Occasional Contributor I

Syslog Sanity Check

I'm looking to update our logging statements to integrate our wireless platform better with our Splunk deployment, but I've run into a frustrating configuration issue. The messages I'm concerned with right now are message id 501199:

User authenticated, mac-[mac:%m], username-[name:%s], IP-[ip:%p], method- [method:%d], role-[role:%s

This is a NOTICE level message according to the 6.4.x Syslog Messages Guide. My logging level for my Splunk collectors is set to INFORMATIONAL, but I do not receive these messages. TAC has told me that I need to set my logging level to debugging in order to receive this message. That method works and I receive the message above with severity level of NOTICE, but with my logging level set to debugging, I end up with a huge amount of additional logs.

 

Am I missing something very obvious here? Every other device that I set up logging for, I choose the severity level in my log server statement and all syslog messages with that severity and worse are then forwarded. Does Aruba have a different method?
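The threshold behaviour the question expects, applied on the collector side, as an added example that is not part of the original post or any Aruba or Splunk code: it decodes the syslog PRI value, keeps lines at the chosen severity or worse, and extracts the fields of message 501199. The sample lines, the header layout and the rendered field values are constructed assumptions; only the message id and field names come from the thread.

```python
import re

# Syslog severity names; the list index is the numeric severity (0 is most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Assumed rendering of the 501199 template quoted in the thread.
AUTH_RE = re.compile(
    r"<501199>.*?User authenticated, mac-(?P<mac>[0-9A-Fa-f:]{17}), "
    r"username-(?P<username>[^,]*), IP-(?P<ip>[^,]*), "
    r"method-\s?(?P<method>[^,]*),\s?role-(?P<role>\S+)"
)

# Constructed sample lines (PRI 141/143/142 = local1 notice/debug/info).
SAMPLE = [
    "<141>Jan  1 00:00:00 ctrl authmgr[100]: <501199> <NOTI> <ctrl 192.0.2.10> "
    "User authenticated, mac-00:11:22:33:44:55, username-jdoe, "
    "IP-192.0.2.55, method-802.1x, role-employee",
    "<143>Jan  1 00:00:01 ctrl authmgr[100]: <000000> <DBUG> constructed debug line",
    "<142>Jan  1 00:00:02 ctrl authmgr[100]: <000000> <INFO> constructed info line",
]

def severity_of(line):
    """Return the numeric severity encoded in the PRI field (PRI = facility*8 + severity)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field")
    return int(m.group(1)) % 8

def passes(line, threshold):
    """True when the line is at the threshold severity or worse (numerically lower)."""
    return severity_of(line) <= SEVERITIES.index(threshold)

def parse_auth(line):
    """Extract the 501199 fields as a dict, or None if the line is another message."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None

def select_auth_events(lines, threshold="info"):
    """Keep only 501199 events that a threshold of `threshold` would forward."""
    events = (parse_auth(l) for l in lines if passes(l, threshold))
    return [e for e in events if e is not None]

if __name__ == "__main__":
    for event in select_auth_events(SAMPLE):
        print(event)
```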

Re: Syslog Sanity Check

You're already in contact with TAC; ask them, I would say. In principle it works like with other devices in my experience, but I haven't worked specifically with this message, so it might be different.

Occasional Contributor I

Re: Syslog Sanity Check

I had success getting this message when using these settings. 

<501199> <NOTI> <IAP IP address/IAP MAC> User authenticated, mac-[mac:%m], username-[name:%s], IP-[ip:%p], method-[method:%s],role-[role:%s]

Firmware 6.4

syslog notice.PNG

 

Occasional Contributor I

Re: Syslog Sanity Check

Thanks for the response. That confirms that the IAP platform behaves as I expected. Looks like the AOS platform handles logging differently.
