01-29-2015 05:34 AM
I have an Aruba controller site that I'm migrating to an IAP 103 cluster with 6 APs. I had the controller logging Syslog to our SIEM. I set the IAPs to send syslog messages to the same server but I was getting strange results. When I captured the raw syslog messages to another server, I found that some of the messages weren't being sent.
Here is a snippet of the log:
Jan 28 00:06:54 2015 10.4.8.137 stm: <124006> <WARN> <10.4.8.137 94:B4:0F:C3:F4:00> UDP srcip=10.4.158.129 srcport=137 dstip=10.2.1.2 dstport=137, action=deny
Jan 28 00:07:00 2015 10.4.8.16 <10.4.8.16 94:B4:0F:C3:F4:DC> syslog: ntpclient(rfc1305print:297): set time from 1422421620.872903 to 1422421620.945485(reference: 3631410395.0347201720, originate: 3631410420.3743673874, receive: 3631410420.4062348431, transmit: 3631410420.4062348431, our-recv: 3631410420.3749076943).
Jan 28 00:07:14 2015 10.4.8.137 cli: <341004> <WARN> <10.4.8.137 94:B4:0F:C3:F4:00> apprf: send data to server.
As you can see, the middle one had a different format and it's throwing off the SIEM.
My IAPs are ArubaOS (MODEL: 103), Version 18.104.22.168-22.214.171.124
and the logging is
syslog-level warn ap-debug
syslog-level warn network
syslog-level debug security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
Any ideas? I was going to open up a TAC case just in case this is a bug, but I wanted to make sure it wasn't a config issue before.
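Added example, not part of the original post and not Aruba's documented syslog format: a Python pre-parser that accepts both line layouts seen in the snippet above and flags anything else, so mixed-format lines are normalized instead of dropped before they reach the SIEM. The two layouts are inferred only from the three sample lines; `parse_line`, `TAGGED` and `UNTAGGED` are hypothetical names.

```python
import re
from datetime import datetime

# Common prefix: "Jan 28 00:06:54 2015 10.4.8.137 "
HEAD = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<host>\S+) "
# AP identity block: "<10.4.8.137 94:B4:0F:C3:F4:00>"
AP = (r"<(?P<ap_ip>\d{1,3}(?:\.\d{1,3}){3}) "
      r"(?P<ap_mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})>")

# Layout 1 (assumed): process, <message id>, <severity>, <ap ip mac>, text
TAGGED = re.compile(HEAD + r"(?P<proc>[\w-]+): <(?P<msg_id>\d+)> "
                    r"<(?P<severity>[A-Z]+)> " + AP + r" (?P<msg>.*)$")
# Layout 2 (assumed): <ap ip mac> first, then process, no id or severity
UNTAGGED = re.compile(HEAD + AP + r" (?P<proc>[\w-]+): (?P<msg>.*)$")

def parse_line(line):
    """Return a normalized record; unknown layouts are kept, not discarded."""
    line = line.strip()
    for shape, rx in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        m = rx.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["shape"] = shape
        rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()),
                                      "%b %d %H:%M:%S %Y")
        # Layout 2 carries no id or severity: set them to None explicitly
        rec.setdefault("msg_id", None)
        rec.setdefault("severity", None)
        # key=value pairs such as srcip=... dstport=137, action=deny
        rec["kv"] = dict(re.findall(r"(\w+)=([^\s,]+)", rec["msg"]))
        return rec
    return {"shape": "unparsed", "raw": line}

# Sample lines copied from the post; the ntpclient message is shortened.
SAMPLE = [
    "Jan 28 00:06:54 2015 10.4.8.137 stm: <124006> <WARN> "
    "<10.4.8.137 94:B4:0F:C3:F4:00> UDP srcip=10.4.158.129 srcport=137 "
    "dstip=10.2.1.2 dstport=137, action=deny",
    "Jan 28 00:07:00 2015 10.4.8.16 <10.4.8.16 94:B4:0F:C3:F4:DC> syslog: "
    "ntpclient(rfc1305print:297): set time from 1422421620.872903",
    "Jan 28 00:07:14 2015 10.4.8.137 cli: <341004> <WARN> "
    "<10.4.8.137 94:B4:0F:C3:F4:00> apprf: send data to server.",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["shape"], rec.get("proc"), rec.get("severity"), rec.get("kv"))
```

Counting records with `shape == "unparsed"` over a raw capture shows whether further layouts exist beyond these two.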