WLC 5508 Syslog send to custom port

We have added Splunk to a monitoring systems and I would like to send my wlc 5508 log messages to it.  We have the Syslog Data Inputs on that server are all TCP and we would like to maintain tcp only if possible. I do need to be on a custom port other than 514.  We are on 7.4.100.60 on a HA pair of 5508's.  Does any on have any insight on changing the syslog port number in the WLC config?

I too am using Splunk for capturing WLC Syslog.  With regards to the destination port of the Syslog, I don't know how to change it.  However, to get around this I have set up a Splunk Forwarder with Syslog-NG.  Basically Syslog-NG listens on any port number/protocol you define and writes logs to a log file name $hostname$.log.  This means I could have x different WLCs sending Syslog to Syslog-NG on UDP 514 and Syslog-NG will write the syslog from each host to it's individual file.
From their I've configured Splunk forwarder to monitor each file and forward the logs on to Splunk.  You can forward to any port/protocol you wish.
Also remember to do this
config logging debug syslog enable
On the controller.  Otherwise you won't see the messages you expect.

Similar Messages

  • Wlc 5508 get error when use port-channel

    We have two wlc in the system 5508 and 4402.
    we config HA for 2 wlc, both wlc enable LAG
    When I connect 2 interface  of 5508 to 2 interface (in a port channel mode on, trunk, dot1q) of a
    couple of VSS switch, I cant management 5508 through web any more, and I still can do with 4402.
    If I  shutdown 1 port int the port-channel, it work well.
    Do you know what happen ?
    Thanks
    Duyen

    hi Scott,
    We have VSS ( 2 x 6509) trunk with (2 switch 4506).  one port of wlc4402 connect to one port of one swith 4506.
    2 ports of wlc 5508 conect to 6509, each port connect to one switch 6509.
    the config in VSS switch like this:
    interface gig1/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 500 mode on
    interface gig2/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 500 mode on
    etherchannel load-balancer src-dst-ip
    ( I dont see this command in running config)

  • Cisco WLC 5508 not sending SNMP Traps

    Hello Everyone.
    I'm having a weird error on our WLC environment. We have an HA with two cisco WLC 5508 and i cannot get SNMP Traps working on a Windows PC running Kiwi Syslog server (free ed.).
    I can receive correctly Syslog messages, but not traps.
    I Tried also to send SNMP Traps from WLC to a different PC using Linux with snmptrapd and it works fine.
    I tried then to send from my Linux box a snmp trap to my Windows PC, and it works fine, but i still cannot receive anything from WLC.
    Using Wireshark to detect traffic, i cannot see any packet on udp port 162.
    I cannot figure out any problem with my scenario, but i can see the following errors on syslog:
    *rmgrTrasport: Mar 30 16:08:22.602: #RMGR-3-INVALID_PING_RESPONSE: rmgr_utils.c:270 Ping response from <my_windows_PC> is invalid. Ip address do not match.
    My WLC Version is 7.6.130.0
    Thank you for your support.

    I have gone through your query and found the following fruitful links ,please let me know if it helps and mark it correct answer if it is.
    https://www.manageengine.com/network-monitoring/help/userguide/processing_traps.html
    https://rscciew.wordpress.com/2014/10/12/snmp-configuration-on-wlc/
    Thanks :)

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
    Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
    Has anyone a simmilar setup or can help to figure out what is going wrong?
    We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
    regards
    Fabian

    The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.

  • ISE 1.2 - WLC 5508 - NAS sends RADIUS accounting update messages too frequently

    I'm getting this error in ISE referring to my Cisco 5508 WLC.  I'm not sure how to turn down the frequency.  Any ideas?
    NAS sends RADIUS accounting update messages too frequently
    Verify NAS configuration. Verify known NAS issues.

    I opened up a TAC case with Cisco yesterday and this is the response i got from them:
    There is bug on the WLC side to reduce the number acct updates:
    CSCug14713- WLC sends acct-update twice in the same millisecond
    This is fixed in 8.x on the WLC.
    So, it looks at though we just have to deal with it until they release an 8.x version for the WLC. In the meantime, you can disable the alerts in ISE.
    Administration>Settings>Alarm Settings>Misconfigured Network Device Detected
    Edit that alarm and set it to disabled

  • One WLC 5508, Multiple Sites/Networks

    So I'm trying to think this design out in my head.  Here is what I have:
    Corp Office with a WLC 5508 configured with a management port and a guest WLAN port for guest wireless etc to the corp Layer 3 switch in a wireless VLAN, using 802.1q trunk of course.  The WLC is configured to be a DHCP server for the Guest WLAN.
    (Side note:  the sites are connected using WAN routers at each location configured with bundled T3's and all routes are setup and each network successfully traverses to the other)
    First phase will be to install 30 APs.  5 at the corporate office and 25 and two other sites.  I'm using a class A network but have subnetted the networks so to speak to make each site have multiple VLANs using class C networks.  I want to be able to implement the WLC 5508 at the corporate office and manage the APs centrally at all locations.  The APs are already configured for lightweight mode and I have successfully configured 5 of them and connected. 
    My question is if I install the other 25 APs at the other 2 offsite locations and connect them to the network, will it automatically contact the WLC and get a DHCP address from the Corporate WLAN DHCP even though it is at another site?  Am I overlooking a step or configuration method for this type of implementation?
    Thanks for all contributions!

