Jeffrey,

I think your problem is most likely in the way your syslog server is configured to log messages (or is inherently in the daemon itself). It does not look like your server is adding timestamp or hostname information to the message it logs.

Here is your example:

Dec 28 09:50:18 .682 dtl_net.c:1299 DTL-1-ARP_POISON_DETECTED: STA
[00:11:24:9c:4c:8a, 0.0.0.0] ARP (op 1) received with invalid SPA
169.254.99.205/TPA 169.254.99.205

Syslog interprets .682 as the hostname but I am not sure as to what
exactly the string represents. (I am guessing it may be part of the oid
string that represents the access point.)

I think the ".682" is part of the timestamp from the controller rather than being listed as the hostname. If you look at the logs locally on your controller, you will probably see the message is identical to your remote syslog messages, including the timestamp.

An example from my syslog file is similar, but the syslog daemon prepends a timestamp and hostname to the log message:

Dec 28 09:57:01 ctrl-lc-3-m.ap.uiowa.edu Dec 28 09:57:01.189 dtl_net.c:1210 DTL-1-ARP_POISON_DETECTED: STA [00:11:24:92:b4:50, 0.0.0.0] ARP (op 1) received with invalid SPA 169.254.159.186/TPA 169.254.159.186


How have people dealt with multiple controllers and syslog?

By prepending the host information to the log, you can easily identify the particular host you are looking for in a log file. All of our wireless gear (controllers, fat APs, managed PoE midspans, etc.) are sending their log messages to the same server and facility. We can then grep (or use other utilities) to look at specific host information.

I have not had to make any config modifications to get the syslog timestamp and hostname prepended to the log file in the past (built-in syslogd running in various flavors of Linux, FreeBSD, and Mac OS X), when configuring test systems. It looks like most of my test logs list the IP address of the host instead of its DNS name, so there may be some configuration or switch required to make the syslog daemon look up the DNS name rather than log the IP address (not sure).

I am no syslog expert, but I hope some of this info was useful. Good luck.

-Jason

-------------------------------------------------------
Jason Mueller
Network Engineering Group, ITS
University of Iowa
(319) 335-5481 voice
(319) 335-2951 fax
[EMAIL PROTECTED]
------------------------------------------------------- 

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
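
Added example, not part of the original message or of any syslog daemon: a Python parser that accepts both line shapes quoted in the thread and treats `.682` as the fractional part of the controller's timestamp, as the reply suggests, so it is never taken for a hostname. The regular expressions, the field names and the `peer` fallback argument are assumptions made for illustration; the two sample lines are the ones quoted above.

```python
import re

# Syslog-style stamp, e.g. "Dec 28 09:50:18" (day may be space-padded).
TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"

# Optional "<stamp> <host> " header prepended by the receiving syslogd, then the
# controller's own stamp with a fractional part. The unprefixed sample in the
# thread has a space before ".682", so that space is optional here. A host
# field must start with a letter or digit, so ".682" can never be taken as one.
LINE = re.compile(
    rf"^(?:(?P<relay_ts>{TS}) (?P<host>[A-Za-z0-9][\w.:-]*) )?"
    rf"(?P<ctrl_ts>{TS}) ?\.(?P<frac>\d{{1,3}}) "
    r"(?P<src>\S+:\d+) (?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
ARP = re.compile(
    r"STA \[(?P<mac>[0-9a-f:]{17}), (?P<sta_ip>[\d.]+)\] ARP \(op (?P<op>\d+)\) "
    r"received with invalid SPA (?P<spa>[\d.]+)/TPA (?P<tpa>[\d.]+)"
)

# The two log lines quoted in the thread, unwrapped.
BARE = ("Dec 28 09:50:18 .682 dtl_net.c:1299 DTL-1-ARP_POISON_DETECTED: STA "
        "[00:11:24:9c:4c:8a, 0.0.0.0] ARP (op 1) received with invalid SPA "
        "169.254.99.205/TPA 169.254.99.205")
PREFIXED = ("Dec 28 09:57:01 ctrl-lc-3-m.ap.uiowa.edu Dec 28 09:57:01.189 "
            "dtl_net.c:1210 DTL-1-ARP_POISON_DETECTED: STA [00:11:24:92:b4:50, "
            "0.0.0.0] ARP (op 1) received with invalid SPA "
            "169.254.159.186/TPA 169.254.159.186")

def parse(line, peer=None):
    """Parse one controller line; return a dict, or None if it does not match.
    peer (hypothetical argument): sender address seen by the collector, used
    as the host when the line carries no prepended hostname."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"host": m["host"] or peer, "host_from_line": m["host"] is not None,
           "ctrl_time": f"{m['ctrl_ts']}.{m['frac']}",
           "source": m["src"], "tag": m["tag"]}
    arp = ARP.search(m["msg"])
    if arp:
        rec.update(arp.groupdict())  # mac, sta_ip, op, spa, tpa
    return rec

if __name__ == "__main__":
    print(parse(BARE, peer="192.0.2.10"))  # peer value is constructed
    print(parse(PREFIXED))
```

Records from either shape can then be grouped by `host`, which keeps events from several controllers separable even when the daemon did not prepend a hostname.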
