We are trying to configure an Aruba controller with an IBM QRadar syslog server and are not able to suppress AP logs going to the IBM QRadar syslog server.
We need logs from the mobility controller only, not from all the APs.
Config at the WLC (Aruba controller):
logging 192.168.X.X type network severity informational facility local7
logging 192.168.X.X type security severity informational facility local7
logging 192.168.X.X type system severity informational facility local7
AP logs received at IBM QRadar (syslog server):
<190>Apr 18 04:08:07 2016 172.21.11.58 stm: trace_on: tracing to "/var/log/trace/stm.log" started
<190>Apr 18 04:01:39 2016 172.21.11.58 stm: trace_rotate_file: rotating /var/log/trace/stm.log
<188>Apr 17 23:23:07 2016 172.21.11.36 sapd: <404068> <WARN> |AP MXXoom@172.X.X.X sapd| AM 94:b4:0f:84:a9:a0: ARM Noise Threshold Trigger Current Channel 6 new_rra 11/6
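The three sample lines above show why QRadar treats each AP as its own log source: the controller relays AP-originated messages with the AP's address in the syslog HOSTNAME field (172.21.11.58, 172.21.11.36), and QRadar auto-discovers log sources from that field. The following is an added example, not code from the original post or from Aruba or IBM, showing the parsing and filtering logic a syslog relay between the controller and QRadar could apply: decode the PRI value into facility and severity, pull out the hostname and process, and keep only events whose hostname is the controller itself (the controller address 172.21.11.1 and the fourth sample line are constructed assumptions; the `|AP name@ip process|` marker check is a secondary heuristic based on the sapd line in the post).

```python
import re
from collections import Counter

# Constructed sample input, modelled on the lines in the post. The first three are
# the post's own AP lines; the fourth is an assumed controller-originated line.
CONTROLLER_HOSTS = {"172.21.11.1"}  # assumption: the controller's syslog source address
SAMPLE_LINES = [
    '<190>Apr 18 04:08:07 2016 172.21.11.58 stm: trace_on: tracing to "/var/log/trace/stm.log" started',
    '<190>Apr 18 04:01:39 2016 172.21.11.58 stm: trace_rotate_file: rotating /var/log/trace/stm.log',
    '<188>Apr 17 23:23:07 2016 172.21.11.36 sapd: <404068> <WARN> |AP MXXoom@172.X.X.X sapd| '
    'AM 94:b4:0f:84:a9:a0: ARM Noise Threshold Trigger Current Channel 6 new_rra 11/6',
    '<188>Apr 18 04:10:00 2016 172.21.11.1 authmgr: constructed sample of a controller-originated event',
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon DD HH:MM:SS YYYY HOST PROCESS: MESSAGE  (the shape of the lines in the post)
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (\S+) ([^:\s]+): (.*)$"
)
# ArubaOS tags AP-originated messages with "|AP <name>@<ip> <process>|" in the body.
AP_MARKER_RE = re.compile(r"\|AP \S+@\S+ \S+\|")


def parse_syslog(line):
    """Split one relayed line into its fields; return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "facility": FACILITIES[pri // 8] if pri // 8 < len(FACILITIES) else str(pri // 8),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "process": m.group(4),
        "message": m.group(5),
    }


def is_controller_event(event, controller_hosts=CONTROLLER_HOSTS):
    """True only when the syslog hostname is the controller and the body carries no AP marker."""
    if event["host"] not in controller_hosts:
        return False
    return AP_MARKER_RE.search(event["message"]) is None


def filter_controller_only(lines, controller_hosts=CONTROLLER_HOSTS):
    """Return the raw lines a relay should forward to QRadar (controller events only)."""
    kept = []
    for line in lines:
        event = parse_syslog(line)
        if event is not None and is_controller_event(event, controller_hosts):
            kept.append(line)
    return kept


def count_log_sources(lines):
    """Count distinct hostnames, i.e. the log sources QRadar would auto-discover."""
    hosts = [e["host"] for e in map(parse_syslog, lines) if e is not None]
    return dict(Counter(hosts))


if __name__ == "__main__":
    print("log sources seen:", count_log_sources(SAMPLE_LINES))
    for kept in filter_controller_only(SAMPLE_LINES):
        print("forward:", kept)
```

Run over the sample input this reports four lines from three hosts but forwards only the controller line, which is the effect the thread is after: one log source in QRadar instead of one per AP. The facility and severity decode also confirms the post's configuration is doing what it says: PRI 190 is local7/info and 188 is local7/warning, so a severity change alone would trim volume but not remove the AP hostnames.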
What kind of logs do you want? AP messages are part of system messages, so there is no way to turn them off if you want system messages. The typical logging level is warnings. Informational is much more verbose, and that could be why you are seeing so many messages. Try a logging level of warnings on the system log to get fewer messages.
Thanks for the reply.
We need controller-related logs only.
As per your reply, it's clear that we don't have an option to configure it.
@cjoseph wrote: What kind of logs do you want? AP messages are part of system messages, so there is no way to turn them off if you want system messages. The typical logging level is warnings. Informational is much more verbose, and that could be why you are seeing so many messages. Try a logging level of warnings on the system log to get fewer messages.
Did you ever get this to work properly? We are in the beginning phase of implementing QRadar as well and are having the same problem, where the APs are coming through as log sources and taking license seats. I have a ticket open with TAC, but they are not sure why.
Please keep this thread going if you find a solution. My security team is also interested in controller logs being sent to QRadar.
I have my SE coming in next Wednesday to see if he can help with this issue. I will update once we have finished. Is anyone having any luck with QRadar?
WE FOUND A FIX!!!! Our QRadar engineer informed us yesterday that IBM has issued a code release which increases the log source limit to 99 million. He had to sit in on a training session in order to receive the file that would increase our log source license to 99 million.
Here is the response from IBM/QRadar regarding the fix.
“We have faced a similar issue where, when we integrated an Aruba controller with QRadar, all APs associated with the controller were detected as new log sources in QRadar. We have leveraged IBM's new announcement as a workaround for this problem.
IBM recently announced that they are removing the license cap from log sources. You can email firstname.lastname@example.org and ask them for a new license by which your log source limit will reach a whopping 99 million.
So, if the log source license reaches 99 million, we will not have to bother about a few hundred or thousand APs.
Note: You have to be on at least IBM QRadar version 7.2.8.”