cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
13924
Views
0
Helpful
4
Replies
Highlighted
Beginner

WLC-5508 logging to syslog

It appears that there are two different types of log information generated by the WLC-5508.  The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via snmp trap.  Does anyone have this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?

Everyone's tags (3)
4 REPLIES 4
Beginner

WLC-5508 logging to syslog

Mike,

Have you tried to change the logging level on the wlc? There are multiple levels of logging that can be set on the wlc. On the wlc GUI, you can check the current logging level by navigating to this page - Management > Logs > Config > Syslog Server. Under the "Syslog Server", you can change the level of logging. 

If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. Note that setting a higher logging level on the wlc might result in more logs sent to the syslog server.

Regards,

Nagendra

Beginner

WLC-5508 logging to syslog

Thank you for the reply.  I'm very familiar with logging levels.  The fact is that the WLC provides very little security relevant information via syslog.  Most is sent via SNMP trap.  I'll be using SNMP traps for this.

Beginner

WLC-5508 logging to syslog

Mike,

Did you get what you wanted out of SNMP for the logging information?  I'm trying to work with my (reluctant) network admin to send WLC logs to my SIEM device, but all I'm seeing is unimportant, mostly non-security related logs.  I don't even get a log when users attach to wireless or any other useful kinds of info.  (logging level is set to 6).

Just looking for some suggestions.

Thanks

Beginner

WLC-5508 logging to syslog

Syslog doesn't give much.  All of the auth/deauth messages, etc. are sent via SNMP trap.  Here are some OID's that can be useful.

1.3.6.1.4.1.14179.2.6.3.70  Signature attack - Deauth Flood

1.3.6.1.4.1.14179.2.6.3.55  Potential denial of service attack

1.3.6.1.4.1.14179.2.6.3.42      Radios exceed license count

1.3.6.1.4.1.14179.2.6.3.44     Sensed temperature too high

1.3.6.1.4.1.14179.2.6.3.47     POE controller failure

1.3.6.1.4.1.14179.2.6.3.56     Too many unsuccessful login attempts

1.3.6.1.4.1.14179.2.6.3.59     Rogue AP detected on wired network

I think syslog will catch things like:

Web authentication failure for station

Login failed for the user:

Authentication failed for network user

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards