Wireless Access

Contributor I

Understanding syslog format in AOS8

So I just grabbed a few random log lines my controller logged:



Sep  7 00:44:14 authmgr[2435]: <522125> <2435> <WARN> <wcp2>  Could not create/find bandwidth-contract for user, return code (-11).
Sep  7 00:47:09 authmgr[2435]: <522125> <2435> <WARN> <wcp2>  Could not create/find bandwidth-contract for user, return code (-11).
Sep  7 20:30:58 stm[2452]: <501080> <2452> <NOTI> <wcp2>  Deauth to sta: 88:63:df:ae:d3:83: Ageout AP STA has roamed to another AP
Sep  7 20:30:58 stm[2452]: <501100> <2452> <NOTI> <wcp2>  Assoc success @ 20:30:58.606562: 88:63:df:ae:d3:83: AP
Sep  7 19:59:50 <wce1> rsyncd[20421]: connect from wcp2 ( 
Sep  7 19:59:50 <wce1> rsyncd[20421]: rsync on rsync/ from wcp2 ( 

I see two different formats being logged and some ambiguous sections:


{date-time [year]} {Originating host} {daemon} {<PRI maybe?>} {<no clue>} {Severity} {hostname and IP?} {message}

Second: similar to the first but no <> fields and the daemon and hostname/ip fields are reversed.


My questions are:


1) Can anyone help decode the content of the <NUM> fields?

2) Why add the <hostname ip> field? it seems superfluous

3)Why the two formats?

4)Is anyone willing to share an rsyslog template that normalizes these log lines a bit more?





MVP Guru

Re: Understanding syslog format in AOS8

Have you found the Syslog message guide on the Support website for your version of ArubaOS?

(Edit: added link to the latest version is for 6.5.x, which appears close enough for the purpose)


In the following chapters, messages are defined in generic terms with variables.

Jan 23 16:26:51 sapd[148]: <404003> <WARN> |AP 00:0b:86:cb:85:db@ sapd| AM
00:0b:86:38:5d:b0: Interfering AP detected with SSID 06B408550367 and BSSID

In this case, the message elements are:

  •  <date and time stamp> = Jan 23 16:26:51<--timestamp showing when the message was created

  • <error location>: = sapd[148]: <--the specific module location where this syslog was generated

  • <error number> = <404003> <--a unique number within the set of messages generated by


  • <severity> = <WARN> <--Message severity level

  • |<process>| = |AP 00:0b:86:cb:85:db@ sapd| <--the AP MAC and IP addresses

  • message text = <--the remaining part of the message.

I see in my logs as well the process id returning later on (2435 and 2452).


Think you should be able to get started from here. I don't know about rsyslog templates, didn't even know that rsyslog allows normalization.

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Search Airheads
Showing results for 
Search instead for 
Did you mean: