Hi Dirk,

Your idea is certainly a good one, and may be my only choice, but I'm trying to avoid the network traffic.  We have a sprawling campus system the size of a small city and there are lots of other wireless about, so I get about 20k/hr of just this specific log, and mutiply that by 3 for each of the syslog servers.  ugh.

Also, its too much effort to mark all APs as known friendlies per controller, either, which would be another way to reduce this spam alerting.

Hi,

if you're using WCS, which I hope you do, you can specify "Rogue Policies" which should classify the rogues automatically and doing so, reduce your "spam".

You can find it under "Controller Template Launch Pad -> Security -> Rogue AP Rules"

Unfortunatley, this will not work every time. Have some issues here in my setup as well.

Dirk

Hi,

Yeah, we tried that too with WCS. We can classify malicious (unknown AP using our SSIDs) and friendly (known APs another department that we are merging with), but not unclassified, which is where most of them sit.  The controllers max out with rogues and dump all the "add failed" spam logs. Looks like we will just filter syslog servers after it traverses the network, as you mentioned.  I guess 20k/hr is not that heavy anyway, but it does tie up a some WLC processing power.  Was thinking the spam could be dumped right at the controller.