Network Management


Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

  • 1.  Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

    Posted Apr 19, 2016 07:08 AM

    Hi 

    We are trying to configure Aruba Controller with IBM Qradar Syslog server and are not able to suppress AP logs to the IBM Qradar Syslog server.

    We need logs from the Mobility controller only, not from all APs.

     

    config at wlc (Aruba Controller)

    voice logging

    logging 192.168.X.X type network severity informational facility local7

    logging 192.168.X.X type security severity informational facility local7

    logging 192.168.X.X type system severity informational facility local7

     

    AP logs received at IBM Qradar ( Syslog server)

    <190>Apr 18 04:08:07 2016 172.21.11.58 stm[6795]: trace_on: tracing to "/var/log/trace/stm.log" started

    <190>Apr 18 04:01:39 2016 172.21.11.58 stm[6795]: trace_rotate_file: rotating /var/log/trace/stm.log

    <188>Apr 17 23:23:07 2016 172.21.11.36 sapd[4871]: <404068> <WARN> |AP MXXoom@172.X.X.X sapd|  AM 94:b4:0f:84:a9:a0: ARM Noise Threshold Trigger Current Channel 6 new_rra 11/6

    Device Stopped Sending Events (Firewall, IPS, VPN or Switch)

     



  • 2.  RE: Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed
    Best Answer

    Posted Apr 23, 2016 05:42 AM

    What kind of logs do you want?  AP messages are part of system messages, so there is no way to turn them off if you desire system messages.  The typical logging level is warnings.  Informational is much more verbose, and that could be why you are seeing so many messages.  Try a logging level of warnings on the system log to get less messages.
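The sample lines from the first post, parsed to show what a collector sees (an added example, not part of the original posts and not Aruba or IBM code). It assumes the collector identifies a log source by the origin address in the syslog header; the `192.0.2.10` controller line and the function names are constructed for illustration, and `keep_origins` is the kind of allow-list a syslog relay placed in front of the SIEM could apply.

```python
import re
from collections import Counter

# Layout of the lines in the post: <PRI>Mon DD HH:MM:SS YYYY origin proc[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<origin>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
WARNING = 4  # syslog severity: 0 = emergency ... 4 = warning ... 6 = informational

SAMPLES = [
    # The first three lines are copied from the post; the last one is constructed.
    '<190>Apr 18 04:08:07 2016 172.21.11.58 stm[6795]: trace_on: tracing to "/var/log/trace/stm.log" started',
    '<190>Apr 18 04:01:39 2016 172.21.11.58 stm[6795]: trace_rotate_file: rotating /var/log/trace/stm.log',
    '<188>Apr 17 23:23:07 2016 172.21.11.36 sapd[4871]: <404068> <WARN> |AP MXXoom@172.X.X.X sapd|  AM 94:b4:0f:84:a9:a0: ARM Noise Threshold Trigger Current Channel 6 new_rra 11/6',
    '<189>Apr 18 04:10:00 2016 192.0.2.10 demo[100]: constructed controller message',
]

def parse(line):
    """Split one line into fields. PRI = facility * 8 + severity."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec

def origins(lines):
    """Count messages per header origin: each key would be one log source."""
    return Counter(r["origin"] for r in map(parse, lines) if r)

def keep_severity(lines, limit=WARNING):
    """Lines that remain when only severity `limit` or more severe is sent."""
    return [l for l in lines if (r := parse(l)) and r["severity"] <= limit]

def keep_origins(lines, allowed):
    """Relay-side allow-list: forward only lines whose header origin is listed."""
    return [l for l in lines if (r := parse(l)) and r["origin"] in allowed]

if __name__ == "__main__":
    print("log sources seen:", dict(origins(SAMPLES)))
    print("left at warning:", len(keep_severity(SAMPLES)))
    print("left after allow-list:", keep_origins(SAMPLES, {"192.0.2.10"}))
```

Raising the level to warnings drops the two informational `stm` lines but still lets the `sapd` warning through with the AP's address as origin, so the AP still appears as a separate source.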



  • 3.  RE: Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

    Posted Apr 25, 2016 12:49 AM

    Hi Joseph,

    Thanks for the reply.

    We need controller-related logs only.

    As per your reply, it's clear that we don't have an option to configure it.


    @cjoseph wrote:

    What kind of logs do you want?  AP messages are part of system messages, so there is no way to turn them off if you desire system messages.  The typical logging level is warnings.  Informational is much more verbose, and that could be why you are seeing so many messages.  Try a logging level of warnings on the system log to get less messages.




     



  • 4.  RE: Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

    Posted Mar 07, 2017 10:38 AM

    RK16,

    Did you ever get this to work properly?  We are in the beginning phase of implementing QRadar as well and are having the same problem where the APs are coming through as log sources, taking license seats.  I have a ticket opened with TAC but they are not sure why.



  • 5.  RE: Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

    Posted Mar 07, 2017 03:44 PM

    Please keep this thread going if you find a solution.  My security team is also interested in controller logs being sent to Qradar.  



  • 6.  RE: Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

    Posted Mar 17, 2017 05:18 PM

    I have my SE coming in next Wed to see if he can help with this issue.  I will update once we have finished.  Is anyone having any luck with QRadar?



  • 7.  RE: Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

    Posted Mar 22, 2017 03:51 PM

    WE FOUND A FIX!!!!  Our QRadar engineer informed us yesterday that IBM has issued a code release which increases the log source limit to 99 million.  He had to sit in on a training session in order to receive the file that would increase our log sources license to 99 million.  



  • 8.  RE: Need to configure Aruba Controller for syslogs to external server & AP logs need to be suppressed

    Posted Mar 23, 2017 09:49 AM

    Here is the response from IBM/QRadar regarding the fix.

     

    We have faced a similar issue: when we integrated Aruba Controller with QRadar, all APs associated to the controller were detected as new log sources in Qradar. We have leveraged IBM's new announcement to have a workaround for this problem.

     

    IBM recently announced that they are removing the license cap from the log sources. You can email q1pd@us.ibm.com and ask them for a new license, by which your log source limit will reach a whopping 99 million.

     

    So, if the log source license reaches 99 million, we will not have to bother about a few hundred or thousand APs.

     

    Note: You have to be on at least IBM Qradar version 7.2.8