    Ok so I have configured my environment as suggested.  I can see the new IP Address lease to the AP at my remote site on
    the DHCP Server (Windows Server DHCP at the remote site).  I can ping that IP from the Central office to the remote site however the WIreless Controller is not associating the AP at all.  Although I can ping the AP from the WLC.  I checked the logs and I dont see any association attempt from that IP or MACt.  So here is what I have:
    Central Site-
         WLC 5508 With Internal DHCP for local APs
         APs associating successfully
    Remote Site
         Windows DHCP with Option 43 Configured per Cisco AP Option 43 Whitepaper
         AP 1142-Light-Weight attached to switchport (Wireless Vlan configured) and reachable via ping through all of network.
         AP obtained IP from Windows DHCP from Wireless Scope I configured successfully.
    So it doesn't seem the CAPWAP tunnel was built successfully.  I do have an ASA 5520 in the environment but all traffic to remote sites is wide open as I do not block any ports so CAPWAP traffic should flow well.
    Mission a step?
    Dee

  • WLC 5508 custom syslog port

    We're using a Kibana server that utilizes udp port 1514, instead of the normal port 514. There doesn't appear to be a place to specify a custom port number. Does anyone know of a place to change this? If not, is Cisco going to provide a software fix for this? I can do it on our ASA easily.

    Unfortunately you cannot change syslog port in any of the legacy controllers (5508/2504/etc). Here is a post on the same topic
    https://supportforums.cisco.com/thread/2239795
    If it is NGWC (like 3850,etc) you can do this as it runs on IOS-XE instead of Aironet software image.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC 5508 issue with 4 ports in portchannel

    Hi,
    We have one WLC 5508 and LAG is enabled on it but when we connect 4 cables to a distribution switch only 3 links are sending and receiving traffic and the 4th one is up with outgoing traffic from the distribution switch to WLC but nothing incoming.
    Some APs went down and refuse to be registered back to the WLC. when we shut down the 4th port everything is back to normal.
    the etherchannel config is identical and I can see all ports are active and not suspended :
    interface GigabitEthernet2/2/1
    description PortChannel-WLC1-Port1
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on
    interface GigabitEthernet2/2/2
    description PortChannel-WLC1-Port2
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on
    interface GigabitEthernet2/2/3
    description PortChannel-WLC1-Port3
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on
    interface GigabitEthernet2/2/4
    description PortChannel-WLC1-Port4
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on

    sh etherchannel 99 sum
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator
            M - not in use, no aggregation due to minimum links not met
            m - not in use, port not aggregated due to minimum links not met
            u - unsuitable for bundling
            d - default port
            w - waiting to be aggregated
    Number of channel-groups in use: 38
    Number of aggregators:           38
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                     Gi2/2/4(P)     
    Last applied Hash Distribution Algorithm: Fixed
    Gi2/2/3 is down becasue we had to shut down the interface because when it is up many APs refuse to register.

  • Port channel WLC 5508 and 3750

    Hi All,
    I want to configure Port channel for WLC 5508 and cisco 3750 Stack Switch. What changes I need to make on WLC and where?
    Thanks
    Jagdev

    Thanks Chris,
    LAG is enable on WLC, and Port channel is configured on 3750, Please see the configration and Port channel status below:-
    (Cisco Controller) >show lag summary
    LAG Enabled
    interface Port-channel14
    description Port Channel to WLC001
    switchport trunk encapsulation dot1q
    switchport mode trunk
    end
    sh etherchannel 14 summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator
            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port
    Number of channel-groups in use: 14
    Number of aggregators:           14
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    14     Po14(SD)        LACP      Gi1/0/22(I) Gi2/0/22(I)
    sh run int g1/0/22
    Building configuration...
    Current configuration : 209 bytes
    interface GigabitEthernet1/0/22
    description Trunk to WLC001 DistPort1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 254
    switchport mode trunk
    channel-group 14 mode active
    end
    sh run int g2/0/22
    Building configuration...
    Current configuration : 209 bytes
    interface GigabitEthernet2/0/22
    description Trunk to WLC001 DistPort2
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 254
    switchport mode trunk
    channel-group 14 mode active
    end

  • WLC-5508 logging to syslog

    It appears that there are two different types of log information generated by the WLC-5508.  The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via snmp trap.  Does anyone have this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?

