02-29-2016 08:05 PM - edited 02-29-2016 08:06 PM
I'm looking to update our logging statements to integrate our wireless platform better with our Splunk deployment, but I've run into a frustrating configuration issue. The messages I'm concerned with right now are message id 501199:
User authenticated, mac-[mac:%m], username-[name:%s], IP-[ip:%p], method- [method:%d], role-[role:%s
This is a NOTICE level message according to the 6.4.x Syslog Messages Guide. My logging level for my Splunk collectors are set to INFORMATIONAL, but I do not receive these messages. TAC has told be that I need to set my logging level to debugging in order to receive this message. That method works and I receive the message above with severity level of NOTICE, but with my logging level set to debugging, I end up with a huge amount of additional logs.
Am I missing something very obvious here? Every other device that I set up logging for, I choose the severity level in my log server statement and all syslog messages with that severity and worse are then forwarded. Does Aruba have a different method?
03-05-2016 04:36 AM
your already in contact with TAC, ask them i would say. in principe it works like with other devices in my experience, but haven't worked specially with this message so it might be different.
06-15-2016 07:25 AM
I had success getting this message when using these settings.
<501199> <NOTI> <IAP IP address/IAP MAC> User authenticated, mac-[mac:%m], username-[name:%s], IP-[ip:%p], method-[method:%s],role-[role:%s]