Network Management

In reveiwing the User Guide for AirWave 8.2 it specifically states "RAPIDS can be configured to alert administrators via email, SNMP traps, or syslog messages after a threat is identified" yet I can not seem to find where this is configurable. Within the system triggers email and snmp can be configured but not syslog.

 

Anyone have any ideas?

http://www.arubanetworks.com/techdocs/AirWave_8_0_Web_Help/UserGuide.htm#AWUserGuide/Chapter2_Config/setup_external_logging.htm?Highlight=syslog

This is for infrastructure event logs (device up/down) and audit logs (administrative changes) but I didn't think is also include RAPIDS events.

I'm looking for the same info as AirWave aggregates the RAPIDS events for a large deployment that I'm involved in.

Works mostly like in cjoseph's link:

System > Triggers > Add

Choose type - look for IDS Events section

 

Here's a screenshot of my Rogue Device Detected alert - it sends me an email and a trap to syslog (which aggregates it in our SIEM)

Within your trigger setup you are having AirWave send Alert notifications to an NMS and you are selecting your NMS server but when you configure the NMS your only options are snmp there is no option for syslog. Am I missing something?

 

"AMP can send SNMPv1, SNMPv2 traps or SNMPv3 in forms to NMS servers."

You're correct, I got confused.

We send SNMP trap to NMS - a very good example of the wrong thing. Sorry.

For syslog, we pipe all Airwave syslog to our central syslog server and pares the RAPIDS events there.

I fully understand that AirWave is capable to send data to a SIEM.

 

My problem is there is no granularity in what we send to the SIEM. Having too much information is sometime worst than than having none.

 

To aleviate the problem, I've add another SNMP server, which acts as a "proxy" where I filter out the unwanted stuff. This being said, I wish AirWave could make this on its own.