syslog Forwarding check box.
    Sending Notification             As Alerts are produced.
                                     You can customize this setting to send in batches instead of a live stream.

                                     Your local time zone.

    Leave Query, Severity, and Confidence values as default to send all Alerts. These values can be customized to filter out and send only a subset of Alerts to JSA.

To help you troubleshoot, you can look at the forwarding logs in the /var/log/notifier.log file.

When a new notification is created, as described in Step 3, alerts for the last week that match the Query, Severity, and Confidence fields are sent.