Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Source ID Logs IAP 215

  • 1.  Source ID Logs IAP 215

    Posted Feb 22, 2018 09:20 AM

    Hi,

    I have an IAP-215 (version 6.4.4.8-4.2.4.6_58505) network sending logs to a Graylog server.

    It's working fine, but the source ID of the logs sent from the IAPs to the Graylog is set to "1970".

    How can I change this ID? I would like it to match my virtual controller name, for example.

    And why is this ID set to 1970 by default?

    Thanks,

    Medjaÿ.



  • 2.  RE: Source ID Logs IAP 215

    EMPLOYEE
    Posted Feb 22, 2018 09:27 AM

    Please print an example.  It almost seems that the IAP did not get the time via NTP.



  • 3.  RE: Source ID Logs IAP 215

    Posted Feb 22, 2018 10:33 AM

    You will find attached an example of the messages received on the Graylog.

    There is no NTP configured on the IAPs!

    Could the default date of the IAP be something in year 1970 and the year is used as the ID?

    Thanks for your reply.



  • 4.  RE: Source ID Logs IAP 215

    MVP EXPERT
    Posted Feb 22, 2018 10:41 AM

    I suspect it is due to the IAP probably being based on Unix; the Unix epoch is midnight on January 1, 1970.


    Try adding an NTP server first.

     

    #ntp-server [NTP SERVER IP]

     



  • 5.  RE: Source ID Logs IAP 215

    Posted Feb 22, 2018 10:56 AM

    I just added the NTP server, now the logs source ID is 2018 (you'll find an example attached).

    As you suggested, it seems that the source ID is the year of the date in the IAPs.

    Is it possible to manually set this ID value? I would like it to be the name of the Virtual Controller.



  • 6.  RE: Source ID Logs IAP 215

    MVP EXPERT
    Posted Feb 22, 2018 11:03 AM

    Have you tried a later firmware version? I am running 6.4.4.8-4.2.4.10 and my logs appear to be correctly formatted.

     

    Feb 22 15:59:17 stm[1712]: <501199> <NOTI> |AP Instant-105@192.168.1.7 stm| User authenticated, mac-xx-xx-xx-xx, username-android12331242414, IP-192.168.1.11, method-Unknown auth type, role-wlan

    Is the time/date correctly set?

     

    Instant-105# show clock
    Current Time     :2018-02-22 16:02:02


  • 7.  RE: Source ID Logs IAP 215

    Posted Feb 22, 2018 11:12 AM

    Unfortunately this is a client network so I can't launch a firmware update right now.

    At least you solved the 1970 mystery!

    I will update the firmware ASAP and let you know if that works.

    Thank you for your time,

    Medjaÿ.



  • 8.  RE: Source ID Logs IAP 215

    EMPLOYEE
    Posted Feb 26, 2018 07:44 AM

    Disclaimer: I'm not a Graylog expert.

     

    To me, it looks like the Graylog extractor needs to be fixed, not the Instant AP.

     

    After some reading, Graylog appears to work with 'extractors' that map fields in the log file to fields that the system can work with, like date, source IP, etc. You should have an extractor specific for Aruba Instant, which I could not find in 3 minutes of searching.



  • 9.  RE: Source ID Logs IAP 215
    Best Answer

    Posted Feb 26, 2018 09:44 AM

    As suggested, it is possible to work with extractors and pipelines to create the desired log message.

    Here is the link to the post I created on the Graylog community website:

    https://community.graylog.org/t/wrong-source-id-for-aruba-iap-215-logs/4359/3 There you will find links to the documentation about extractors and pipelines.

    Thanks, everybody, for your time!

    Bye.



  • 10.  RE: Source ID Logs IAP 215
    Best Answer

    EMPLOYEE
    Posted Feb 22, 2018 11:07 AM

    @Medjaÿ wrote:

    I just added the NTP server, now the logs source ID is 2018 (you'll find an example attached).

    As you suggested, it seems that the source ID is the year of the date in the IAPs.

    Is it possible to manually set this ID value? I would like it to be the name of the Virtual Controller.


    That is because the syslog coming from an Aruba Controller and an Instant AP includes the year as a field.  Your syslog server is treating that field as a hostname.  Unfortunately, there is no way configuration-wise to change that.  You can request that this be changed here:  https://innovate.arubanetworks.com/
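
The misparse discussed in this thread, as an added example that is not part of the original posts or of Aruba's or Graylog's code: a generic RFC 3164 parser reads the year token as the hostname, while a parser that knows about the extra field takes the source from the `|AP name@ip process|` marker instead. The sample line is constructed from the message shown in post 6; the year sitting directly after the time, the PRI value and the function names are assumptions.

```python
import re

# Constructed sample: post 6's message with an assumed PRI and the year field
# placed right after the time (assumption; no raw capture is on the page).
SAMPLE = ("<141>Feb 22 15:59:17 2018 stm[1712]: <501199> <NOTI> "
          "|AP Instant-105@192.168.1.7 stm| User authenticated, IP-192.168.1.11")

TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})"

# Generic BSD syslog layout: <PRI>TIMESTAMP HOSTNAME MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>" + TS + r" (?P<host>\S+) (?P<msg>.*)$")

# Aruba-aware layout: optional 4-digit year after the time, AP identity taken
# from the "|AP name@ip process|" marker inside the message.
ARUBA = re.compile(
    r"^<(?P<pri>\d{1,3})>" + TS + r" (?:(?P<year>\d{4}) )?"
    r"(?P<msg>.*?\|AP (?P<ap>[^@|]+)@(?P<ip>[\d.]+) \S+\|.*)$")


def generic_source(line):
    """Source a plain RFC 3164 parser would report (the token after the time)."""
    m = RFC3164.match(line)
    return m.group("host") if m else None


def aruba_fields(line):
    """Extract source and timestamp, tolerating the extra year field."""
    m = ARUBA.match(line)
    if not m:
        return None  # not an Instant AP line; leave it to the generic parser
    year = m.group("year")
    return {
        "source": m.group("ap"),
        "ap_ip": m.group("ip"),
        "timestamp": f"{year} {m.group('ts')}" if year else m.group("ts"),
        # Year 1970 means the AP clock was never set (no NTP), so event
        # times from this device cannot be trusted for correlation.
        "clock_unsynced": year == "1970",
        "message": m.group("msg"),
    }


if __name__ == "__main__":
    print("generic parser source:", generic_source(SAMPLE))
    print("aruba-aware fields   :", aruba_fields(SAMPLE))
```

The marker carries the AP name, not the virtual controller name; mapping one to the other would need a lookup on the log server side.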