Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16368
Views
5
Helpful
4
Replies

WLC-5508 logging to syslog

MikeM-2468
Level 1
Level 1

‎12-05-2011 06:15 AM - edited ‎07-03-2021 09:10 PM

It appears that there are two different types of log information generated by the WLC-5508.  The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via snmp trap.  Does anyone have this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?

1 person had this problem
Labels:
0 Helpful
4 Replies 4

naks
Level 1
Level 1

‎12-12-2011 10:46 PM

Mike,

Have you tried to change the logging level on the wlc? There are multiple levels of logging that can be set on the wlc. On the wlc GUI, you can check the current logging level by navigating to this page - Management > Logs > Config > Syslog Server. Under the "Syslog Server", you can change the level of logging. 

If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. Note that setting a higher logging level on the wlc might result in more logs sent to the syslog server.

Regards,

Nagendra

0 Helpful

MikeM-2468
Level 1
Level 1
In response to naks

‎12-13-2011 04:12 AM

Thank you for the reply.  I'm very familiar with logging levels.  The fact is that the WLC provides very little security relevant information via syslog.  Most is sent via SNMP trap.  I'll be using SNMP traps for this.

0 Helpful

jaymartin
Level 1
Level 1
In response to MikeM-2468

‎03-01-2012 11:48 AM

Mike,

Did you get what you wanted out of SNMP for the logging information?  I'm trying to work with my (reluctant) network admin to send WLC logs to my SIEM device, but all I'm seeing is unimportant, mostly non-security related logs.  I don't even get a log when users attach to wireless or any other useful kinds of info.  (logging level is set to 6).

Just looking for some suggestions.

Thanks

0 Helpful

MikeM-2468
Level 1
Level 1
In response to jaymartin

‎03-01-2012 12:06 PM

Syslog doesn't give much.  All of the auth/deauth messages, etc. are sent via SNMP trap.  Here are some OID's that can be useful.

1.3.6.1.4.1.14179.2.6.3.70  Signature attack - Deauth Flood

1.3.6.1.4.1.14179.2.6.3.55  Potential denial of service attack

1.3.6.1.4.1.14179.2.6.3.42      Radios exceed license count

1.3.6.1.4.1.14179.2.6.3.44     Sensed temperature too high

1.3.6.1.4.1.14179.2.6.3.47     POE controller failure

1.3.6.1.4.1.14179.2.6.3.56     Too many unsuccessful login attempts

1.3.6.1.4.1.14179.2.6.3.59     Rogue AP detected on wired network

I think syslog will catch things like:

Web authentication failure for station

Login failed for the user:

Authentication failed for network user

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card