So I just grabbed a few random log lines my controller logged:
Sep 7 00:44:14 192.168.8.152 authmgr[2435]: <522125> <2435> <WARN> <wcp2 192.168.8.152> Could not create/find bandwidth-contract for user, return code (-11).
Sep 7 00:47:09 192.168.8.152 authmgr[2435]: <522125> <2435> <WARN> <wcp2 192.168.8.152> Could not create/find bandwidth-contract for user, return code (-11).
Sep 7 20:30:58 192.168.8.152 stm[2452]: <501080> <2452> <NOTI> <wcp2 192.168.8.152> Deauth to sta: 88:63:df:ae:d3:83: Ageout AP 192.168.13.160-94:b4:0f:eb:73:31-ewfmb-rm180 STA has roamed to another AP
Sep 7 20:30:58 192.168.8.152 stm[2452]: <501100> <2452> <NOTI> <wcp2 192.168.8.152> Assoc success @ 20:30:58.606562: 88:63:df:ae:d3:83: AP 192.168.13.115-20:a6:cd:c5:7c:71-ewfmb-rm183-test
Sep 7 19:59:50 192.168.8.129 <wce1 192.168.8.129> rsyncd[20421]: connect from wcp2 (192.168.8.152)
Sep 7 19:59:50 192.168.8.129 <wce1 192.168.8.129> rsyncd[20421]: rsync on rsync/ from wcp2 (192.168.8.152)
I see two different formats being logged and some ambiguous sections:
First:
{date-time [year]} {Originating host} {daemon} {<PRI maybe?>} {<no clue>} {Severity} {hostname and IP?} {message}
Second: similar to the first but no <> fields and the daemon and hostname/ip fields are reversed.
My questions are:
1) Can anyone help decode the content of the <NUM> fields?
2) Why add the <hostname ip> field? It seems superfluous.
3) Why the two formats?
4) Is anyone willing to share an rsyslog template that normalizes these log lines a bit more?
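A sketch of the normalization asked about in question 4, as an added example that is not part of the original post: a Python parser (not an rsyslog template) that maps both formats onto one field set. The field layout is assumed from the sample lines above, and `num1` and `num2` are placeholder names for the two undecoded `<NUM>` fields.

```python
import re

# Pieces shared by both layouts, assumed from the sample lines in the post.
HEAD = r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<origin>\S+) "
PROC = r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: "
HOST = r"<(?P<hostname>[^\s>]+) (?P<host_ip>[^\s>]+)>"

FORMATS = {
    # First: daemon[pid]: <num1> <num2> <SEVERITY> <hostname ip> message
    "first": re.compile(
        HEAD + PROC
        + r"<(?P<num1>\d+)> <(?P<num2>\d+)> <(?P<severity>[A-Z]+)> "
        + HOST + r"\s+(?P<message>.*)$"),
    # Second: <hostname ip> daemon[pid]: message (no numeric or severity fields)
    "second": re.compile(HEAD + HOST + " " + PROC + r"(?P<message>.*)$"),
}
FIELDS = ("timestamp", "origin", "hostname", "host_ip", "daemon", "pid",
          "num1", "num2", "severity", "message")


def normalize(line):
    """Return one dict shape for either layout; absent fields are None."""
    line = line.strip()
    rec = dict.fromkeys(FIELDS)
    for name, rx in FORMATS.items():
        m = rx.match(line)
        if m:
            rec.update(m.groupdict())
            rec["format"] = name
            return rec
    # Keep lines that fit neither layout instead of dropping them.
    rec.update(format="unparsed", message=line)
    return rec


SAMPLES = [
    # Two lines copied from the post, one per layout.
    "Sep 7 00:44:14 192.168.8.152 authmgr[2435]: <522125> <2435> <WARN> "
    "<wcp2 192.168.8.152> Could not create/find bandwidth-contract for user, "
    "return code (-11).",
    "Sep 7 19:59:50 192.168.8.129 <wce1 192.168.8.129> rsyncd[20421]: "
    "connect from wcp2 (192.168.8.152)",
    # Constructed line that fits neither layout.
    "Sep 7 21:00:00 192.168.8.152 free-form text without a daemon tag",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```

In the sample lines from the post, the second bracketed number has the same value as the PID in `daemon[pid]`, which the parsed `num2` and `pid` fields make easy to compare across a larger log.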