    Mike,
    Have you tried to change the logging level on the wlc? There are multiple levels of logging that can be set on the wlc. On the wlc GUI, you can check the current logging level by navigating to this page - Management > Logs > Config > Syslog Server. Under the "Syslog Server", you can change the level of logging. 
    If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. Note that setting a higher logging level on the wlc might result in more logs sent to the syslog server.
    Regards,
    Nagendra

  • WLC 5508 : session disconnected when one lag-port is down.

    Hello,
    I have a WLC 5508 ( version 6.0.182).
    When the port1 and port2 are connected ( The switch is configured with a etherchannel in forced mode) everything works fine: There is traffic on the 2 ports.
    When I disconnect one of the 2 ports, I can still ping outside with my PC client, but all my tcp sesssions goes down and I even cannot restart my session. The only way I found  is to do a "Disconnect / Reconnect"  on my  PC  wireless connection.
    Do you know this probleme ?
    Is it a way to avoid it ?
    Michel Misonne

    CSCth12513 LAG fail-over does not work on CT5508
    This bug is fixed in the special release available through TAC : 6.0.199.157 and 7.0.xxxx
    Hope this helps.
    Nicolas
    ===
    Dont' forget to rate answers that you find useful

  • Change WLC 5508 port speed

    I connect a copper SFP on port 2 of WLC 5508 to a ASA 5510 firewall.  The links between two devices are down.  Since ASA 5510 only support 100 full, how do I change port speed on port 2 to 100.
    Thanks

    Does this mean, I couldn't change port speed on the WLC?
    Yes you can.  You can change the speed setting to GIGABIT, nothing less. 
    Why do I need to buy another Gigbit switch for 2 connection?
    What do you mean by "another"????   Do you have an existing GigabitEthernet switch that you can connect the WLC into?
    You need a GigabitEthernet port to connect the WLC's GigabitEthernet port.  And then you can have a FastEthernet port to connect the SAME SWITCH to your ASA.
    WLC --- (1000BaseTx) --- Switch --- (10/100BaseTx) --- ASA
    Does this make sense to you?

  • WLC 5508 Distribution Ports

    Dear Community,
    i have a small Q that should we configure any of distribution port of WLC 5508 with speed 10/100 to connect it with cisco's 3750 on fastethernet port.
    By default WLC ports are gig ports so is there any comand or option to configure the port by decreasing its speedin wlc.
                                                                           OR
    could we connect them in the same status like wlc gig port wit switch 3750 fastethernet port and there will not any speed mismatch and it will work fine.Honestly on my behalf it will not work like this.
    please advise what is the best practice to do that.

    i have a small Q that should we configure any of distribution port of WLC 5508 with speed 10/100 to connect it with cisco's 3750 on fastethernet port.Won't work because the 5508 will negotiate to 1Gb only.

  • Possible to setup something likes "protected port" on WLC 5508

    Hello,
    Let's say I have 3 APs, all connected to a WLC 5508
    Each AP has a computer that is connected to it, Computer A, B and C, all on the same Vlan with same SSID
    Is it possible to configure so
    A and B can not talk to each other but both can talk to C  ?
    Something like "protected port" feature in the switch world.
    Thanks

    Im looking for a solution for a WiFi network for our guests, where they dont need to talk to each other, and all need to talk to a wire internet gateway/router only.
    If you want to block guest SSID users from talking to each other then it's possible.  As Scott has pointed out, it's called "P2P Blocking Action".
    I do NOT recommend having guest and corporate share the same SSID.  I don't think it's best practice.

  • WLC 5508 - What is the use of service port.

    Hi,
    I am getting hard to understand use of service port in wlc 5508,
    Even after reading so much post and cisco note I am not understanig the use of (Even basic use) service port.
    As I understand service port should be access port and should be in diffrent vlan.
    Pleae help me to understand it in simple way....

    Hi Tarun,
    Like others mentioned it is used for Out of Band Management of a WLC. Many do not use this as it could leads to issues unless you properly configure it & put it onto two completely different supernets. Config guides highlighted those restrictions & below is one of them listed in 7.4 config guide
    Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the management interface of the controller.
    In situations you can use it to get access by directly connecting a laptop to take configuration backup or restore configuration to a controller. In the below post I have used service port to take backup & restore the configuration to a WLC.
    http://mrncciew.com/2013/01/25/backup-restore-wlc-configs/
    HTH
    Rasika
    **** Pls rate all useful responses ****

Maybe you are looking for