Contributor I

Understanding syslog format in AOS8

So I just grabbed a few random log lines my controller logged:

 

 

Sep  7 00:44:14 192.168.8.152 authmgr[2435]: <522125> <2435> <WARN> <wcp2 192.168.8.152>  Could not create/find bandwidth-contract for user, return code (-11).
Sep  7 00:47:09 192.168.8.152 authmgr[2435]: <522125> <2435> <WARN> <wcp2 192.168.8.152>  Could not create/find bandwidth-contract for user, return code (-11).
Sep  7 20:30:58 192.168.8.152 stm[2452]: <501080> <2452> <NOTI> <wcp2 192.168.8.152>  Deauth to sta: 88:63:df:ae:d3:83: Ageout AP 192.168.13.160-94:b4:0f:eb:73:31-ewfmb-rm180 STA has roamed to another AP
Sep  7 20:30:58 192.168.8.152 stm[2452]: <501100> <2452> <NOTI> <wcp2 192.168.8.152>  Assoc success @ 20:30:58.606562: 88:63:df:ae:d3:83: AP 192.168.13.115-20:a6:cd:c5:7c:71-ewfmb-rm183-test
Sep  7 19:59:50 192.168.8.129 <wce1 192.168.8.129> rsyncd[20421]: connect from wcp2 (192.168.8.152) 
Sep  7 19:59:50 192.168.8.129 <wce1 192.168.8.129> rsyncd[20421]: rsync on rsync/ from wcp2 (192.168.8.152) 

I see two different formats being logged and some ambiguous sections:

First:

{date-time [year]} {Originating host} {daemon} {<PRI maybe?>} {<no clue>} {Severity} {hostname and IP?} {message}

Second: similar to the first but no <> fields and the daemon and hostname/ip fields are reversed.

 

My questions are:

1) Can anyone help decode the content of the <NUM> fields?

2) Why add the <hostname ip> field? It seems superfluous.

3) Why the two formats?

4) Is anyone willing to share an rsyslog template that normalizes these log lines a bit more?

 

 

 

 

MVP Guru

Re: Understanding syslog format in AOS8

Have you found the Syslog message guide on the Support website for your version of ArubaOS?

(Edit: added link; the latest version is for 6.5.x, which appears close enough for the purpose)

 

In the following chapters, messages are defined in generic terms with variables.

Jan 23 16:26:51 sapd[148]: <404003> <WARN> |AP 00:0b:86:cb:85:db@10.34.84.14 sapd| AM 00:0b:86:38:5d:b0: Interfering AP detected with SSID 06B408550367 and BSSID 00:12:0e:44:d4:2c

In this case, the message elements are:

  • <date and time stamp> = Jan 23 16:26:51 <-- timestamp showing when the message was created
  • <error location>: = sapd[148]: <-- the specific module location where this syslog was generated
  • <error number> = <404003> <-- a unique number within the set of messages generated by ArubaOS
  • <severity> = <WARN> <-- message severity level
  • |<process>| = |AP 00:0b:86:cb:85:db@10.34.84.14 sapd| <-- the AP MAC and IP addresses
  • message text = <-- the remaining part of the message.

I see in my logs as well the process id returning later on (2435 and 2452).

 

Think you should be able to get started from here. I don't know about rsyslog templates, didn't even know that rsyslog allows normalization.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
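As an added example (not from either poster and not Aruba's code), here is a Python parser that normalizes the two line shapes seen in the log excerpt at the top of the thread into one record layout. The field names (`msg_id`, `pid_consistent`, and so on) are hypothetical, and reading the first `<NUM>` as the message number and the second as the daemon PID is an assumption based on the reply above.

```python
import re

# Shared prefix: syslog timestamp (day may be space-padded) and originating host.
TS_SRC = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>\S+) "
# Format 1 (authmgr/stm lines): daemon[pid]: <num> <num> <SEV> <name ip>  text
FMT_TAGGED = re.compile(
    TS_SRC + r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"<(?P<msg_id>\d+)> <(?P<pid2>\d+)> <(?P<severity>[A-Z]+)> "
    r"<(?P<hostname>\S+) (?P<host_ip>\S+)>\s+(?P<message>.*)$"
)
# Format 2 (rsyncd lines): <name ip> daemon[pid]: text, with no bracketed tags
FMT_PLAIN = re.compile(
    TS_SRC + r"<(?P<hostname>\S+) (?P<host_ip>\S+)> "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)

def parse_aos_line(line):
    """Return one normalized dict for either format, or None if neither matches."""
    line = line.rstrip()
    for fmt_name, rx in (("tagged", FMT_TAGGED), ("plain", FMT_PLAIN)):
        m = rx.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["format"] = fmt_name
        rec["pid"] = int(rec["pid"])
        if fmt_name == "tagged":
            # Assumption: the second <NUM> repeats the daemon PID; record whether it does.
            rec["pid_consistent"] = int(rec.pop("pid2")) == rec["pid"]
            rec["msg_id"] = int(rec["msg_id"])
        else:
            rec.update(msg_id=None, severity=None, pid_consistent=None)
        return rec
    return None  # unparsed lines should be kept raw, not dropped

# Sample lines copied from the log excerpt in the first post.
SAMPLES = [
    "Sep  7 00:44:14 192.168.8.152 authmgr[2435]: <522125> <2435> <WARN> <wcp2 192.168.8.152>  Could not create/find bandwidth-contract for user, return code (-11).",
    "Sep  7 20:30:58 192.168.8.152 stm[2452]: <501080> <2452> <NOTI> <wcp2 192.168.8.152>  Deauth to sta: 88:63:df:ae:d3:83: Ageout AP 192.168.13.160-94:b4:0f:eb:73:31-ewfmb-rm180 STA has roamed to another AP",
    "Sep  7 19:59:50 192.168.8.129 <wce1 192.168.8.129> rsyncd[20421]: connect from wcp2 (192.168.8.152) ",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_aos_line(sample))
```

Lines that return `None` are worth counting in a pipeline, since a rising count usually means a firmware change introduced a third line shape.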