WLC Syslogging

I have a syslog question. We do not send any logs from our controllers to any other system. What is the best software to capture logging from the controllers? We have CiscoWorks but we do not have our controllers added to CiscoWorks. I am a little bit hesitant to try to add them to CiscoWorks, if that is possible.

I use the traps on the wlc. I have not researched it much but what software would you recommend for logging the traps? Splunk?

Similar Messages

  • Any way to shut off WLC syslog %APF-4-ROGUE_AP_ADD_FAILED?

    Hello,
    Does anyone know of a way to shut off syslog traffic for "%APF-4-ROGUE_AP_ADD_FAILED" other than by changing the WLC syslog level?
    We need to keep that level (warning level 4) in order to view important warnings.  The message noted above is 70% of WLC syslog traffic...way too much.
    Mike Ciulla

    Hi,
    Yeah, we tried that too with WCS. We can classify malicious (unknown AP using our SSIDs) and friendly (known APs of another department that we are merging with), but not unclassified, which is where most of them sit.  The controllers max out with rogues and dump all the "add failed" spam logs. Looks like we will just filter at the syslog servers after it traverses the network, as you mentioned.  I guess 20k/hr is not that heavy anyway, but it does tie up some WLC processing power.  Was thinking the spam could be dumped right at the controller.
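
The collector-side filtering this thread settles on, as an added example that is not part of the original posts: it keeps everything up to warning level 4, discards only `APF-4-ROGUE_AP_ADD_FAILED`, and counts what it discards so the volume of rogue-table overflow stays visible. The function name, the fail-open handling of unparsed lines and the sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Message identifier FACILITY-SEVERITY-MNEMONIC, with the optional % or #
# prefix that appears in the log excerpts on this page.
MSG_ID = re.compile(r"[%#]?\b([A-Z][A-Z0-9_]*)-([0-7])-([A-Z][A-Z0-9_]*)\b")

# Identifiers to discard at the collector (the one named in this thread).
SUPPRESS = frozenset({"APF-4-ROGUE_AP_ADD_FAILED"})


def filter_wlc_syslog(lines, max_severity=4, suppress=SUPPRESS):
    """Split lines into (kept, dropped_counts).

    - A line whose identifier is in `suppress` is dropped and counted.
    - A line whose severity number is greater than `max_severity` is dropped
      and counted under "above-level".
    - A line with no recognisable identifier is kept, so an unexpected
      format is never silently lost.
    """
    kept, dropped = [], Counter()
    for line in lines:
        m = MSG_ID.search(line)
        if m is None:
            kept.append(line)
            continue
        ident = "-".join(m.groups())
        if ident in suppress:
            dropped[ident] += 1
        elif int(m.group(2)) > max_severity:
            dropped["above-level"] += 1
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample input: the identifiers come from threads on this page;
# host name, timestamps and free text are made up for the example.
SAMPLE = [
    "Jan 10 09:00:01 wlc1 %APF-4-ROGUE_AP_ADD_FAILED: constructed text",
    "Jan 10 09:00:01 wlc1 %APF-4-ROGUE_AP_ADD_FAILED: constructed text",
    "Jan 10 09:00:02 wlc1 ethoip.c:342 ETHOIP-3-PKT_RECV_ERROR",
    "Jan 10 09:00:03 wlc1 %APF-4-ROGUE_AP_ADD_FAILED: constructed text",
    "Jan 10 09:00:04 wlc1 apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: "
    "Not saving 'apf.cfg' - no config changes.",
    "Jan 10 09:00:05 wlc1 #DOT1X-4-MAX_EAPOL_KEY_RETRANS: constructed text",
    "Jan 10 09:00:06 wlc1 constructed line without an identifier",
]

if __name__ == "__main__":
    kept, dropped = filter_wlc_syslog(SAMPLE)
    for line in kept:
        print(line)
    print("dropped:", dict(dropped))
```

Forwarding the `dropped` counts on a schedule keeps a record of how hard the controller's rogue table is being hit without storing every message.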

  • WLC Syslog error message

    Hi all,
    I get a lot of the following syslog error messages from 3 of my 4 WLCs (two WiSMs).
    Error message:
    ethoip.c:342 ETHOIP-3-PKT_RECV_ERROR
    I searched at cisco.com and I found the information to use the bug toolkit or open a tac case, but I didn't find a bug or any further information related to that problem.
    I cannot even recognize any differences in the WLC configs - for centralized configuration I use a WCS.
    WiSM Software version: 5.0.148.0
    WCS Software version: 5.0.56.0
    Has any of you had the same problem?
    Thank you for all information!
    Best regards
    Peter

    Hi dennischolmes,
    after your post I checked the mobility group configuration on all four controllers, and indeed, there was an inconsistency in the configuration. The WCS couldn't see the mismatch, because the settings between the WCS and the controllers were the same. As I looked on the controllers' web pages I saw that different mobility group members with various mobility group names were configured on every single controller, maybe caused by applying a new controller template, where I changed the mobility group name.
    I started from scratch configuring the mobility groups and the syslog error messages stopped.
    Thank you very much!

  • WLC syslog messages

    Does anyone know where to find an overview of the controller's syslog messages?
    Regards
    johann Folkestad

    I think the WLC configuration guide has a chapter for error messages. This might have your necessary information.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a008076ce82.html

  • WLC 5508 Syslog send to custom port

    We have added Splunk to a monitoring system and I would like to send my WLC 5508 log messages to it.  The Syslog Data Inputs on that server are all TCP and we would like to maintain TCP only if possible. I do need to be on a custom port other than 514.  We are on 7.4.100.60 on an HA pair of 5508s.  Does anyone have any insight on changing the syslog port number in the WLC config?

    I too am using Splunk for capturing WLC syslog.  With regards to the destination port of the syslog, I don't know how to change it.  However, to get around this I have set up a Splunk Forwarder with Syslog-NG.  Basically Syslog-NG listens on any port number/protocol you define and writes logs to a log file named $hostname$.log.  This means I could have x different WLCs sending syslog to Syslog-NG on UDP 514 and Syslog-NG will write the syslog from each host to its individual file.
    From there I've configured the Splunk forwarder to monitor each file and forward the logs on to Splunk.  You can forward to any port/protocol you wish.
    Also remember to do this
    config logging debug syslog enable
    On the controller.  Otherwise you won't see the messages you expect.

  • Wireless AirOS Global AP Syslog Level configuration command 7.4.121.0

    Hello
    I have a controller 5508 running on version 7.4.121.0. With the command "show ap config global" I can check the global AP syslog config:
    AP global system logging host.................... 0.0.0.0
    AP global system logging level................... informational
    By default the syslog host IP is 0.0.0.0. With the command ">config ap syslog host global x.x.x.x" I can configure the IP of the syslog server.
    Question:
    How can I configure the global syslog level?
    I searched in the command reference but there is no specific command to set the global AP syslog level.
    Thanks,
    Rolf

    Hi Rolf,
    Here is the command you required
    config ap logging syslog level <syslog_level> all   
    This post also should give you an idea how to configure syslog in different WLC platforms & how to analyze them using splunk
    http://mrncciew.com/2014/09/19/wlc-syslog-analysis/
    Pls mark the thread as "answered" if this is what you are looking for.
    HTH
    Rasika

  • WLC log needs to show AP name instead of MAC

    I am looking for a way to show the AP name in my WLC logs (5508). I am now seeing MAC addresses in the logs and it would be easier to immediately see the AP names. I found a command in the AP that should be able to fix this: "logging origin-id hostname". However, since the APs are CAPWAP and connecting to the controller, once the APs are reloaded they lose this config. So I am looking at a solution for configuring this in the WLC...

    I do not think you can configure this through the WLC as it is not an IOS-based product. Here are the settings related to AP syslog that you can change via the WLC (syslog host, facility & level)
    (WLC) >config ap logging ?
    syslog         Set Ap logging syslog level.
    (WLC) >config ap logging syslog ?
    level          Syslog level.
    facility       Facility level.
    (WLC) >config ap syslog ?
    host           Configures the system logging host for Cisco AP
    (WLC) >config ap syslog host ?
    global         Configures the global system logging host for all Cisco AP
    specific       Configures the system logging host for a specific Cisco AP.
    HTH
    Rasika
    ****Pls rate all useful responses ****

  • Get DHCP logs from WLC?

    We've got a WLC 4402 running 5.2.157.0, and WCS 5.0.72.0.
    We've got a guest wlan that uses web authentication to grant IP addresses for guest users.
    We have the WLC syslogging to another server, at syslog level critical.
    What we would like to do is get the MAC address of machines that are given DHCP addresses, so that we can tell who is using our wireless, or attempting to.
    If syslog isn't how to get this information, is there another show command to see what machines got given DHCP addresses?
    Thanks,
    R

    You could see this with "show dhcp leases" from the controller's CLI or you should also be able to get this info through SNMP.

  • IMP: Cisco AIR-CAP1602 &1532 not joining 2504 Controller issue

    Dear Team, We have Cisco wireless implementation in clients premises. We have 8 indoor AP (AIR-CAP1602E-AK9) and 2 Outdoor AP (AIR-CAP1532I-AK9) . Seven indoor APs are able to join the 2504 controller, but 1 indoor AIR-CAP1602E AP is not joining and signal is RED continuously while as outdoor AP AIR-CAP1532I-AK9 signal goes blinking from green, red to amber continuously and is not downloading LWAPP image from the controller even after hard reset.
    The output for both APs shown below-
    1) AIR-CAP1602E-A-K9:
    C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Compiled Fri 30-Nov-12 15:48 by aselvara
    ap: reset
    Are you sure you want to reset the system (y/n)?y
    System resetting...
    Boot from flash
    IOS Bootloader - Starting system.
     FLASH CHIP: Spansion S25FL256
    Xmodem file system is available.
    flashfs[0]: 14 files, 3 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 31936000
    flashfs[0]: Bytes used: 418304
    flashfs[0]: Bytes available: 31517696
    flashfs[0]: flashfs fsck took 9 seconds.
    Reading cookie from SEEPROM
    Base Ethernet MAC address: 18:e7:28:d1:9b:05
     ************* loopback_mode = 0
    The system is unable to boot automatically because there
    are no bootable files.
    C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Compiled Fri 30-Nov-12 15:48 by aselvarag
    Same event repeating, failed to reset and reboot device
    2) AIR_CAP1532I-A-K9 (Outdoor AP):
     *Mar  1 00:01:22.211: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Mar  1 00:01:22.211: %CAPWAP-3-ERRORLOG: Discovery response from MWAR 'Cisco_47:32:e4'running version 7.5.102.0 is rejected.
    *Mar  1 00:01:22.211: %CAPWAP-3-ERRORLOG: Failed to decode discovery response.
    *Mar  1 00:01:22.211: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 2 state 2.
    *Mar  1 00:01:22.211: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Mar  1 00:01:22.211: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 100.1.1.20
    signal goes blinking from Green, Red to Amber continuously.
    Failed to download LWAPP image from the controller even after hard reset.
    Default image: 7.6.95.12
    Logs and screen shot attached
    Please advise.
    Thanks
    Aakash

    Hi please note the details below-
    AIR-CAP1602E-A-K9:
    C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Compiled Fri 30-Nov-12 15:48 by aselvara
    ap: reset
    Are you sure you want to reset the system (y/n)?y
    System resetting...
    Boot from flash
    IOS Bootloader - Starting system.
     FLASH CHIP: Spansion S25FL256
    Xmodem file system is available.
    flashfs[0]: 14 files, 3 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 31936000
    flashfs[0]: Bytes used: 418304
    flashfs[0]: Bytes available: 31517696
    flashfs[0]: flashfs fsck took 9 seconds.
    Reading cookie from SEEPROM
    Base Ethernet MAC address: 18:e7:28:d1:9b:05
     ************* loopback_mode = 0
    The system is unable to boot automatically because there
    is no bootable files.
    C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Compiled Fri 30-Nov-12 15:48 by aselvarag
    Can't reboot device!
    WLC-SYSLOG
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.5.102.0
    Bootloader Version............................... 1.0.18
    Field Recovery Image Version..................... 1.0.0
    Firmware Version................................. PIC 16.0
    Build Type....................................... DATA + WPS
    System Name...................................... Cisco_47:32:e4
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
    IP Address....................................... 100.1.1.20
    Last Reset....................................... Power on reset
    System Up Time................................... 0 days 2 hrs 18 mins 39 secs
    System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180
    --More-- or (q)uit
    Configured Country............................... US  - United States
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +32 C
    External Temperature............................. +37 C
    Fan Status....................................... 4000 rpm
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 3
    Number of Active Clients......................... 0
    Burned-in MAC Address............................ 24:E9:B3:47:32:E0
    Maximum number of APs supported.................. 15

  • Monitor capwap access points

    Hello ,
    After migrating from standalone access points to capwap access points ( with wireless lan controller / Cisco Prime ) , a lot of people are wondering how to monitor their AP's by receiving traps from the controllers .
    I am searching for trap list that should be accepted by a monitoring product ( ie nagios  ) in order to monitor the status of the access points .
    Where can i find this info ?
    Thank you in advance for your help ;
    Rgds.
    Hubert.

    Since all APs are managed by the WLC, all information is available from the WLC; there is no need to get this information from the AP directly.
    If you want, you can configure AP & WLC syslog to export to a syslog server & then analyse them. The posts below may give some idea
    http://mrncciew.com/2014/09/19/wlc-syslog-analysis/
    http://mrncciew.com/2013/02/06/syslog-msg-log-in-wlc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Client drops - Tuning EAP timers?

    I have had some clients complaining (laptop users) about being dropped from the WiFi and this appears to correlate with the events in the WLC log for DOT1X-4-MAX_EAPOL_KEY_RETRANS for those clients.
    Drops are more frequent when the network and neighbours' networks are under load during the day.
    What would your advice be on tuning this? I based my settings off a guide found here:
    https://supportforums.cisco.com/document/46101/eap-timers-wireless-lan-controllers
    The way I interpret this is that the settings present a bit of a tradeoff between the risk of being dropped and the time it takes to get back in if you are dropped.
    We have a WLC 2500 with 2700 APs running 7.6.130.0.
    Below are the current settings that we have set:
    Edit: Table did not paste correctly
    Local Auth Active Timeout1 (in secs) "300"
    Identity Request Timeout (in secs) "5"
    Identity request Max Retries "12"
    Dynamic WEP Key Index "0"
    Request Timeout (in secs) "30"
    Request Max Retries "2"
    Max-Login Ignore Identity Response "enable"
    EAPOL-Key Timeout (in milliSeconds) "1000"
    EAPOL-Key Max Retries "2"
    EAP-Broadcast Key Interval(in secs) "3600"

    I should have mentioned that this is on WPA2 also.
    What I'm told is that the drops may occur 2-3 times per day for some users. Others don't have this issue or aren't bothered enough by it to notice. There is no definite correlation between equipment or area, although proximity to APs does influence this (drops are more likely with increased distance), but we still have users without such drops at the same location as users experiencing them. Drops only seem to occur during busy office hours and not outside of them, despite this being a 24/7 access office with a considerable amount of people staying late.
    I could probably attempt a cli client debug capture and see if something else shows up although the problem is not very frequent so it will be a long day.
    Another question would be what is within the tolerances of how WiFi should perform in this situation. Is it reasonable for this to happen in a WiFi congested spot?
    Entries for an affected client in wlc-syslog set to debug (not the cli debug tool) may look like this during a day for the mac aa:bb:cc:aa:bb:cc:
    Cisco_ac: 3c:44: *dot1xMsgTask: Mar 13 11:57:34.645: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M1 retransmissions exceeded for client aa:bb:cc:aa:bb:cc
    Cisco_ac: 3c:44: *dot1xMsgTask: Mar 13 11:57:41.045: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M1 retransmissions exceeded for client aa:bb:cc:aa:bb:cc
    Cisco_ac: 3c:44: *dot1xMsgTask: Mar 13 11:57:47.045: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M1 retransmissions exceeded for client aa:bb:cc:aa:bb:cc
    Cisco_ac: 3c:44: *dot1xMsgTask: Mar 13 11:58:25.265: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M1 retransmissions exceeded for client aa:bb:cc:aa:bb:cc
    Cisco_ac: 3c:44: *dot1xMsgTask: Mar 13 11:58:32.065: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M1 retransmissions exceeded for client aa:bb:cc:aa:bb:cc
    Cisco_ac: 3c:44: *dot1xMsgTask: Mar 13 11:58:38.065: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M1 retransmissions exceeded for client aa:bb:cc:aa:bb:cc
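
A way to turn log lines like the ones in this post into per-client drop episodes, as an added example that is not part of the original thread: it parses `DOT1X-4-MAX_EAPOL_KEY_RETRANS` entries and groups events for the same client that fall within a gap window into one burst. The 30-second window, the function name and the one constructed line for a second client are assumptions; the other sample lines are the six quoted above.

```python
import re
from datetime import datetime, timedelta

# Timestamp, key message (M1, M3, ...) and client MAC from one log entry.
EVENT = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"[%#]DOT1X-4-MAX_EAPOL_KEY_RETRANS: .*?EAPOL-key (?P<msg>M\d) "
    r"retransmissions exceeded for client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def eapol_bursts(lines, max_gap=timedelta(seconds=30)):
    """Group retransmission failures into bursts per client.

    Events for one client separated by no more than `max_gap` (an assumed
    window, tune it to your timers) count as a single episode.
    """
    events = []
    for line in lines:
        m = EVENT.search(line)
        if m:
            # The log carries no year; a fixed leap year keeps Feb 29 valid.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
            events.append((m["mac"].lower(), ts, m["msg"].upper()))
    bursts = []
    for mac, ts, msg in sorted(events):
        last = bursts[-1] if bursts else None
        if last and last["client"] == mac and ts - last["end"] <= max_gap:
            last["end"] = ts
            last["count"] += 1
        else:
            bursts.append({"client": mac, "start": ts, "end": ts,
                           "count": 1, "key_msg": msg})
    return bursts


PREFIX = "Cisco_ac: 3c:44: *dot1xMsgTask: Mar 13 "
BODY = (": #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M1 "
        "retransmissions exceeded for client ")
# The six entries from the post, plus one constructed entry (last line)
# for a made-up second client to show the per-client grouping.
SAMPLE = [PREFIX + t + BODY + "aa:bb:cc:aa:bb:cc" for t in (
    "11:57:34.645", "11:57:41.045", "11:57:47.045",
    "11:58:25.265", "11:58:32.065", "11:58:38.065")]
SAMPLE.append(PREFIX + "11:57:40.000" + BODY + "00:11:22:33:44:55")

if __name__ == "__main__":
    for b in eapol_bursts(SAMPLE):
        print(b["client"], b["start"].time(), b["end"].time(), b["count"])
```

On the quoted entries this reports two episodes of three failures each for the client, which is the figure to compare against the 2-3 drops per day that users describe.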

  • Understanding syslog messages from our wlc

    Hello,
    we use two WLC 4402 (4.1.181.0) and several lightweight access points (AIR-AP1010-E-K9 and AIR-AP1030-E-K9) connected to them.
    On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
    1. ca. 10 times per hour we get the message
    apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
    Cisco system message guide:
    Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
    Explanation Not saving - no config changes.
    Recommended Action No action is required.
    Does anybody know why we get these messages and if it's possible to suppress them?
    2. Intermittently (several times a day) we get the following message types:
    a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
    b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
    The MAC address is not every time the same but one of our accesspoints.
    On our network management system we get the following trap messages with nearly exactly the same timestamp:
    14.01.2008 04:21:56 CET
    AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
    When Airespace AP's interface operation status goes down this trap will be sent.
    bsnAPDot3MacAddress = 00.0b.85.56.63.40
    bsnAPIfSlotId = 0x1
    14.01.2008 04:21:56 CET
    AP disassociated from Switch.
    When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
    bsnAPMacAddrTrapVariable =
    14.01.2008 04:22:25 CET
    AP associated with Switch.
    When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
    bsnAPMacAddrTrapVariable =
    bsnAPPortNumberTrapVariable = 1
    Cisco system message guide:
    a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
    Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
    Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    Because we don't see any network problems I'm wondering why the connection is lost.
    Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
    Is there any possibility to remotely check if the accesspoint rebooted?
    If you need further information please give me a short feedback.
    Many thanks in advance,
    Thorsten Steffen

    Thanks for the help.
    I have set up to send email and syslog messages from the RME applications. The LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) is made consistent with what the second script (.bat) refers to (forward1.pl). What's the problem?  Does RME send the standard syslog messages via UDP port 514?
    Sincerely.

  • WLC-5508 logging to syslog

    It appears that there are two different types of log information generated by the WLC-5508.  The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via snmp trap.  Does anyone have this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?

    Mike,
    Have you tried to change the logging level on the wlc? There are multiple levels of logging that can be set on the wlc. On the wlc GUI, you can check the current logging level by navigating to this page - Management > Logs > Config > Syslog Server. Under the "Syslog Server", you can change the level of logging. 
    If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. Note that setting a higher logging level on the wlc might result in more logs sent to the syslog server.
    Regards,
    Nagendra

  • WLC and syslog broadcast from AP

    Hello,
    my WLC analyzer keeps on informing me about syslog messages sent in broadcast from my APs.
    how can I solve this problem?
    thanks
    Johnny

    By default, the LAPs send log info to the broadcast address, 255.255.255.255. You should set this to your syslog server, so that it can be unicast.
    config ap syslog host global 1.2.3.4
    otherwise your LAP-network will be flooded with broadcasts if something odd happens.
    see also "Wireless LAN Controller (WLC) Configuration Best Practices" for details on this hint and other things that you possibly "should set".

  • Syslogging on WLC for custom webauth bundle

    Hi,
    I recently created a WLAN for guest users. They would have to "register" themselves by entering an email address. After this they get access to the guest WLAN for a number of hours. My question: In the logs of our syslog server I don't see any of these registrations. How can I enable this or what is needed to do this?
    kind regards,
    tverscheure

    Hello Tim,
    As per your query I can suggest the following solution-
    In order to configure the WLC for syslog servers with the GUI, complete these steps from the Wireless LAN Controller GUI.
    1.Choose MANAGEMENT > Logs > Config to navigate to this page.
    2.Enter the syslog server IP address and click Add.
    3.Under Syslog Level, set the severity level to filter syslog messages to the syslog servers.
    4.Under Syslog Facility, set the facility for outbound syslog messages to the syslog servers.
    5.Click Apply.
    For more information refer to the link-
    http://www.cisco.com/en/US/products/ps6307/products_configuration_example09186a00809a2d76.shtml
    Hope this will help you.
