New Contributor
Posts: 3
Registered: ‎03-18-2013

Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM


In reviewing the User Guide for AirWave 8.2, it specifically states "RAPIDS can be configured to alert administrators via email, SNMP traps, or syslog messages after a threat is identified", yet I cannot seem to find where this is configurable. Within the system triggers, email and SNMP can be configured but not syslog.

 

Anyone have any ideas?

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

http://www.arubanetworks.com/techdocs/AirWave_8_0_Web_Help/UserGuide.htm#AWUserGuide/Chapter2_Config/setup_external_logging.htm?Highlight=syslog

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
New Contributor
Posts: 3
Registered: ‎03-18-2013

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

This is for infrastructure event logs (device up/down) and audit logs (administrative changes), but I didn't think it also included RAPIDS events.

Contributor II
Posts: 46
Registered: ‎04-24-2013

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

I'm looking for the same info as AirWave aggregates the RAPIDS events for a large deployment that I'm involved in.
Simon
MVP
Posts: 702
Registered: ‎12-01-2010

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

Works mostly like in cjoseph's link:

System > Triggers > Add

Choose type - look for IDS Events section

 

Here's a screenshot of my Rogue Device Detected alert - it sends me an email and a trap to syslog (which aggregates it in our SIEM)

RAPIDS-trigger.png

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
New Contributor
Posts: 3
Registered: ‎03-18-2013

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

Within your trigger setup you are having AirWave send Alert notifications to an NMS and you are selecting your NMS server, but when you configure the NMS your only options are SNMP; there is no option for syslog. Am I missing something?

 

"AMP can send SNMPv1, SNMPv2 traps or SNMPv3 in forms to NMS servers."

MVP
Posts: 702
Registered: ‎12-01-2010

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

You're correct, I got confused.

We send SNMP traps to the NMS - a very good example of the wrong thing. Sorry.

For syslog, we pipe all AirWave syslog to our central syslog server and parse the RAPIDS events there.

--Matthew

Contributor II
Posts: 46
Registered: ‎04-24-2013

Re: Configuring AirWave 8.2 RAPIDS to send syslogs events to a SIEM

I fully understand that AirWave is capable of sending data to a SIEM.

 

My problem is there is no granularity in what we send to the SIEM. Having too much information is sometimes worse than having none.

 

To alleviate the problem, I've added another SNMP server, which acts as a "proxy" where I filter out the unwanted stuff. This being said, I wish AirWave could do this on its own.

Simon
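Both Matthew's approach (forward all AirWave syslog and pick out the RAPIDS events at the central collector) and Simon's granularity complaint come down to filtering at the receiving end. The following is an added example of such a collector-side filter, not code from the thread or from Aruba; the syslog lines are constructed, and the `RAPIDS:` tag and `key=value` message layout are assumptions, since the thread does not show AirWave's real message format.

```python
import re
from typing import List, NamedTuple

# Constructed RFC 3164-style lines. The RAPIDS message layout is an assumption;
# adjust SYSLOG_RE / KV_RE to match what your AirWave actually emits.
SAMPLE_SYSLOG = """\
<13>Mar 18 10:15:02 airwave01 AMP: Device up: AP-lobby-1 (10.0.5.21)
<11>Mar 18 10:15:09 airwave01 RAPIDS: Rogue device detected bssid=00:11:22:33:44:55 classification=Rogue rssi=-61 ap=AP-lobby-1
<14>Mar 18 10:15:10 airwave01 AMP: User admin changed trigger 'Rogue Device Detected'
<12>Mar 18 10:15:31 airwave01 RAPIDS: Rogue device detected bssid=66:77:88:99:aa:bb classification=Suspected Neighbor rssi=-84 ap=AP-lobby-2
<11>Mar 18 10:16:00 airwave01 RAPIDS: Rogue device detected bssid=00:11:22:33:44:55 classification=Rogue rssi=-58 ap=AP-lobby-1
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# key=value pairs; values may contain spaces (e.g. "Suspected Neighbor")
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


class RapidsEvent(NamedTuple):
    severity: int
    host: str
    bssid: str
    classification: str
    rssi: int
    ap: str


def parse_rapids_events(text: str, keep=("Rogue",)) -> List[RapidsEvent]:
    """Return only RAPIDS messages whose classification is in `keep`.
    Device up/down and audit lines are dropped here, which is the
    granularity AirWave's own syslog forwarding does not provide."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("tag") != "RAPIDS":
            continue
        fields = dict(KV_RE.findall(m.group("msg")))
        if fields.get("classification") not in keep:
            continue
        events.append(RapidsEvent(
            severity=int(m.group("pri")) & 7,  # PRI = facility*8 + severity
            host=m.group("host"),
            bssid=fields["bssid"],
            classification=fields["classification"],
            rssi=int(fields["rssi"]),
            ap=fields["ap"],
        ))
    return events


def dedupe_by_bssid(events: List[RapidsEvent]) -> List[RapidsEvent]:
    """Collapse repeated sightings of one BSSID; the strongest RSSI wins."""
    best = {}
    for e in events:
        if e.bssid not in best or e.rssi > best[e.bssid].rssi:
            best[e.bssid] = e
    return list(best.values())
```

Run it in front of the SIEM input (or as an rsyslog/syslog-ng output program) so only the classifications you care about are forwarded.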