
Thu, Jul 9, 2020 8:33 AM


Can we do something about the ZoneDirector 12xx "remote syslog"?

Has anyone actually tried integrating Ruckus with something like "Wazuh"?
There are two ways to normally integrate products:
1. An agent... not possible.
2. Via the syslog.


Sadly the syslog output from the ZD & wifi points is a complete mess.

Here is an example of what the remote "Wazuh" server receives...

Jul  9 16:22:23 ZD-APMgr: IPC_thread rcv ping from TACMON
Jul  9 16:22:35 stamgr: tac_del_arp:dev=br0 SIOCDARP failed, errno=6
Jul  9 16:22:35 syslog: eventd_to_syslog():AP[[email protected]:b0:52:15:d8:f0] radio [11a/n/ac] detects User[[email protected]:a3:15:ff:5c:83] in WLAN[some Office User] roams out to AP[[email protected]:b0:52:15:7b:90]
Jul  9 16:22:35 syslog: eventd_to_syslog():AP[[email protected]:b0:52:15:7b:90] radio [11g/n] detects User[[email protected]:a3:15:ff:5c:83] in WLAN[some  Office User] roams from AP[[email protected]:b0:52:15:d8:f0]

Jul  9 07:37:48 [email protected]: lwapp_update_role_based_access_pcy_me: attached role based policy_id :0, policy6_id :0 to station me_type=201 84:a1:34:4c:f3:e7


Basically this is complete garbage to parse if you have multiple systems sending logs...
How to even begin to parse "16:22:35 stamgr" or "16:22:35 syslog:" over multiple systems all sending UDP packets...




Why can it not be better organised?

E.g.:

ZD-APMgr: line no {date & time something industry standard}, "some standard message format"
Then do the same for the APs.

So separated lines can be linked together when you have multiple feeds & multiple ZDs into the same log server, and the "line no" tells you if the UDP has lost something...

That way the absolute start of the line can be "regexed" to a trigger, to save processing masses of log data.

Yep... it's the ZD... we want it... good luck with "16:22:35 stamgr" or "16:22:35 syslog".
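An added example (not part of the original post) of the kind of parsing a log server would have to do on these lines: it splits the BSD-style header, pulls the fields out of the eventd_to_syslog() roaming events, and correlates the "roams out to" and "roams from" lines that two APs emit for the same roam into one record. The sample lines are constructed to match the format quoted above; the MAC addresses and AP names in them are made up.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the ZoneDirector output quoted in the post.
# AP names and MAC addresses are invented for the example.
SAMPLE_LINES = [
    "Jul  9 16:22:23 ZD-APMgr: IPC_thread rcv ping from TACMON",
    "Jul  9 16:22:35 stamgr: tac_del_arp:dev=br0 SIOCDARP failed, errno=6",
    "Jul  9 16:22:35 syslog: eventd_to_syslog():AP[ap-lobby@00:11:22:33:44:55] radio [11a/n/ac] "
    "detects User[client@aa:bb:cc:dd:ee:01] in WLAN[some Office User] roams out to AP[ap-hall@00:11:22:33:44:66]",
    "Jul  9 16:22:35 syslog: eventd_to_syslog():AP[ap-hall@00:11:22:33:44:66] radio [11g/n] "
    "detects User[client@aa:bb:cc:dd:ee:01] in WLAN[some  Office User] roams from AP[ap-lobby@00:11:22:33:44:55]",
]

# BSD-style header: "Mon DD HH:MM:SS program: message" (no year, no host, no sequence number).
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<prog>\S+?): (?P<msg>.*)$"
)

# Roaming events hide behind the generic "syslog:" program name and are only
# recognisable from the eventd_to_syslog() prefix and the bracketed fields.
ROAM_RE = re.compile(
    r"eventd_to_syslog\(\):AP\[(?P<ap>[^\]]+)\] radio \[(?P<radio>[^\]]+)\] "
    r"detects User\[(?P<user>[^\]]+)\] in WLAN\[(?P<wlan>[^\]]+)\] "
    r"roams (?P<direction>out to|from) AP\[(?P<peer_ap>[^\]]+)\]"
)


def parse_ruckus_line(line: str) -> Optional[dict]:
    """Split a ZD syslog line into header fields; tag roaming events and extract their fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "program": m["prog"], "message": m["msg"], "event": "other"}
    roam = ROAM_RE.search(m["msg"])
    if roam:
        rec.update(roam.groupdict())
        rec["event"] = "roam"
        rec["wlan"] = " ".join(rec["wlan"].split())  # the WLAN name arrives with uneven spacing
    return rec


def correlate_roams(lines) -> set:
    """Reduce the two per-roam lines (one from each AP) to one (user, from_ap, to_ap, wlan) tuple."""
    roams = set()
    for rec in filter(None, map(parse_ruckus_line, lines)):
        if rec["event"] != "roam":
            continue
        if rec["direction"] == "out to":   # reported by the AP the client left
            roams.add((rec["user"], rec["ap"], rec["peer_ap"], rec["wlan"]))
        else:                              # "from": reported by the AP the client joined
            roams.add((rec["user"], rec["peer_ap"], rec["ap"], rec["wlan"]))
    return roams
```

Without a host or sequence field in the header, nothing in the parsed records says which ZD or AP sent a given "syslog:" line, which is the gap the post is asking Ruckus to close.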





