
WLC logs not receiving in syslog

abinaya.2.r
Level 1

Hi,

I am in the process of doing an audit of WLCs with the syslog. But for a few WLCs, the syslog collector is not receiving the correct log format. When I check the logs on the WLC, I notice the logs are in a different format.

I have provided the logs captured from two WLCs (the first is working and logs are received on the syslog collector; the second is not received on the syslog collector).


Device Name: oric-wlc-np-001
Feb 19 00:04:50 10.31.1.60 aunnpc01: *Dot1x_NW_MsgTask_2: Feb 19 11:04:50.607: %APF-6-USER_NAME_CREATED: [PA]apf_ms.c:7922 Username entry (host/75XGRF2.ori.orica.net) with length (253) created for mobile 34:f3:9a:e1:f0:32

 
Device Name: oric-wlc-ho-001
aunhoc02: *SISF BT Process: Feb 19 11:04:20.914: #SISF-6-ENTRY_DELETED: sisf_shim_utils.c:356 Entry deleted A=fe80::4a8:230a:dc96:1df7 V=0 I=wireless:0 P=0005 M=
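
Added example, not part of the original post and not Cisco code: a Python parser that accepts both shapes of line shown above and lists how each one differs from the line the collector received. The field names and the regular expression are assumptions inferred only from the sample lines in this thread.

```python
import re

# Field names are this example's own labels (assumptions), inferred from the thread's samples.
WLC_LINE = re.compile(
    r"^(?:(?P<rx_time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rx_host>\S+) )?"  # optional header
    r"(?:(?P<host>[^\s:*]+): )?"             # optional controller name
    r"\*(?P<task>[^:]+): "                   # task name, may contain spaces
    r"(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<marker>[%#])(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)

# Sample lines copied from the thread: the two lines above and one line of "show logg" output.
SAMPLES = [
    "Feb 19 00:04:50 10.31.1.60 aunnpc01: *Dot1x_NW_MsgTask_2: Feb 19 11:04:50.607: %APF-6-USER_NAME_CREATED: [PA]apf_ms.c:7922 Username entry (host/75XGRF2.ori.orica.net) with length (253) created for mobile 34:f3:9a:e1:f0:32",
    "aunhoc02: *SISF BT Process: Feb 19 11:04:20.914: #SISF-6-ENTRY_DELETED: sisf_shim_utils.c:356 Entry deleted A=fe80::4a8:230a:dc96:1df7 V=0 I=wireless:0 P=0005 M=",
    "*tplusTransportThread: Feb 22 06:02:14.186: #AAA-3-SELECT_CALL_FAILURE: tplus_db.c:1809 Tacacs server is not available for authentication, accounting and/or authorization",
]

def parse_wlc_line(line):
    """Return a dict of fields for a recognised line, or None if it does not match."""
    m = WLC_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec

def format_differences(rec):
    """List how a parsed line deviates from the shape of the line the collector received."""
    diffs = []
    if rec["rx_time"] is None:
        diffs.append("no leading timestamp/source-address header")
    if rec["host"] is None:
        diffs.append("no controller name")
    if rec["marker"] != "%":
        diffs.append(f"message code starts with '{rec['marker']}' instead of '%'")
    return diffs

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_wlc_line(line)
        if rec is None:
            print("UNPARSED:", line)
            continue
        code = f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']}"
        print(rec["host"] or "-", code, format_differences(rec) or "same shape as received line")
```

Running it over a capture from each controller shows which fields a strict collector-side parser would find missing before any configuration is changed.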


balaji.bandi
Hall of Fame

Check the syslog config and the source interface it is leaving from. Post some more information and config.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

Below is the log from my WLC.

 

(Cisco Controller) >show logg

 

*emWeb: Feb 22 06:02:14.875: #LOG-3-Q_IND: tplus_db.c:1809 Tacacs server is not available for authentication, accounting and/or authorization[...It occurred 2 times.!]

*tplusTransportThread: Feb 22 06:02:14.186: #AAA-3-SELECT_CALL_FAILURE: tplus_db.c:1809 Tacacs server is not available for authentication, accounting and/or authorization

*Dot1x_NW_MsgTask_7: Feb 22 00:37:14.893: #DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447  Authentication Aborted for client 9c:30:5b:04:f0:e7

*dot1xMsgTask: Feb 21 20:23:42.334: #DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1404 Unable to send EAPOL-key msg  - invalid WPA state (0) - client 9c:30:5b:04:f3:fd

*dot1xMsgTask: Feb 21 20:23:42.334: #DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1404 Unable to send EAPOL-key msg  - invalid WPA state (0) - client 74:8d:08:5a:ff:61

 

However, when I checked on the Cisco website, the below format should be present on the WLC.

The Cisco Log Message Format

The Cisco Log message format is:

<PRI>SEQNUM: HOST: MONTH DAY YEAR HOUR:MINUTES:SECONDS.MILLISECONDS TIMEZONE: %APPNAME-SEVERITY-MSGID: %TAGS: MESSAGE

An example of a CiscoLog formatted syslog event follows. An entry displays on a single line.

<134>25: host-w3k: Feb 13 2007 18:23:21.408 +0000: %ICM_Router_CallRouter-6-10500FF: [comp=Router-A][pname=rtr][iid=acme1][mid=10500FF][sev=info]: Side A rtr process is OK.

Could someone help with how to change the syslog to the below format?

I'm pretty sure you aren't running the same software on the two WLCs; could you verify this?
Also, the WLC uses a different syslog format from the Catalyst series, at least in the local log. There is a possibility that they modify the log when sending it to a syslog server.
Check that both WLCs are configured the same under Management -> Logs -> Config.

kingbily96
Level 1

Currently I'm not capturing syslog to any external host, no IP address entered for a syslog server in Management => Logs => Config

Syslog level is set to ERRORS and Facility is "Local use 0"

WLC Config Analyzer 4.16 gives Best Practice message below:

20017,AP: Syslog messages are sent to broadcast address, if there are errors reported by many APs, and there are too many APs per vlan, this can cause broadcast storms. For best practices, it is better to configure to individual server.

How can I make sure the APs are not broadcasting the syslog messages?

I'm not entirely sure, but I think you can ignore this message.

Otherwise set it to 127.0.0.1, that way they should get trashed.
