Integrating MSE/WLC into SIEM?

asad ali
Level 1
Level 1

I'm from the sec team, and the company I work for is using Wireless Control System Plus with MSE (mobility security engine).

Now, using syslog, I'm interested in detecting rogue access points. On which source should I enable syslog, the controller or the MSE? I want to bring those logs into the SIEM for higher-level correlation. I'm still confused.

We are using Cisco Aironet 3500 series APs.

LAN controller 5500

MSE 3300 series

WCS v5.0


Scott Fella
Hall of Fame
Hall of Fame

Well first off, the MSE is a Mobility Services Engine not a security engine. You also have to make sure you have the correct code versions on your WLC, WCS and MSE. The WCS version is very old and the rule of thumb is to have the WCS and MSE an equal or higher version than the WLC. The WLC only supports the WLC on v7.0.x. You might have to upgrade your WCS to Prime infrastructure. Please refer to the compatibility matrix below.

http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html

Rogue detection can come from the WLC, but it might be unusable if you have many rogue APs being detected, especially if you're in a downtown building, for example.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thank you for your response.

I was looking at the syslog options. In the facility drop-down menu there was a list of options (kernel, mail, cron); by default it is set to local use 0. Does this level mean that it caters for all the levels that are less than or equal to it?

E.g

Kernel = Facility level 0

User Process = Facility level 1

Mail = Facility level 2

System Daemons = Facility level 3

Authorization = Facility level 4

Syslog = Facility level 5 (default value)

Line Printer = Facility level 6

USENET = Facility level 7

Unix-to-Unix Copy = Facility level 8

Cron = Facility level 9

FTP Daemon = Facility level 11

System Use 1 = Facility level 12

System Use 2 = Facility level 13

System Use 3 = Facility level 14

System Use 4 = Facility level 15

Scott Fella
Hall of Fame
Hall of Fame

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the syslog servers.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
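To make the two numbers concrete, here is an added example (not from this thread or from Cisco's software) that decodes the `<PRI>` header every syslog line carries, where PRI = facility * 8 + severity per RFC 3164/5424, and applies the rule Scott describes: a message is sent only if its severity is less than or equal to the configured level. The WLC's "local use 0" default is facility 16 (local0); the sample lines are constructed, not real WLC output.

```python
import re

# Facility codes from RFC 3164 / RFC 5424 (the Cisco GUI's labels differ slightly).
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity 0 (emergency) .. 7 (debug); "Warnings" in the WLC GUI is 4.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI is the number inside the leading <...>: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def decode_pri(line):
    """Return (facility, severity) from a raw syslog line, or raise ValueError."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header at start of line")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)  # (facility, severity)


def describe(line):
    """Human-readable facility.severity, e.g. 'local0.warning'."""
    fac, sev = decode_pri(line)
    return "%s.%s" % (FACILITY_NAMES.get(fac, "facility%d" % fac), SEVERITY_NAMES[sev])


def forwarded_at_level(lines, level):
    """Lines a WLC set to syslog level `level` would send: severity <= level."""
    return [line for line in lines if decode_pri(line)[1] <= level]


# Constructed sample lines (hypothetical host 'wlc01'); 132 = local0.warning.
SAMPLE_LINES = [
    "<132>Jan  1 10:00:00 wlc01: constructed rogue AP detected message",
    "<134>Jan  1 10:00:01 wlc01: constructed informational message",
    "<130>Jan  1 10:00:02 wlc01: constructed critical message",
    "<36>Jan  1 10:00:03 wlc01: constructed auth warning message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(line), "|", line)
    print(len(forwarded_at_level(SAMPLE_LINES, 4)), "of", len(SAMPLE_LINES), "sent at Warnings (4)")
```

Running it against the constructed lines shows that at level Warnings (4) the informational line (severity 6) is dropped while the warning and critical lines are forwarded, which is what the SIEM collector will and will not receive.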

That I understand, but what I don't understand is the facility levels. How are they defined and set?
