I'm looking to update our logging statements to integrate our wireless platform better with our Splunk deployment, but I've run into a frustrating configuration issue. The messages I'm concerned with right now are message id 501199:
User authenticated, mac-[mac:%m], username-[name:%s], IP-[ip:%p], method- [method:%d], role-[role:%s
This is a NOTICE level message according to the 6.4.x Syslog Messages Guide. My logging level for my Splunk collectors are set to INFORMATIONAL, but I do not receive these messages. TAC has told be that I need to set my logging level to debugging in order to receive this message. That method works and I receive the message above with severity level of NOTICE, but with my logging level set to debugging, I end up with a huge amount of additional logs.
Am I missing something very obvious here? Every other device that I set up logging for, I choose the severity level in my log server statement and all syslog messages with that severity and worse are then forwarded. Does Aruba have a different method?