https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225552#M7194 <HTML><HEAD></HEAD><BODY><P>If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the syslog servers.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 05 May 2013 13:37:57 GMT Scott Fella 2013-05-05T13:37:57Z https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225549#M7191 <P>I'm from the sec team, and the company in which i work in is using Wireless Control System Plus with MSE (mobility security engine).</P><P></P><P>Now using syslog I'm interested in detecting rogue access points, What source should i enable syslog either controller or mse? I want to brng that logs to SIEM for higher correlation. I'm still confused.</P><P></P><P>We are using cisco aironet 3500 series .</P><P>Lan controller 5500</P><P>MSE 3300 series </P><P>WCS v 5.0</P> Sun, 04 Jul 2021 07:01:41 GMT https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225549#M7191 asad ali 2021-07-04T07:01:41Z https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225550#M7192 <HTML><HEAD></HEAD><BODY><P>Well first off, the MSE is a Mobility Services Engine not a security engine. You also have to make sure you have the correct code versions on your WLC, WCS and MSE. The WCS version is very old and the rule of thumb is to have the WCS and MSE an equal or higher version than the WLC. The WLC only supports the WLC on v7.0.x. You might have to upgrade your WCS to Prime infrastructure. Please refer to the compatibility matrix below.<BR /><BR /><A href="http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html" target="_blank">http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html</A><BR /><BR />Rogue detection can come from the WLC, but it might be unusable if you have many rogue AP's being detected especially if your in a downtown building for example.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 05 May 2013 13:26:01 GMT https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225550#M7192 Scott Fella 2013-05-05T13:26:01Z https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225551#M7193 <HTML><HEAD></HEAD><BODY><P>Thank you for your respons.</P><P>I was seeing the syslog options In the facility drop down menu , there was list of options (kernel,mail,cron) by defualt its set to local use 0. Does this level mean that it caters for all the levels that are less or equal then its.</P><P></P><P>E.g</P><P style="margin-top: px; margin-bottom: px; line-height: normal;"><STRONG>Kernel</STRONG> = Facility level 0 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>User Process</STRONG> = Facility level 1 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>Mail</STRONG> = Facility level 2 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>System Daemons</STRONG> = Facility level 3 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>Authorization</STRONG> = Facility level 4 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>Syslog</STRONG> = Facility level 5 (default value) </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>Line Printer</STRONG> = Facility level 6 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>USENET</STRONG> = Facility level 7 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>Unix-to-Unix Cop</STRONG>y = Facility level 8 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>Cron</STRONG> = Facility level 9 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>FTP Daemon</STRONG> = Facility level 11 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>System Use 1</STRONG> = Facility level 12 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>System Use 2</STRONG> = Facility level 13 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>System Use 3</STRONG> = Facility level 14 </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">•<STRONG>System Use 4</STRONG> = Facility level 15 </P></BODY></HTML> Sun, 05 May 2013 13:33:29 GMT https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225551#M7193 asad ali 2013-05-05T13:33:29Z https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225552#M7194 <HTML><HEAD></HEAD><BODY><P>If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the syslog servers.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 05 May 2013 13:37:57 GMT https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225552#M7194 Scott Fella 2013-05-05T13:37:57Z https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225553#M7195 <HTML><HEAD></HEAD><BODY><P>That i understand, but what i don't understand is the faciliy levels? how are they define and set.</P></BODY></HTML> Sun, 05 May 2013 13:44:45 GMT https://community.cisco.com/t5/wireless/integerating-mse-wlc-into-siem/m-p/2225553#M7195 asad ali 2013-05-05T13:44:45Z