Wireless Access

Hi,

 

I use graylog to receive logs of all my equipment but i don't know how can i configure sylog service on aruba to send log on my graylog server.

I use the CLI interface

Please help me !

 

Regards

That looks like it is sending syslog to 10.10.1.235

precisely not.

I don't receive anything and i don't know why

What logging level do you have configured?  Configuring logging is detailed here:  https://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/Configuring_Logging.htm?Highlight=syslog

my configuration

The syslog facility on your syslog server needs to match what is on the controller to see any messages.  Please look at the link I posted to see if anything applies to your setup.

i put informationnal level for few category

but stille nothing

 

Configuration of syslog service is correct ? 

 

The default syslog port is 514.  Why do you have 5141 configured?

why ?, i can't use this port ?

 

On my graylog server, port is listen

# netstat -an | grep 5141
udp6 0 0 :::5141 :::*

You can use that port.

You just have to make sure your syslog is listening on the same facility that you have configured on the controller.

Changing the svc-syslog netdest doesnt magically make the controller start to use port 5141 for syslog, in fact you need to put that back to udp/514. AFAIK the controller logging directives won't let you change the dest port. If you need to remap it you can add a dst-nat rule in an ACL on the outbound port, or, use iptables input rule on the graylog machine to map 514 into 5141 for the controller source ip (presuming it's linux based)

 

Additionally, you may find that the syslog is actually going where you expect, just to the wrong port - use wireshark on the graylog machine to check. Also, don't forget that the controller will send various patterns of log messages, all of which are non RFC 3164 conformant which may cause them not to be picked up by graylog by default. There is an option in later s/w versions to change the log format to 3164 compliant, but if you're on a 6xx it may be too old, you can check the docs about it.

 

 

I changed to 514 port but i still have nothing.

Port 514 is up on my graylog server because i receive log from other equipment (firewall, etc...)

i had to use iptables to redirecte port 514 on port 1514 on my graylog server.

It's work for firewall and switch equipment but nothing for Aruba wifi controler

 

you should do a packet capture with wireshark to see if any udp/514 is coming from the controller.

when i do a tcpdump, i receive log from aruba so i thing my problem is elsewhere