Network Management

New Contributor

Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

In reviewing the User Guide for AirWave 8.2, it specifically states "RAPIDS can be configured to alert administrators via email, SNMP traps, or syslog messages after a threat is identified", yet I cannot seem to find where this is configurable. Within the system triggers, email and SNMP can be configured, but not syslog.


Anyone have any ideas?

Guru Elite

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

New Contributor

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

This is for infrastructure event logs (device up/down) and audit logs (administrative changes), but I didn't think it also includes RAPIDS events.

Contributor II

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

I'm looking for the same info as AirWave aggregates the RAPIDS events for a large deployment that I'm involved in.
Simon
MVP

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

Works mostly like in cjoseph's link:

System > Triggers > Add

Choose type - look for IDS Events section


Here's a screenshot of my Rogue Device Detected alert - it sends me an email and a trap to syslog (which aggregates it in our SIEM)

RAPIDS-trigger.png

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
New Contributor

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

Within your trigger setup you are having AirWave send alert notifications to an NMS and you are selecting your NMS server, but when you configure the NMS your only options are SNMP; there is no option for syslog. Am I missing something?


"AMP can send SNMPv1, SNMPv2 traps or SNMPv3 in forms to NMS servers."

MVP

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

You're correct, I got confused.

We send SNMP traps to the NMS - a very good example of the wrong thing. Sorry.

For syslog, we pipe all AirWave syslog to our central syslog server and parse the RAPIDS events there.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Contributor II

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

I fully understand that AirWave is capable of sending data to a SIEM.


My problem is there is no granularity in what we send to the SIEM. Having too much information is sometimes worse than having none.


To alleviate the problem, I've added another SNMP server, which acts as a "proxy" where I filter out the unwanted stuff. This being said, I wish AirWave could make this on its own.

Simon
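Both workarounds in this thread (Matthew parsing RAPIDS events out of the full AirWave syslog feed on a central syslog server, and Simon filtering on a "proxy" before the SIEM) amount to the same relay logic. The following is an added example, not code from the thread or from AirWave: it parses RFC 3164-style syslog lines, keeps only RAPIDS "Rogue Device Detected" events of the classifications you care about, and suppresses repeat alerts for the same BSSID. The message wording, the `amp` tag and the `key=value` fields are constructed assumptions for illustration; the real AirWave message format must be checked against your own logs.

```python
import re

# Constructed sample input in RFC 3164 shape. The RAPIDS message text and
# key=value layout are assumptions, not AirWave's documented format.
SAMPLE_LINES = [
    "<13>Mar  3 10:15:02 airwave01 amp: Rogue Device Detected: bssid=00:11:22:33:44:55 ssid=FreeWifi classification=Rogue rssi=-48",
    "<13>Mar  3 10:15:09 airwave01 amp: Device Down: ap=AP-Lobby-01",
    "<13>Mar  3 10:15:33 airwave01 amp: Rogue Device Detected: bssid=00:11:22:33:44:55 ssid=FreeWifi classification=Rogue rssi=-50",
    "<14>Mar  3 10:16:01 airwave01 amp: Rogue Device Detected: bssid=66:77:88:99:aa:bb ssid=Guest classification=Suspected Neighbor rssi=-80",
    "<13>Mar  3 10:16:40 airwave01 amp: Config change by admin: user=netops",
]

# <PRI>TIMESTAMP HOST TAG: MSG  (BSD syslog; PRI = facility*8 + severity)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
# key=value pairs where a value may contain spaces (e.g. "Suspected Neighbor")
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

RAPIDS_PREFIX = "Rogue Device Detected:"

def parse_line(line):
    """Split one syslog line into facility, severity, host, tag and message."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"],
            "tag": m["tag"], "msg": m["msg"]}

def rapids_fields(rec):
    """Return the key=value fields of a RAPIDS message as a dict."""
    body = rec["msg"].split(":", 1)[1].strip()
    return dict(KV_RE.findall(body))

def select_for_siem(lines, forward_classes=frozenset({"Rogue"})):
    """Keep RAPIDS events of the wanted classifications, one per BSSID."""
    seen, out = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["msg"].startswith(RAPIDS_PREFIX):
            continue                      # not a RAPIDS event: drop it
        fields = rapids_fields(rec)
        if fields.get("classification") not in forward_classes:
            continue                      # e.g. neighbours are noise for the SIEM
        if fields.get("bssid") in seen:
            continue                      # repeat sighting of a known rogue
        seen.add(fields["bssid"])
        out.append({"bssid": fields["bssid"], "ssid": fields.get("ssid"),
                    "severity": rec["severity"], "host": rec["host"], "raw": line})
    return out
```

Run `select_for_siem(SAMPLE_LINES)` on the constructed input and only the first rogue sighting is forwarded; widen `forward_classes` to include `"Suspected Neighbor"` to see the second BSSID pass through.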