09-13-2013 10:02 AM - edited 07-04-2021 12:50 AM
We have added Splunk to a monitoring system and I would like to send my WLC 5508 log messages to it. The Syslog Data Inputs on that server are all TCP and we would like to maintain TCP only if possible. I do need to be on a custom port other than 514. We are on 7.4.100.60 on an HA pair of 5508s. Does anyone have any insight on changing the syslog port number in the WLC config?
09-13-2013 03:16 PM
I am also having this requirement. But I do not think we can customize syslog ports in 5508s.
In a normal IOS device we can do this like below.
"logging host x.x.x.x transport {tcp|udp} port
Therefore in NextGen controllers (3850 or 5760) we should be able to use the above command, as it is running on IOS. Tested with a 3850 & it worked, not with a 5760 yet.
HTH
Rasika
09-27-2013 04:23 AM
I too am using Splunk for capturing WLC Syslog. With regards to the destination port of the Syslog, I don't know how to change it. However, to get around this I have set up a Splunk Forwarder with Syslog-NG. Basically Syslog-NG listens on any port number/protocol you define and writes logs to a log file named $hostname$.log. This means I could have x different WLCs sending Syslog to Syslog-NG on UDP 514 and Syslog-NG will write the syslog from each host to its individual file.
From there I've configured Splunk forwarder to monitor each file and forward the logs on to Splunk. You can forward to any port/protocol you wish.
Also remember to do this
config logging debug syslog enable
On the controller. Otherwise you won't see the messages you expect.
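A syslog-ng configuration for the relay described in the post above, as an added example that is not the poster's own configuration. The subnet 192.0.2.0/24, the directory /var/log/wlc and the `@version` value are assumptions to replace with your own.

```conf
# Added example: syslog-ng relay for WLC syslog (not from the original thread).
@version: 3.38            # assumption: set to the installed syslog-ng version

# Receive classic UDP syslog on 514, the port the WLC sends to.
# keep-hostname(no) + use-dns(no) make ${HOST} the sender's IP address
# instead of the hostname field inside the (unauthenticated) UDP message,
# so a forged hostname cannot choose the output file name.
source s_wlc {
    network(
        ip("0.0.0.0")
        port(514)
        transport("udp")
        keep-hostname(no)
        use-dns(no)
    );
};

# Accept messages only from the controllers' management subnet.
# 192.0.2.0/24 is a placeholder range.
filter f_from_wlc {
    netmask("192.0.2.0/24");
};

# One log file per sending controller, e.g. /var/log/wlc/192.0.2.10.log.
# The path is an assumption; the Splunk forwarder's file monitor would
# point at this directory.
destination d_wlc_per_host {
    file(
        "/var/log/wlc/${HOST}.log"
        create-dirs(yes)
        dir-perm(0750)
        perm(0640)
    );
};

log {
    source(s_wlc);
    filter(f_from_wlc);
    destination(d_wlc_per_host);
};
```

The Splunk forwarder then monitors the files under /var/log/wlc and sends them on to the indexer over whichever TCP port its data input uses.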