Network Management

New Contributor
Posts: 2
Registered: ‎03-21-2016

Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

Hi 

We are trying to configure the Aruba Controller with an IBM Qradar Syslog server and are not able to suppress AP logs to the IBM Qradar Syslog server.

We need logs from the Mobility controller only, not from all APs.

 

config at wlc (Aruba Controller)

voice logging

logging 192.168.X.X type network severity informational facility local7

logging 192.168.X.X type security severity informational facility local7

logging 192.168.X.X type system severity informational facility local7

 

AP logs received at IBM Qradar ( Syslog server)

<190>Apr 18 04:08:07 2016 172.21.11.58 stm[6795]: trace_on: tracing to "/var/log/trace/stm.log" started

<190>Apr 18 04:01:39 2016 172.21.11.58 stm[6795]: trace_rotate_file: rotating /var/log/trace/stm.log

<188>Apr 17 23:23:07 2016 172.21.11.36 sapd[4871]: <404068> <WARN> |AP MXXoom@172.X.X.X sapd|  AM 94:b4:0f:84:a9:a0: ARM Noise Threshold Trigger Current Channel 6 new_rra 11/6

Device Stopped Sending Events (Firewall, IPS, VPN or Switch)

 

Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Need to configure Aruba Controller for syslogs to external server & ap logs need to supp

What kind of logs do you want?  AP messages are part of system messages, so there is no way to turn them off if you desire system messages.  The typical logging level is warnings.  Informational is much more verbose, and that could be why you are seeing so many messages.  Try a logging level of warnings on the system log to get less messages.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
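
Added example, not part of any post in this thread and not Aruba or IBM code: a Python parser for the three syslog lines quoted in the first post, which decodes each `<PRI>` value and groups messages by the sending host field to show which would remain at the suggested warning severity. It assumes the field layout seen in those lines and that the controller's severity setting corresponds to the syslog PRI severity; `parse` and `summarize` are illustrative names.

```python
import re
from collections import defaultdict

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Field layout observed in the quoted lines (an assumption beyond those three):
# <PRI>Mon DD HH:MM:SS YYYY host process[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} [\d:]{8} \d{4}) "
    r"(?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The three lines quoted in the first post, copied as posted.
SAMPLE = [
    '<190>Apr 18 04:08:07 2016 172.21.11.58 stm[6795]: trace_on: tracing to "/var/log/trace/stm.log" started',
    '<190>Apr 18 04:01:39 2016 172.21.11.58 stm[6795]: trace_rotate_file: rotating /var/log/trace/stm.log',
    '<188>Apr 17 23:23:07 2016 172.21.11.36 sapd[4871]: <404068> <WARN> |AP MXXoom@172.X.X.X sapd|  AM 94:b4:0f:84:a9:a0: ARM Noise Threshold Trigger Current Channel 6 new_rra 11/6',
]

def parse(line):
    """Split one line into fields and decode PRI = facility * 8 + severity."""
    m = LINE_RE.match(line.strip())
    if m is None or int(m["pri"]) > 191:
        return None  # not in the expected layout, or PRI out of range
    rec = m.groupdict()
    pri = int(rec["pri"])
    fac = pri >> 3
    rec["facility"] = f"local{fac - 16}" if 16 <= fac <= 23 else str(fac)
    rec["severity"] = SEVERITIES[pri & 7]
    return rec

def summarize(lines, threshold="warning"):
    """Per sending host: messages seen, and how many are at or above threshold."""
    limit = SEVERITIES.index(threshold)
    hosts = defaultdict(lambda: {"total": 0, "kept": 0, "procs": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        entry = hosts[rec["host"]]
        entry["total"] += 1
        entry["procs"].add(rec["proc"])
        if SEVERITIES.index(rec["severity"]) <= limit:
            entry["kept"] += 1
    return dict(hosts)

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE).items():
        print(host, entry)
```

On the quoted lines, the two `stm` trace messages decode to local7.info and fall below a warning threshold, while the `sapd` message decodes to local7.warning and would still be sent.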

New Contributor
Posts: 2
Registered: ‎03-21-2016

Re: Need to configure Aruba Controller for syslogs to external server & ap logs need to supp

Hi Joseph

Thanks for the reply.

We need controller related logs only.

As per your reply, it's clear that we don't have an option to configure it.


cjoseph wrote:

What kind of logs do you want?  AP messages are part of system messages, so there is no way to turn them off if you desire system messages.  The typical logging level is warnings.  Informational is much more verbose, and that could be why you are seeing so many messages.  Try a logging level of warnings on the system log to get less messages.




 

Occasional Contributor II
Posts: 11
Registered: ‎09-16-2014

Re: Need to configure Aruba Controller for syslogs to external server & ap logs need to supp

RK16,

Did you ever get this to work properly?  We are in the beginning phase of implementing QRadar as well and are having the same problem where the APs are coming through as log sources, taking license seats.  I have a ticket opened with TAC but they are not sure why.

Regular Contributor I
Posts: 181
Registered: ‎10-20-2010

Re: Need to configure Aruba Controller for syslogs to external server & ap logs need to supp

Please keep this thread going if you find a solution.  My security team is also interested in controller logs being sent to Qradar.  

Occasional Contributor II
Posts: 11
Registered: ‎09-16-2014

Re: Need to configure Aruba Controller for syslogs to external server & ap logs need to supp

I have my SE coming in next Wed to see if he can help with this issue.  I will update once we have finished.  Is anyone having any luck with QRadar?

Occasional Contributor II
Posts: 11
Registered: ‎09-16-2014

Re: Need to configure Aruba Controller for syslogs to external server & ap logs need to supp

WE FOUND A FIX!!!!  Our QRadar engineer informed us yesterday that IBM has issued a code release which increases the log source limit to 99 million.  He had to sit in on a training session in order to receive the file that would increase our log sources license to 99 million.  

Occasional Contributor II
Posts: 11
Registered: ‎09-16-2014

Re: Need to configure Aruba Controller for syslogs to external server & ap logs need to supp

Here is the response from IBM/QRadar regarding the fix.

 

“We have faced a similar issue where, when we integrated Aruba Controller with QRadar, all APs associated with the controller are detected as new log sources in QRadar. We have leveraged IBM's new announcement to have a workaround for this problem.

 

IBM recently announced that they are removing the license cap from the log sources. You can email q1pd@us.ibm.com and ask them for a new license by which your log source limit will reach a whopping 99 million.

 

So, if the log source license reaches 99 million, we will not have to bother about a few hundred or thousand APs.

 

Note: You have to be on at least IBM Qradar version 7.2.8”

 
