https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809547#M8201 <HTML><HEAD></HEAD><BODY><P>Syslog doesn't give much.&nbsp; All of the auth/deauth messages, etc. are sent via SNMP trap.&nbsp; Here are some OID's that can be useful.</P><P></P><P>1.3.6.1.4.1.14179.2.6.3.70&nbsp; Signature attack - Deauth Flood</P><P>1.3.6.1.4.1.14179.2.6.3.55&nbsp; Potential denial of service attack</P><P>1.3.6.1.4.1.14179.2.6.3.42 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Radios exceed license count</P><P>1.3.6.1.4.1.14179.2.6.3.44&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Sensed temperature too high</P><P>1.3.6.1.4.1.14179.2.6.3.47&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;POE controller failure</P><P>1.3.6.1.4.1.14179.2.6.3.56&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Too many unsuccessful login attempts</P><P>1.3.6.1.4.1.14179.2.6.3.59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Rogue AP detected on wired network</P><P></P><P>I think syslog will catch things like:</P><P></P><P>Web authentication failure for station</P><P>Login failed for the user:</P><P>Authentication failed for network user</P></BODY></HTML> Thu, 01 Mar 2012 20:06:48 GMT MikeM-2468 2012-03-01T20:06:48Z https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809543#M8197 <P>It appears that there are two different types of log information generated by the WLC-5508.&nbsp; The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via snmp trap.&nbsp; Does anyone have this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?</P> Sun, 04 Jul 2021 04:10:29 GMT https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809543#M8197 MikeM-2468 2021-07-04T04:10:29Z https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809544#M8198 <HTML><HEAD></HEAD><BODY><P>Mike,</P><P></P><P>Have you tried to change the logging level on the wlc? There are multiple levels of logging that can be set on the wlc. On the wlc GUI, you can check the current logging level by navigating to this page - Management &gt; Logs &gt; Config &gt; Syslog Server. Under the "Syslog Server", you can change the level of logging.　</P><P></P><P align="left"><SPAN style="font-size: 10pt;">If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. Note that setting a higher logging level on the wlc might result in more logs sent to the syslog server. </SPAN></P><P align="left"><SPAN style="font-size: 10pt;"> </SPAN></P><P align="left"><SPAN style="font-size: 10pt;">Regards,</SPAN></P><P align="left"><SPAN style="font-size: 10pt;"> </SPAN></P><P align="left"><SPAN style="font-size: 10pt;">Nagendra</SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P></BODY></HTML> Tue, 13 Dec 2011 06:46:35 GMT https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809544#M8198 naks 2011-12-13T06:46:35Z https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809545#M8199 <HTML><HEAD></HEAD><BODY><P>Thank you for the reply.&nbsp; I'm very familiar with logging levels.&nbsp; The fact is that the WLC provides very little security relevant information via syslog.&nbsp; Most is sent via SNMP trap.&nbsp; I'll be using SNMP traps for this.</P></BODY></HTML> Tue, 13 Dec 2011 12:12:43 GMT https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809545#M8199 MikeM-2468 2011-12-13T12:12:43Z https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809546#M8200 <HTML><HEAD></HEAD><BODY><P> Mike,</P><P></P><P>Did you get what you wanted out of SNMP for the logging information?&nbsp; I'm trying to work with my (reluctant) network admin to send WLC logs to my SIEM device, but all I'm seeing is unimportant, mostly non-security related logs.&nbsp; I don't even get a log when users attach to wireless or any other useful kinds of info.&nbsp; (logging level is set to 6).</P><P></P><P>Just looking for some suggestions.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 01 Mar 2012 19:48:16 GMT https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809546#M8200 jaymartin 2012-03-01T19:48:16Z https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809547#M8201 <HTML><HEAD></HEAD><BODY><P>Syslog doesn't give much.&nbsp; All of the auth/deauth messages, etc. are sent via SNMP trap.&nbsp; Here are some OID's that can be useful.</P><P></P><P>1.3.6.1.4.1.14179.2.6.3.70&nbsp; Signature attack - Deauth Flood</P><P>1.3.6.1.4.1.14179.2.6.3.55&nbsp; Potential denial of service attack</P><P>1.3.6.1.4.1.14179.2.6.3.42 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Radios exceed license count</P><P>1.3.6.1.4.1.14179.2.6.3.44&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Sensed temperature too high</P><P>1.3.6.1.4.1.14179.2.6.3.47&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;POE controller failure</P><P>1.3.6.1.4.1.14179.2.6.3.56&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Too many unsuccessful login attempts</P><P>1.3.6.1.4.1.14179.2.6.3.59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Rogue AP detected on wired network</P><P></P><P>I think syslog will catch things like:</P><P></P><P>Web authentication failure for station</P><P>Login failed for the user:</P><P>Authentication failed for network user</P></BODY></HTML> Thu, 01 Mar 2012 20:06:48 GMT https://community.cisco.com/t5/wireless/wlc-5508-logging-to-syslog/m-p/1809547#M8201 MikeM-2468 2012-03-01T20:06:48Z