Controllerless Networks

Reply
Occasional Contributor I

Source ID Logs IAP 215

Hi,

I have an IAP-215 (version 6.4.4.8-4.2.4.6_58505) network sending logs to a Graylog server.

Its working fine but the source ID of the logs sent from the IAPs to the Graylog is set to "1970".

How can i change this ID ? I would like it to match my virtual controller name for example.

And why is this ID set to 1970 by default ?

Thanks,

Medjaÿ.

Guru Elite

Re: Source ID Logs IAP 215

Please print an example.  That almost seems that the Iap did not get the time via NTP.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor I

Re: Source ID Logs IAP 215

You will find attached an example of the messages received on the Graylog.

There is no NTP configured on the IAPs !

Could the default date of the IAP be something in year 1970 and the year is used as the ID ?

Thanks for your reply.

Re: Source ID Logs IAP 215

I suspect it due to be the IAP probably being based on Unix, the Unix epoch is midnight on January 1, 1970.


Try adding  NTP server first.

 

#ntp-server [NTP SERVER IP]

 


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor I

Re: Source ID Logs IAP 215

I just added the NTP server, now the logs source ID is 2018 (you'll find an example attached).

As you suggested, it seems that the source ID is the year of date in the IAPs.

Is it possible to manually set this ID value ? I would like it to be the name of the Virtual Controller.

Re: Source ID Logs IAP 215

Have you tried a later firmware version? I am running 6.4.4.8-4.2.4.10 and my logs appear to be correctly formatted.

 

Feb 22 15:59:17 stm[1712]: <501199> <NOTI> |AP Instant-105@192.168.1.7 stm| User authenticated, mac-xx-xx-xx-xx, username-android12331242414, IP-192.168.1.11, method-Unknown auth type, role-wlan

Is the time/date correctly set?

 

Instant-105# show clock
Current Time     :2018-02-22 16:02:02

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Guru Elite

Re: Source ID Logs IAP 215


@Medjaÿ wrote:

I just added the NTP server, now the logs source ID is 2018 (you'll find an example attached).

As you suggested, it seems that the source ID is the year of date in the IAPs.

Is it possible to manually set this ID value ? I would like it to be the name of the Virtual Controller.


That is because the syslog coming from an Aruba Controller and an Instant AP includes the year as a field.  Your syslog server is treating that field as a hostname.  Unfortunately, there is no way configuration-wise to change that.  You can request that this be changed here:  https://innovate.arubanetworks.com/


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor I

Re: Source ID Logs IAP 215

Unfortunately this is a client network so I can't launch a firmware update right now.

At least you solved the 1970 mystery !

I will update the firmware asap and let you know if that works.

Thank you for your time,

Medjaÿ.

Re: Source ID Logs IAP 215

Disclaimer: I'm not a Graylog expert.

 

To me, it looks like the Graylog extractor needs to be fixed, not the Instant AP.

 

After some reading, Graylog appears to work with 'extractors' that map fields in the log file to fields that the system can work with like date, source IP, etc. You should have an extractor specific for Aruba Instant, which I could not find in 3 minutes searching.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor I

Re: Source ID Logs IAP 215

As suggested, it is possible to work with extractors and pipeline to create the desired log message.

Here is the link to the post I created on the Graylog community website :

https://community.graylog.org/t/wrong-source-id-for-aruba-iap-215-logs/4359/3 there you will find links to the documentations about extractors and pipelines.

Thank everybody for your time !

Bye.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: