It appears that there are two different types of log information generated by the WLC-5508. The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via snmp trap. Does anyone have this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?
Have you tried to change the logging level on the wlc? There are multiple levels of logging that can be set on the wlc. On the wlc GUI, you can check the current logging level by navigating to this page - Management > Logs > Config > Syslog Server. Under the "Syslog Server", you can change the level of logging.
If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. Note that setting a higher logging level on the wlc might result in more logs sent to the syslog server.
Thank you for the reply. I'm very familiar with logging levels. The fact is that the WLC provides very little security relevant information via syslog. Most is sent via SNMP trap. I'll be using SNMP traps for this.
Did you get what you wanted out of SNMP for the logging information? I'm trying to work with my (reluctant) network admin to send WLC logs to my SIEM device, but all I'm seeing is unimportant, mostly non-security related logs. I don't even get a log when users attach to wireless or any other useful kinds of info. (logging level is set to 6).
Just looking for some suggestions.
Syslog doesn't give much. All of the auth/deauth messages, etc. are sent via SNMP trap. Here are some OIDs that can be useful:

1.3.6.1.4.1.14179.2.6.3.70 Signature attack - Deauth Flood
1.3.6.1.4.1.14179.2.6.3.55 Potential denial of service attack
1.3.6.1.4.1.14179.2.6.3.42 Radios exceed license count
1.3.6.1.4.1.14179.2.6.3.44 Sensed temperature too high
1.3.6.1.4.1.14179.2.6.3.47 POE controller failure
1.3.6.1.4.1.14179.2.6.3.56 Too many unsuccessful login attempts
1.3.6.1.4.1.14179.2.6.3.59 Rogue AP detected on wired network
I think syslog will catch things like:
Web authentication failure for station
Login failed for the user:
Authentication failed for network user
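The following is an added example (not code posted in this thread and not Cisco's) of how the trap OIDs and syslog messages listed in the post above can be turned into normalized events before they reach a SIEM. It parses the input that snmptrapd hands a `traphandle` program on stdin (hostname, agent address, then one `OID VALUE` pair per line), looks up `snmpTrapOID.0` against the OIDs from the post, and separately matches the three syslog message texts. The event names, severities, field names and the sample trap and syslog lines are this example's own assumptions; the one non-trap varbind OID in the sample is a placeholder, not a real MIB object.

```python
"""Normalize Cisco WLC SNMP traps and syslog lines into SIEM-friendly events.

Added example for the thread above. Trap OIDs and syslog message texts come
from the post; severities, names and sample input are assumptions.
"""
import json
import re

# Trap OIDs quoted in the post, all under the Airespace/Cisco WLC enterprise
# subtree 1.3.6.1.4.1.14179. Event names and severities are our own choice.
WLC_TRAP_OIDS = {
    "1.3.6.1.4.1.14179.2.6.3.70": ("signature_attack_deauth_flood", "high"),
    "1.3.6.1.4.1.14179.2.6.3.55": ("potential_dos_attack", "high"),
    "1.3.6.1.4.1.14179.2.6.3.42": ("radios_exceed_license_count", "low"),
    "1.3.6.1.4.1.14179.2.6.3.44": ("sensed_temperature_too_high", "medium"),
    "1.3.6.1.4.1.14179.2.6.3.47": ("poe_controller_failure", "medium"),
    "1.3.6.1.4.1.14179.2.6.3.56": ("too_many_unsuccessful_login_attempts", "high"),
    "1.3.6.1.4.1.14179.2.6.3.59": ("rogue_ap_on_wired_network", "high"),
}

# SNMPv2-MIB::snmpTrapOID.0, the varbind that says which trap was sent.
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"

# Syslog message texts the post says the WLC does emit; the regexes are ours.
SYSLOG_PATTERNS = [
    (re.compile(r"Web authentication failure for station\s+(?P<subject>\S+)"),
     "web_auth_failure", "medium"),
    (re.compile(r"Login failed for the user:\s*(?P<subject>\S+)"),
     "mgmt_login_failure", "high"),
    (re.compile(r"Authentication failed for network user\s+(?P<subject>\S+)"),
     "network_user_auth_failure", "medium"),
]


def parse_traphandle_input(text):
    """Parse what snmptrapd passes a 'traphandle' program on stdin:
    line 1 = agent hostname, line 2 = agent address, then 'OID VALUE' lines.
    Returns (hostname, address, [(oid, value), ...])."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if len(lines) < 2:
        raise ValueError("need hostname and address lines")
    hostname, address = lines[0], lines[1]
    varbinds = []
    for ln in lines[2:]:
        oid, _, value = ln.partition(" ")
        varbinds.append((oid.strip(), value.strip()))
    return hostname, address, varbinds


def normalize_trap(hostname, address, varbinds):
    """Flatten one trap into an event dict. Unknown trap OIDs are kept as
    'unknown_wlc_trap' instead of being dropped, so nothing disappears
    silently between the controller and the SIEM."""
    binds = dict(varbinds)
    trap_oid = binds.get(SNMP_TRAP_OID, "").strip('"')
    name, severity = WLC_TRAP_OIDS.get(trap_oid, ("unknown_wlc_trap", "info"))
    return {
        "source": "wlc_snmp_trap",
        "agent": hostname,
        "agent_ip": address,
        "trap_oid": trap_oid,
        "event": name,
        "severity": severity,
        # Remaining varbinds ride along so analysts can pivot on MAC/AP
        # names in the SIEM without re-parsing the raw trap.
        "details": {k: v for k, v in binds.items() if k != SNMP_TRAP_OID},
    }


def normalize_syslog(line):
    """Match one WLC syslog line against the auth-failure messages.
    Returns an event dict, or None for lines with no security signal."""
    for pattern, name, severity in SYSLOG_PATTERNS:
        m = pattern.search(line)
        if m:
            return {"source": "wlc_syslog", "event": name,
                    "severity": severity, "subject": m.group("subject"),
                    "raw": line}
    return None


# Constructed sample input, not captured from a real controller. The last
# varbind OID is a placeholder, not a real MIB object.
SAMPLE_TRAP = """\
wlc01.example.net
UDP: [192.0.2.10]:32768->[192.0.2.50]:162
1.3.6.1.2.1.1.3.0 12345678
1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.4.1.14179.2.6.3.70
1.3.6.1.4.1.14179.2.6.2.99 "Deauth flood from 00:11:22:33:44:55"
"""

SAMPLE_SYSLOG = [
    "<134>wlc01: Web authentication failure for station 00:11:22:33:44:55",
    "<134>wlc01: Login failed for the user: admin",
    "<134>wlc01: Authentication failed for network user jdoe",
    "<134>wlc01: AP joined",  # no security signal -> None
]

if __name__ == "__main__":
    print(json.dumps(normalize_trap(*parse_traphandle_input(SAMPLE_TRAP)), indent=2))
    for sample in SAMPLE_SYSLOG:
        print(normalize_syslog(sample))
```

Wired up as a `traphandle` in snmptrapd.conf, the script would read the trap from stdin and forward the JSON over syslog or HTTP to the SIEM; keeping unknown trap OIDs as `unknown_wlc_trap` lets you discover which other traps the controller sends before you decide which ones to map.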