Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Logging RAPIDS events to a local file

  • 1.  Logging RAPIDS events to a local file

    Posted Dec 13, 2012 12:06 AM

    Hi All,

     

    For the purposes of PCI compliance, I am attempting to log rogue access points that are detected via RAPIDS into a central log aggregation/reporting (Splunk) instance. I'm trying to determine where the received SNMP traps are logged to, but:

     

    /opt/airwave/sbin/snmptrapd -n -On -A -t ...

     

    The "-t" switch in the snmptrapd instance specifies not to write traps to Syslog

     

    ... -LF e /var/log/snmptrapd ...

     

    While this switch specifies to write SNMP messages to /var/log/snmptrapd, all I seem to be getting in here is:

     

    couldn't open udp:162 -- errno 98 ("Address already in use")

     

    Despite the AirWave GUI saying it has detected rogues???

     

    So the question...

     

    How can I get AirWave to log rogue/suspected rogues to a file &/or forward these events to a Syslog server?

     

    Thanks in advance :-)



  • 2.  RE: Logging RAPIDS events to a local file

    EMPLOYEE
    Posted Dec 13, 2012 04:53 PM

    You can try doing the following:

    # qlog enable snmp_traps

    This will output to /var/log/amp_diag/snmp_traps

     

    We typically don't run qlogs on a permanent basis, but if this is getting the information you need, then you can add it into a custom post nightly script that would make sure this script is enabled. The log files in the output directory should adhere to regular log rotation that the AMP has set for /var/log. And then use another script to extract/download the log to a designated host to retain (at the same time, rename the file so that it doesn't overwrite past copies).



  • 3.  RE: Logging RAPIDS events to a local file

    Posted Dec 13, 2012 06:07 PM

    Thanks Rob,

     

    Unfortunately this appears to be more diagnostics than actual traps being received. Plugging in a rogue AP in the network is detected in the AirWave GUI, but is only reflected in /var/log/amp_diag/snmp_traps as:

     

    [...repeat...]

    1355439785.563854 1715 handle_trap|class=Mercury::AP::Dell::Swarm
    1355439785.564499 1715 explicit_drop|reason=no_dispatch_entry
    1355439785.565197 1715 handle_trap|class=Mercury::AP::Dell::Swarm

    [...repeat...]

     

    I am currently configuring up a separate server with a snmptrapd instance to add as an NMS target, but was hoping to handle this locally. If you think of anything else that would help, it would be greatly appreciated.

     

    Regards,

     

    RT from O2
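
An added example, not part of the original posts and not AirWave code: a small parser for the /var/log/amp_diag/snmp_traps lines quoted above that turns them into timestamped key=value records and counts which trap classes are being dropped and why. The line layout and the pairing of an `explicit_drop` with the preceding `handle_trap` from the same PID are assumptions inferred only from the three quoted lines; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# The three lines quoted in the post above (class name written without spaces).
SAMPLE = """\
1355439785.563854 1715 handle_trap|class=Mercury::AP::Dell::Swarm
1355439785.564499 1715 explicit_drop|reason=no_dispatch_entry
1355439785.565197 1715 handle_trap|class=Mercury::AP::Dell::Swarm
"""

# Assumed layout, inferred from those lines: "<epoch> <pid> <event>|k=v|k=v"
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\d+)\s+(\w+)(?:\|(.*))?$")

def parse_line(line):
    """Return a dict for one qlog line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch, pid, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split("|") if "=" in kv)
    ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc).isoformat()
    return {"time": ts, "pid": int(pid), "event": event, **fields}

def to_kv(rec):
    """Render a record as key="value" pairs, a form log indexers extract easily."""
    return " ".join(f'{k}="{v}"' for k, v in rec.items())

def summarize_drops(text):
    """Count (trap class, drop reason) pairs.

    Assumption: an explicit_drop refers to the most recent handle_trap
    logged by the same PID.
    """
    last_class, drops = {}, Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank lines and markers such as "[...repeat...]"
        if rec["event"] == "handle_trap":
            last_class[rec["pid"]] = rec.get("class", "unknown")
        elif rec["event"] == "explicit_drop":
            cls = last_class.pop(rec["pid"], "unknown")
            drops[(cls, rec.get("reason", "unknown"))] += 1
    return drops

if __name__ == "__main__":
    for (cls, reason), n in summarize_drops(SAMPLE).items():
        print(f'dropped_traps class="{cls}" reason="{reason}" count={n}')
```
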



  • 4.  RE: Logging RAPIDS events to a local file
    Best Answer

    EMPLOYEE
    Posted Dec 13, 2012 06:21 PM

    The only other thing I can think of would be to use the Daily New Rogue Devices Report and have it emailed externally.  This could be sent to an email address or maintained on the AMP (just be aware of the report age out setting on AMP Setup -> Historical Data Retention).



  • 5.  RE: Logging RAPIDS events to a local file
    Best Answer

    Posted Dec 19, 2012 08:02 PM

    Thanks for your help Rob,

     

    The way we ended up approaching this was through setting up the appropriate triggers and monitoring the amp_events log file.

     

    Thanks again for your help :-)