Occasional Contributor II
Posts: 10
Registered: ‎07-12-2012

Send TCP traffic to syslog server

We have a bunch of RAPs connected over the internet to a mobility controller - we would like to see TCP traffic (i.e. RDP traffic) from behind the RAP to the internal network of the mobility controller sent to a syslog server. So far we have tried a few times and had no luck.

 

We called TAC and they said that is not supported at the moment and that I can use the show datapath session command instead.

 

We would eventually like to send the syslog data to our SIEM solution.

 

RAP-2WG and 650 mobility controller version 6.1.3.3

 

Thanks,

Paolo

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Send TCP traffic to syslog server

What layer2 VLAN is the host on and can it be tunneled through the controller to your infrastructure?  That is the only way.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 10
Registered: ‎07-12-2012

Re: Send TCP traffic to syslog server

Which host are you referring to? If you are referring to the server that the clients/users connect to via RDP, then yes, it is tunneled through the controller.

 

Ex. VLAN 1 - management side of the controller / same VLAN where the syslog server is / same VLAN where the server that the clients connect to is.

      VLAN 2 - Client IP / 192.168.80.0 (remote user)

 

Thanks

     

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Send TCP traffic to syslog server


pyabut wrote:

Which host are you referring to? If you are referring to the server that the clients/users connect to via RDP, then yes, it is tunneled through the controller.

 

Ex. VLAN 1 - management side of the controller / same VLAN where the syslog server is / same VLAN where the server that the clients connect to is.

      VLAN 2 - Client IP / 192.168.80.0 (remote user)

 

Thanks

     


Please let us know what you are trying to do and how it is supposed to function. What is the purpose of the transport and how should it work?

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 10
Registered: ‎07-12-2012

Re: Send TCP traffic to syslog server

Thanks for the reply - Here's my initial post

 --------

We have a bunch of RAPs connected over the internet to a mobility controller - we would like to see TCP traffic (i.e. RDP traffic) from behind the RAP to the internal network of the mobility controller sent to a syslog server. So far we have tried a few times and had no luck.

 

We called TAC and they said that is not supported at the moment and that I can use the show datapath session command instead.

 

We would eventually like to send the syslog data to our SIEM solution.

 

RAP-2WG and 650 mobility controller version 6.1.3.3

 

 

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Send TCP traffic to syslog server


pyabut wrote:

Thanks for the reply - Here's my initial post

 --------

We have a bunch of RAPs connected over the internet to a mobility controller - we would like to see TCP traffic (i.e. RDP traffic) from behind the RAP to the internal network of the mobility controller sent to a syslog server. So far we have tried a few times and had no luck.

 

We called TAC and they said that is not supported at the moment and that I can use the show datapath session command instead.

 

We would eventually like to send the syslog data to our SIEM solution.

 

RAP-2WG and 650 mobility controller version 6.1.3.3

 

 


When you say you want to "see" the traffic behind a RAP, do you mean wired or wireless traffic? Does it pass through the RAP? If it passes through the RAP, the "show datapath session table" command is the only way we can even see this. If it is not a client on the RAP, we cannot log traffic.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 10
Registered: ‎07-12-2012

Re: Send TCP traffic to syslog server

We would like to see both wired and wireless traffic, and yes, it passes through the RAP, and yes, it is a client on the RAP.

 

OK, so that kind of traffic doesn't get logged and it only shows via the command "show datapath session table"?

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Send TCP traffic to syslog server


If it is a client on the RAP, you need to create an ACL in the user role that allows traffic for RDP and then check "log" on the ACL.  It would then show up in the security log.  You can ONLY use this method for clients on a tunneled SSID, or wired tunneled traffic.

 

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-to-perform-legal-interception/td-p/3823

 

If it is NOT tunneled, the only method is the "show datapath" method.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 10
Registered: ‎07-12-2012

Re: Send TCP traffic to syslog server

I already have logging enabled on the ACL / user role and I don't see the syslog event. I also have the logging level on the security category set to debugging at the moment.

 

 

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Send TCP traffic to syslog server

Well, type "show acl hits" to see if it is even hitting your ACL.  You might not have it configured.  By default it only logs the first packet in a conversation, not every packet.

 



Colin Joseph
Aruba Customer Engineering
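
The ACL-logging approach from the replies above, together with the "show acl hits" check, written out as ArubaOS CLI. This is an added example, not configuration posted by anyone in the thread; the ACL name rdp-log, the role name rap-user, the syslog address 192.0.2.10 and the `session-acl` role keyword (assumed for the 6.1 release mentioned in the thread) are assumptions.

```text
! Added example; names and addresses are placeholders, not from the thread.

! 1. Session ACL that permits RDP (TCP 3389) from the client and logs the match.
ip access-list session rdp-log
  user any tcp 3389 permit log
!
! 2. Attach it to the role the RAP clients land in, ahead of any broader
!    permit rule. Session ACLs are first-match: if an allow-all rule earlier
!    in the role matches RDP first, the logged rule is never hit.
!    (Keyword assumed for 6.1; check the CLI reference for your release.)
user-role rap-user
  session-acl rdp-log position 1
!
! 3. Send the security category to the syslog server that feeds the SIEM.
!    debugging matches the level the poster already set.
logging 192.0.2.10
logging level debugging security
!
! 4. Verify from the controller after generating one new RDP connection.
!    Only the first packet of a conversation is logged by default, so an
!    already-established session will not produce a new entry.
show rights rap-user
show acl hits
show log security all
```

If the hit counter for the logged rule stays at zero, the traffic is matching an earlier rule or is not tunneled to the controller, which is the case where the thread says only "show datapath session table" applies.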
