New Contributor
Posts: 4
Registered: ‎12-12-2012

Logging RAPIDS events to a local file

Hi All,

 

For the purposes of PCI compliance, I am attempting to log rogue access points that are detected via RAPIDS into a central log aggregation/reporting (Splunk) instance. I'm trying to determine where the received SNMP traps are logged to, but:

 

/opt/airwave/sbin/snmptrapd -n -On -A -t ...

 

The "-t" switch in the snmptrapd instance specifies not to write traps to Syslog

 

... -LF e /var/log/snmptrapd ...

 

While this switch specifies to write SNMP messages to /var/log/snmptrapd, all I seem to be getting in here is:

 

couldn't open udp:162 -- errno 98 ("Address already in use")

 

Despite the AirWave GUI saying it has detected rogues???

 

So the question...

 

How can I get AirWave to log rogue/suspected rogues to a file &/or forward these events to a Syslog server?

 

Thanks in advance :-)

Moderator
Posts: 1,252
Registered: ‎10-16-2008

Re: Logging RAPIDS events to a local file

You can try doing the following:

# qlog enable snmp_traps

This will output to /var/log/amp_diag/snmp_traps

 

We typically don't run qlogs on a permanent basis, but if this is getting the information you need, then you can add it into a custom post nightly script that would make sure this script is enabled. The log files in the output directory should adhere to regular log rotation that the AMP has set for /var/log. And then use another script to extract/download the log to a designated host to retain (at the same time, rename the file so that it doesn't overwrite past copies).


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
New Contributor
Posts: 4
Registered: ‎12-12-2012

Re: Logging RAPIDS events to a local file

Thanks Rob,

 

Unfortunately this appears to be more diagnostics than actual traps being received. Plugging in a rogue AP in the network is detected in the AirWave GUI, but is only reflected in /var/log/amp_diag/snmp_traps as:

 

[...repeat...]

1355439785.563854 1715 handle_trap|class=Mercury::AP:: Dell:: Swarm
1355439785.564499 1715 explicit_drop|reason=no_dispatch_entry
1355439785.565197 1715 handle_trap|class=Mercury::AP:: Dell:: Swarm

[...repeat...]

 

I am currently configuring up a separate server with a snmptrapd instance to add as an NMS target, but was hoping to handle this locally. If you think of anything else that would help, it would be greatly appreciated.

 

Regards,

 

RT from O2
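
The qlog lines quoted in the post above, parsed into key=value records for a log aggregator such as Splunk, as an added example that is not part of the original thread and is not AirWave's own code. The line layout (epoch seconds, a numeric id taken here to be a process id, an event name, then `|`-separated key=value fields) is inferred only from those three lines, and pairing an `explicit_drop` with the `handle_trap` before it is an assumption.

```python
import re
from datetime import datetime, timezone

# Sample input: the three lines quoted in the post, copied verbatim.
SAMPLE = """\
1355439785.563854 1715 handle_trap|class=Mercury::AP:: Dell:: Swarm
1355439785.564499 1715 explicit_drop|reason=no_dispatch_entry
1355439785.565197 1715 handle_trap|class=Mercury::AP:: Dell:: Swarm
"""

# Assumed layout: <epoch.micros> <pid> <event>|<key>=<value>[|<key>=<value>...]
LINE_RE = re.compile(r"^(\d+\.\d+) (\d+) (\w+)\|(.*)$")

def parse_line(line):
    """Return a dict for one qlog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch, pid, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    return {"time": ts.isoformat(), "pid": int(pid), "event": event, **fields}

def summarize(lines):
    """One record per handle_trap, annotated with the drop reason when an
    explicit_drop from the same pid follows it (assumed pairing)."""
    out, pending = [], {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == "handle_trap":
            rec["dropped"] = None
            pending[rec["pid"]] = rec
            out.append(rec)
        elif rec["event"] == "explicit_drop" and rec["pid"] in pending:
            pending.pop(rec["pid"])["dropped"] = rec.get("reason")
    return out

def to_kv(rec):
    """Render a record as quoted key="value" pairs on one line."""
    return " ".join(f'{k}="{v}"' for k, v in rec.items())

if __name__ == "__main__":
    for record in summarize(SAMPLE.splitlines()):
        print(to_kv(record))
```

Run over a longer capture, this shows at a glance whether every trap of a given class is being dropped with the same reason, which is the pattern the post describes.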

Moderator
Posts: 1,252
Registered: ‎10-16-2008

Re: Logging RAPIDS events to a local file

The only other thing I can think of would be to use the Daily New Rogue Devices Report and have it emailed externally.  This could be sent to an email address or maintained on the AMP (just be aware of the report age out setting on AMP Setup -> Historical Data Retention).


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
New Contributor
Posts: 4
Registered: ‎12-12-2012

Re: Logging RAPIDS events to a local file

Thanks for your help Rob,

 

The way we ended up approaching this was through setting up the appropriate triggers and monitoring the amp_events log file.

 

Thanks again for your help :-)
