Wireless Access

About a month ago we upgraded to 6.3.1.9 on our Aruba 3600 controllers.  Since that time the syslog messages have included the year after the month day and time.  Previously the syslogs were boken up by ip (or hostname)/year/month/day and then a log file for every hour.  (Full disclosure: this was not my doing but the person before me in this role).  The result is that all the logs from the controllers and ap's go to a folder (hostname) called "2014" so the path is now 2014/2014/09/22  has anyone else run into this problem?  Have any creative ways to solve this?  Eventually I would like to just dump everyting to Splunk but until we by it this is what I have.

Fixing this is an open feature request here:

https://arubanetworkskb.secure.force.com/cp/ideas/viewIdea.apexp?id=08740000000LFfoAAG

...you may want to vote it up.

We looked into how to teach rsyslog to deal with this unusual date format, but

it looked like we would have to create our own parser and compile rsyslog from source

in order to do that, or do a prohibitively clever set of variable manipulations in the

config file to reshuffle everything.

The date they are sending now is not complaint with newer syslog date formats that do include the year, nor is is compliant with the older standard which explicitly says not to do the exact thing that that Aruba did here:

"

 It has been seen
   that some original syslog messages contain a more explicit time stamp
   in which a 2 character or 4 character year field immediately follows
   the space terminating the TIMESTAMP.  This is not consistent with the
   original intent of the order and format of the fields.  If
   implementers wish to contain a more specific date and time stamp
   within the transmitted message, it should be within the CONTENT
   field.  Implementers may wish to utilize the ISO 8601 [7] date and
   time formats if they want to include more explicit date and time
   information."