ArubaOS and Controllers

Occasional Contributor II

tracking policy violations without looking at security logs

We have 2 SSIDs. 1 is WPA and has full access to our network but is also behind a NAC appliance, so users are scanned for antivirus, antispyware, critical updates etc. The other SSID is OPEN but the policy on that role is we only allow port 80 traffic. We can usually tell if someone is on the open network and has a virus since there are around 20-30 hits a second all to different IPs and ports. We blacklist these clients even though the policy blocks the traffic. They have to come to the helpdesk and manually get scanned in order for us to unblacklist them.
My question is: Is there an easier way to track this besides logging into the controller and looking at the security logs or forwarding the messages onto a syslog server to create snmp traps to forward to an SNMP server for threshold alerts? Of course there will always be around 2-3 violations a second from each controller for normal people who just try and use email or something, but we are specifically looking for those clients who are producing 20-30/second violations, which typically means they have a virus. Example:
Dec 3 10:44:44 :124006: |authmgr| {6300132} UDP srcport=64982 dstport=5355, action=deny, role=open-valid, policy=Drop-And-Log
It would be nice if there were some kind of MIB to show number of firewall hits so I can go into the controller and look at the mac address of the violating client.