Security, WIDS/WIPS and Aruba ECS

New Contributor
Posts: 2
Registered: ‎11-28-2010

Syslog and SNMP log collect

Hi there.
I am looking for the proper way to gather significant logs for managing security risks.
Before moving the wireless environment to production, it should be well prepared for security auditing and enterprise regulations.

The controller is capable of syslog, which contains many categories to tell us about.
What is the proper set of categories or sub-categories to gather the following?
Is there any document explaining them?

- Log-in attempts with authentication
- Device authentication log
- Access time stamp
- MAC and IP address
- Machine host name
- Manage-access log to controller and AP
- Configuration change log
- System status log
- Security incident, such as rogue AP or SSID DOS attack log

Thanks.
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Syslog and SNMP log collect

For authentication attempts, try this: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=2042

Machine hostname is not recorded at all in authentication exchanges, so that is not available unless machine authentication is configured at the radius server. In that case, it will show up in the logs in the article above.

For access log/configuration log, the audit trail is configured here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=751

The system log (which is included in the syslog, by default), will show system status messages.

The IDS/IPS log is part of the wireless log, which is in syslog by default.

The support website, under Documentation, has a MIB Reference Guide and a Syslog Guide that indicate what logs are sent and what traps are sent.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 2
Registered: ‎11-28-2010

Re: Syslog and SNMP log collect

Colin,

Thank you so much, it helps me a lot!!

Does the user authentication log show time-out expiry or logout with a time stamp?
Something that tells the user's alive time...

Toyo
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Syslog and SNMP log collect

It does NOT show user disconnect time. If you enable user debugging, it will show when the user is removed from the user table, either due to inactivity or the user roamed away:

config t
logging level debug user


show log user 100

A word of warning.... This logging will generate a lot of syslog entries!


Colin Joseph
Aruba Customer Engineering
