Network Management

Hi,

     I want to log some syslog data in Airwave from Firewall. When I configured the syslog on the firewall, too many logs are coming to Airwave. So If I logs in Airwave all this syslog data from firewall disc capacity will not enough in a few days. If I change the syslog severity in firewall to up level (from information to notification) the logs are not coming such I want. Is it possible to filter for incoming syslog data with the words in Airwave with device base? 

Thanks in advace.

Yes.  This is possible.  You can search on the message context in the event viewer but more effectively, you can setup triggers to email or alert based on conditions you yourself set in Airwave.  

Here is an example

 

Hi Seth,
Thanks for your reply. I think that for using this trigger the syslog data can be come to the airwave. But too much waste data is coming to airwave and consume the disc quickly. Due to this I don't want to save all syslog data coming from firewall. Is there a way for filtering while coming syslog data before saving in airwave?

No..there is no way to filter that out after it’s received in Airwave…however, syslog doesn’t consume a ton of space

When I activated syslog proper least severity coming about 2k log in a minute despite I close other futures.

Is there a specific message that you are looking for?  It is probably better to setup the controller to send the SNMP trap equivalent for what you are looking for to Airwave and to send syslog to another device, if you are getting so many syslog messages.   https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=14097

 

If you know what specific message and severity you are looking for, you can send only syslog for that severity for the specific train of messages you are looking for.  For example, if the message you are receiving is only in "system" and is "informational", you can do this:

 

config t

logging 192.168.1.3 type system severity informational

 

If you must send syslog to  Airwave you can also limit the days of stored device events by changing the data retention number:

 

Hi Colin,

Thank you for your detailed explanation. I tried this way. Source device is Fortigate firewall. I configured snmp trap with all section in Fortigate.

 

 But all I can see that logs in Airwave at below.

 

 

 

That looks like fortigate's screen for just SNMP Traps.  Is there a screen for syslog?  Airwave does not have Forgtigate's MIB to interpret those traps, so it probably does not make sense to send any traps to Airwave, because they will not be interpreted correctly.  See if you can find the syslog configuration screen.

When I set Syslog severity inf. like below usefull logs coming but too many unnecessary logs coming as dhcp logs for 1k users.

 

 

 

 

 

 

Did you try a severity of "warnings" ?

 

Yes I tried. But didn't get. Only I can get in information of severity. Have something to be done in Airwave  ?