Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Integrating MMS/MCs to SIEM

  • 1.  Integrating MMS/MCs to SIEM

    Posted Aug 19, 2020 10:42 PM

    Hi community,

     

    I have to configure my Aruba solution to send syslogs to customer's SIEM. Which devices send syslogs to SIEM or syslog servers? MMs? MCs? Both? I need to know this in order to know in which hierarchy to make the syslog configuration. Thanks in advance.

     

    Regards,

    Julián



  • 2.  RE: Integrating MMS/MCs to SIEM

    EMPLOYEE
    Posted Aug 20, 2020 12:19 AM

    Any device (MM, MC) can be configured to send its logs to a syslog (or SIEM) server. Each type of device will concern itself with different things; obviously MMs are not aware of users etc. Can you be more specific about what it is that you're trying to clarify here?



  • 3.  RE: Integrating MMS/MCs to SIEM

    Posted Aug 20, 2020 12:54 AM

    Hi,

     

    Basically I have to configure my Aruba solution to send Security, System and User syslogs to the customer's SIEM, and I don't know if these syslogs are generated from MMs or MCs. According to the user guide I have to configure only MDs:

     

    [screenshot: fjulianom_0-1597898964950.png]

    But you say MMs can also send syslogs, then I have to make the syslog configuration under Managed Network node hierarchy and also under Mobility Master node hierarchy. Is that right?

     

    Regards,

    Julián



  • 4.  RE: Integrating MMS/MCs to SIEM

    EMPLOYEE
    Posted Aug 20, 2020 01:02 AM

    yes that's correct - same as you would have to do for, say, NTP servers.



  • 5.  RE: Integrating MMS/MCs to SIEM

    Posted Aug 20, 2020 01:35 AM

    Hi jgoff,

     

    One more doubt about this. Right now I have two AirWave servers receiving syslogs from warning severity:

    [screenshot: awlog.PNG]

    I have to add the SIEM server and send to it syslogs with all severities within the categories Security, System and User. How can I do it? When adding the new syslog server, I will select logging level debugging, since it is the least critical severity, and then I will send syslogs from Emergency to Debug severities (i.e. all severities). But when adding the new syslog server I can only select one category, and not the three I need, as shown below:

    [screenshot: catlog.png]

    Then, how can I achieve my customer's requirements?

     

    Regards,

    Julián



  • 6.  RE: Integrating MMS/MCs to SIEM
    Best Answer

    EMPLOYEE
    Posted Aug 20, 2020 01:42 AM

    The logging setup will determine what gets logged into the controller's logs, and is thus made eligible for sending to syslog.

     

    the syslog level is the 'filter' that chooses from what the controller is logging

     

    e.g.

    if 'user' logging is set to level info, and syslog is set to level debugging, then you get all info logs from 'user'

     

    if 'user' logging is set to level debugging and syslog is set to level 'warning', then none of the "debug" or "info" logs will be sent to syslog, but they will still be logged in the controller logs

     

    Likely what you want is that the syslog severity is set to debugging, and then you control what goes in by selecting the correct "logging" setup. Note that if you try to set logging level 'debugging' on multiple categories (e.g. system, security, user) you will cause high CPU (or system instability). Therefore you should exercise caution if you plan to collect logging level 'debugging' all of the time, and try to narrow it down using subcat and process masks.

     

    said another way - it's usually not advisable to turn on debugging and try to collect everything - you should establish the things you are looking to collect (say for example you want to keep info about IP to mac address mapping and associations) and then try to find that information in "info" level logs first and try to avoid the urge to enable "debugging" (especially in system and security categories)



  • 7.  RE: Integrating MMS/MCs to SIEM

    Posted Aug 20, 2020 12:10 PM

    Hi jgoff,

     

    Very good explanation, got it about debug logs and high CPU. I will try to narrow it. Please help me with this:

     

    1. When you say "the syslog level is the 'filter' that chooses from what the controller is logging", do you mean the logging level within the syslog server? Or within the logging levels section below? [screenshot: loglevel.png]
    2. On the other hand, if I want to send Security, System and User category logs, I think I will have to create the new SIEM server and select category Security, create the same new server (same IP address) and select category System, and create the same new server (same IP address again) and select the User category. Am I right?

     

    Regards,

    Julián



  • 8.  RE: Integrating MMS/MCs to SIEM

    EMPLOYEE
    Posted Aug 20, 2020 10:46 PM

    When you say "the syslog level is the 'filter' that chooses from what the controller is logging", do you mean the logging level within the syslog server? Or within the below logging levels section

     

    [jg] They are the same; I don't quite follow your question though. The log level applied to a syslog server is a _filter_ only, which limits what will be sent from the pile of logs that are generated by whatever logging you have enabled. If the syslog level is set high (say critical) then there will be no syslog for anything lower than critical, regardless of whether info, notification or debugging level logs are being generated by the 'logging' config.

     

    create the same new server (same IP address) and select category System, and create the same new server (same IP address again) and select User category. Am I right

     

    [jg]  You can leave category as its default of 'none' which will act as a wildcard and send all categories. No need to create one for each.



  • 9.  RE: Integrating MMS/MCs to SIEM

    Posted Aug 21, 2020 12:38 AM

    Hi jgoff,

     

    [jg]  You can leave category as its default of 'none' which will act as a wildcard and send all categories. No need to create one for each.

     

    But that's not an option because the customer doesn't want to send all categories to the SIEM, only three of them. Taking that into account, I think the only option is to create three syslog servers with the same IP and select one category on each (security, system and user). Maybe this will be clearer to me with an example. Let's say I want to send security and user syslogs from severity notice to one syslog server; will this be the configuration?

     

    #logging 1.1.1.1 type security severity notifications

    #logging 1.1.1.1 type user severity notifications

     

    Is that right?

     

    Regards,

    Julián



  • 10.  RE: Integrating MMS/MCs to SIEM

    EMPLOYEE
    Posted Aug 21, 2020 12:52 AM

    yes that config looks OK

     

    You're likely to find that you're going to have to filter a lot of junk messages out anyways (unfortunately the logs have many such messages, especially if you head down to info and debugging levels), so finding a way to drop low info/noisy messages is going to be a requirement (and thus it would serve to drop unwanted message categories if you had used the wildcard category - in the end it's the same thing)
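
A small model of the two-stage path described in posts 6, 8 and 10, added here as an illustration (it is not code from the thread or from ArubaOS). Stage 1 is the `logging level <level> <category>` setup that decides what the controller records; stage 2 is each `logging <server>` entry, which only filters that record by severity and, optionally, by category. The events, the default per-category level of warnings and the CLI rendering are assumptions made for the example. It reproduces the two cases from post 6, and shows that the two per-category entries from post 9 deliver the same messages as one wildcard-category entry followed by dropping unwanted categories on the receiver, as post 10 says.

```python
"""Model of the two-stage log path described in the thread.

Stage 1, `logging level <level> <category>`, decides what the controller
records in its own log.  Stage 2, `logging <server> [type <cat>] severity
<sev>`, is only a filter over that record.  Constructed example: the events
below are made up and the default levels are assumptions, not ArubaOS output.
"""
from dataclasses import dataclass
from typing import List, Optional

# Syslog severities in ArubaOS CLI spelling; the index is the RFC 5424
# numeric code, so "more severe" means a smaller number.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
SEV = {name: code for code, name in enumerate(SEVERITIES)}
DEFAULT_LOGGING_LEVEL = "warnings"  # assumed per-category default


@dataclass(frozen=True)
class Event:
    category: str   # security | system | user | network | ...
    severity: str
    msg: str


@dataclass(frozen=True)
class SyslogServer:
    addr: str
    severity: str
    category: Optional[str] = None  # None == category 'none', i.e. wildcard

    def cli(self) -> str:
        """CLI line in the form posted in the thread (syntax assumed)."""
        cat = f" type {self.category}" if self.category else ""
        return f"logging {self.addr}{cat} severity {self.severity}"


def recorded_locally(events, logging_levels) -> List[Event]:
    """Stage 1: keep an event only if its category's logging level admits it."""
    return [e for e in events
            if SEV[e.severity]
            <= SEV[logging_levels.get(e.category, DEFAULT_LOGGING_LEVEL)]]


def forwarded(local_log, server: SyslogServer) -> List[Event]:
    """Stage 2: the server entry filters the local log; it never adds to it."""
    return [e for e in local_log
            if SEV[e.severity] <= SEV[server.severity]
            and (server.category is None or e.category == server.category)]


def receiver_drop(messages, keep_categories) -> List[Event]:
    """SIEM-side filter, the wildcard-category variant from post 10."""
    return [e for e in messages if e.category in keep_categories]


def sample_events() -> List[Event]:
    # Constructed events, not real controller messages.
    return [
        Event("user", "notifications", "user authenticated"),
        Event("user", "informational", "station associated"),
        Event("user", "debugging", "dhcp frame parsed"),
        Event("security", "warnings", "auth failure"),
        Event("security", "informational", "acl hit"),
        Event("system", "errors", "process restarted"),
        Event("system", "notifications", "config saved"),
        Event("network", "notifications", "route added"),
    ]


def msgs(events) -> List[str]:
    return sorted(e.msg for e in events)


def case_user_info_syslog_debug() -> List[str]:
    """Post 6, first example: user at info, server at debugging -> all user info logs."""
    local = recorded_locally(sample_events(), {"user": "informational"})
    return msgs(forwarded(local, SyslogServer("1.1.1.1", "debugging", "user")))


def case_user_debug_syslog_warning():
    """Post 6, second example: user at debugging, server at warnings.
    Returns (messages in the local log, messages actually forwarded)."""
    local = recorded_locally(sample_events(), {"user": "debugging"})
    sent = forwarded(local, SyslogServer("1.1.1.1", "warnings", "user"))
    return msgs(local), msgs(sent)


def case_per_category_vs_wildcard():
    """Posts 9/10: two entries for the same IP (type security, type user)
    versus one wildcard entry plus dropping other categories at the receiver."""
    levels = {"security": "notifications", "user": "informational",
              "system": "notifications"}
    local = recorded_locally(sample_events(), levels)
    per_cat = [SyslogServer("1.1.1.1", "notifications", "security"),
               SyslogServer("1.1.1.1", "notifications", "user")]
    via_per_cat = [e for s in per_cat for e in forwarded(local, s)]
    wildcard = SyslogServer("1.1.1.1", "notifications")
    via_wildcard = receiver_drop(forwarded(local, wildcard), {"security", "user"})
    return [s.cli() for s in per_cat], msgs(via_per_cat), msgs(via_wildcard)


if __name__ == "__main__":
    print(case_user_info_syslog_debug())
    print(case_user_debug_syslog_warning())
    print(case_per_category_vs_wildcard())
```

The second case is the one worth remembering: with `user` at debugging the debug and info events sit in the controller's local log (and cost CPU) but a warnings-level server entry forwards none of them, so raising the logging level without raising the server severity buys nothing at the SIEM.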

     



  • 11.  RE: Integrating MMS/MCs to SIEM

    Posted Aug 21, 2020 01:51 PM

    Hi jgoff,

     

    I've worked along with customer to narrow the severities for syslogs I am going to configure. Finally I am going to send syslogs from severity Warning (and below) for Security and System categories. For User category customer wants to receive syslogs from severity Informational (and below). That means to receive informational, notice, warning and below severities for User syslogs. Do you think this will cause high CPU or system instability?

     

    Many thanks for your interest,

    Julián



  • 12.  RE: Integrating MMS/MCs to SIEM

    EMPLOYEE
    Posted Aug 22, 2020 12:27 AM

    You should be OK with the proposed logging setup; I'm not too concerned with it. Setting log user to level info is voluminous, but I've not seen it cause problems before, so I'd say proceed with it.



  • 13.  RE: Integrating MMS/MCs to SIEM

    Posted Aug 22, 2020 12:58 AM

    Hi jgoff,

     

    OK, many thanks for your opinion

     

    Regards,

    Julián