vSZ syslogs missing client IP address

  • 2
  • Question
  • Updated 1 month ago
  • Answered
We are running into an issue on our vSZ (v5.1.0.0.496) with the clientAuthorization and clientJoin syslogs. Neither of these syslogs contain the clientIP field, which is a problem for customers with security appliances that depend on these syslogs to tie usernames to wireless clients. Strangely, the clientDisconnect syslog does include the clientIP field. 

Is there a way to enable this feature? ZoneDirector syslogs include a field for "sta_ip", which is what we've been using in the past (see THIS thread for context on ZD syslogs in this scenario). The vSZ syslogs are in a completely different format, which is fine, but they are missing this critical information. Here is my vSZ configuration for reference:


Nick Zourdos

  • 28 Posts
  • 5 Reply Likes
  • confused

Posted 7 months ago

  • 2
pmonardo, Employee

  • 35 Posts
  • 20 Reply Likes
Hi Nick,

The alarms and events guide posted on the support site for SmartZone mentions the following for ClientAuth and ClientJoin -> "clientIP". So it should be there.

Severity must be informational, but I believe yours is set to emergency.
Nick Zourdos

  • 28 Posts
  • 5 Reply Likes
We are receiving the clientJoin syslogs with the current configuration, aren't those sent as part of the "Event Facility" and "Event Filter" settings? I intentionally set the "Application", "Administrator", and "Other" settings to the highest level in order to avoid overrunning our syslog server. Does one of these need to be set to Info in order for the clientIP field to appear? 
Nick Zourdos

  • 28 Posts
  • 5 Reply Likes
Word of warning to anyone else who is looking for this feature: It is not supported in SmartZone (as of v5.1.0) if you are using 802.1x authentication. Client IP addresses are only included in the clientJoin and clientAuthorization syslogs if you use Open or Web Portal authentication. If you are currently relying on these logs from your ZoneDirector to be exported to your Palo/Meraki/etc. appliances, you will be disappointed if you move to SmartZone. There is an open feature request for this issue (FR-3031). This will NEED to be addressed before the ZoneDirector platform is retired. 

The underlying problem is that SmartZone sends the clientJoin (after the client is associated) and clientAuthorized (after the client is authenticated) syslogs, but does not send any syslogs after the client receives an IP address and “officially joins” the controller. Since there is no IP for a client during the association/authorization process, it makes sense that these syslogs are missing that information. The difference with ZoneDirector is that it doesn’t send these detailed syslogs, but instead sends a single “Operational Add” log that summarizes when a client is added to the controller’s client database, which happens after the client obtains an IP. This seems like a large feature gap that needs to be addressed.

The SmartZone Alarm and Event Reference Guide is misleading at best, since it indicates that the clientIP attribute should be included in the clientJoin and clientAuthorization syslogs (page 225 and 227). It does not specify that this is only achievable using Open/Web Portal authentication.
Stephen Hall

  • 36 Posts
  • 2 Reply Likes
Thanks for this info Nick, that is good to know/be aware of beforehand. And I agree this is almost a requirement to be added.

I think a lot more work needs to be done on vSZ syslog data/output (and standalone syslogs for that matter). Most in the know use remote syslogs, so the data needs to be detailed and complete (and often can be behind a NAT / masq rule, so don't count on the src IP IDing the source). This, and/or Ruckus needs to allow the customer more syslog options or flexibility. As an extreme/awesome case, on our Axis IP cameras, Axis allows advanced customers direct access to the rsyslog.conf file, so the sky is the limit! They of course don't suggest you edit this, and if you do, they will not support anything related to syslog after edits. But the option is there.
tks
Andrew Giancola

  • 99 Posts
  • 27 Reply Likes
Yeah, but the impact to one camera isn't the same as a controller which may be hosting tens of thousands of APs. Mess with a single Axis and you lose perhaps a single camera, as Axis gives all customers access to nearly all CONF files on the unit.
In our org we use both Axis cameras (several hundred units) and Ruckus (several thousand units), and I've got my issues with Axis: P1428s and their penchant for rebooting constantly, image ghosting that gives my surveillance videos a somewhat RETRO FUTURE type vibe. I've got a few Q3708s and Axis has NEVER been able to fix my issue with camera 1 going black and white suddenly.
As for logs, does changing the log you need to Debug help? It's helped us.
Sorry for the rant, I'm up late dealing with an AXIS camera issue as we speak!
Jeff Baublitz

  • 4 Posts
  • 0 Reply Likes
We too need this badly.. Hope Ruckus has an update soon...
Nick Zourdos

  • 28 Posts
  • 5 Reply Likes
This feature is now available as an AP patch, and it should be included in the next major release of SmartZone. You may want to ask support if they can get you the patch, you can reference my case# 00914107. 
Jeff Baublitz

  • 4 Posts
  • 0 Reply Likes
Thank you, asking right now. I'll update when I hear back. 
Jeff Baublitz

  • 4 Posts
  • 0 Reply Likes
Support confirms this will be addressed in 5.1.2.X. I'll be updating in a month when this is available. Thanks again!
Andrew Giancola

  • 99 Posts
  • 27 Reply Likes
/[^\d.]60:f8:1d:c2:53:6e/
This is the MAC address of my MacBook Pro. Hope the syntax helps you!
Thomas Kranzler

  • 2 Posts
  • 0 Reply Likes
A little.

Here's an excerpt from the vSCG syslogs:

2019-09-18 21:32:10 Local0.Info 10.250.10.230 Sep 19 04:32:10 RuckusController1 Core: User[bob] disconnects from WLAN[STAFF] at AP[WAP1] with session data(Client Mac[someMac],Client IP[10.250.24.11],OS Type[iOS],Host Name[pickles],BSSID[some BSSID],User Name[bob],VLAN[24],Encryption[WPA2-AES],Association Time[01 01 00:00:00 1970],Disconnect Reason[client Disconnect],Session Duration[75s],Bytes to User[6679],Bytes from User [21624],RSSI[35],SNR[-70],Client Radio[a/n/ac],AP Location[],AP GPS[])

Here are the PAN settings I'm using:

Event Regex: disconnects
Username Regex: User\ Name([[a-zA-Z0-9\\\._]+])
Address Regex: Client\ IP([[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])

It looks good in https://regex101.com/, but the PAN doesn't seem to parse the logs.
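The Username and Address patterns posted above put the opening `[` inside the character class and match the closing `]` inside the capture group, so group 1 yields `[bob]` and `[10.250.24.11]` rather than the bare values a user-to-IP mapping needs. The Python script below is an added example, not code from the thread, from Ruckus or from Palo Alto Networks: it runs the posted patterns against a line modelled on the vSCG excerpt above (with constructed MAC and BSSID values in place of the "someMac" / "some BSSID" placeholders) to show exactly what they capture, then parses the same line with patterns that anchor on the literal brackets and return only the inner values, and applies a per-client MAC filter in the shape of the `[^\d.]` pattern Andrew posted earlier in the thread. The function names are assumptions made for this example, and it assumes Python's `re` engine treats these character classes the same way the PAN regex engine does.

```python
import re
import warnings

# Sample line modelled on the vSCG excerpt posted in the thread; the MAC and
# BSSID placeholders ("someMac", "some BSSID") are replaced by CONSTRUCTED values.
SAMPLE_LINE = (
    "2019-09-18 21:32:10 Local0.Info 10.250.10.230 Sep 19 04:32:10 RuckusController1 "
    "Core: User[bob] disconnects from WLAN[STAFF] at AP[WAP1] with session data("
    "Client Mac[02:00:5e:00:53:01],Client IP[10.250.24.11],OS Type[iOS],"
    "Host Name[pickles],BSSID[02:00:5e:00:53:ff],User Name[bob],VLAN[24],"
    "Encryption[WPA2-AES],Association Time[01 01 00:00:00 1970],"
    "Disconnect Reason[client Disconnect],Session Duration[75s],Bytes to User[6679],"
    "Bytes from User [21624],RSSI[35],SNR[-70],Client Radio[a/n/ac],AP Location[],AP GPS[])"
)

# The Username and Address patterns exactly as posted in the thread. Python warns
# that "[[" looks like a nested set; the warning is silenced so the patterns stay
# verbatim.
with warnings.catch_warnings():
    warnings.simplefilter("ignore", FutureWarning)
    POSTED_USER_RE = re.compile(r"User\ Name([[a-zA-Z0-9\\\._]+])")
    POSTED_ADDR_RE = re.compile(
        r"Client\ IP([[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])"
    )

# Patterns that anchor on the literal brackets and capture only the value inside.
EVENT_RE = re.compile(r"User\[(?P<user>[^\]]*)\] (?P<event>[a-z]+) from WLAN\[")
USER_RE = re.compile(r"User Name\[(?P<user>[A-Za-z0-9\\._-]+)\]")
ADDR_RE = re.compile(r"Client IP\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]")
MAC_RE = re.compile(r"Client Mac\[(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]", re.IGNORECASE)


def posted_regex_captures(line):
    """Return (username, address) exactly as group 1 of the posted patterns yields them."""
    user = POSTED_USER_RE.search(line)
    addr = POSTED_ADDR_RE.search(line)
    return (user.group(1) if user else None, addr.group(1) if addr else None)


def _valid_ipv4(text):
    # The {1,3} quantifier admits octets such as 999; reject anything outside 0-255.
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def parse_session_event(line):
    """Extract the fields a user-to-IP mapping needs from a Core session line.

    Returns None when the line is not a session event or the address is malformed.
    """
    event = EVENT_RE.search(line)
    user = USER_RE.search(line)
    addr = ADDR_RE.search(line)
    mac = MAC_RE.search(line)
    if not (event and user and addr) or not _valid_ipv4(addr.group("ip")):
        return None
    return {
        "event": event.group("event"),
        "user": user.group("user"),
        "ip": addr.group("ip"),
        "mac": mac.group("mac").lower() if mac else None,
    }


def mac_filter(mac):
    """Compile a per-client filter in the shape posted in the thread: a character
    that is neither a digit nor a dot, followed by the MAC address."""
    return re.compile(r"[^\d.]" + re.escape(mac), re.IGNORECASE)


def lines_for_mac(lines, mac):
    """Keep only the syslog lines that mention the given client MAC."""
    pattern = mac_filter(mac)
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    print("posted patterns capture:", posted_regex_captures(SAMPLE_LINE))
    print("parsed event:", parse_session_event(SAMPLE_LINE))
    print("lines for MAC:", len(lines_for_mac([SAMPLE_LINE], "02:00:5e:00:53:01")))
```

On regex101 the highlighted overall match looks right for both posted patterns, which is why the extra brackets in group 1 are easy to miss; checking the group contents rather than the full match is what exposes the difference. The bracket-anchored patterns also validate each octet, since `[0-9]{1,3}` alone will happily accept an address like 300.1.1.1.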
Andrew Giancola

  • 99 Posts
  • 27 Reply Likes
Ahh, so you're not getting the Drop codes. 75 seconds from "I'm on the wifi!" to "I'm leaving the wifi" is suspect. Anything fresh from the AP logs directly? Have you grabbed Wireshark pcaps from the AP? I know your issue is with syslogs and their lack of verbosity, but I feel like there are some ways around this. Pcap is a great way to find this. Post your pcap (filtering for your MAC address of course!) and I'm SURE one of us can figure out the connection issue!
Also, PAN settings? Are you logging to Panorama?
Andrew Giancola

  • 99 Posts
  • 27 Reply Likes
Also, if you happen to be using an OSX box, the program named CONSOLE can be your friend, as you don't need regex to find/filter through AP logs.
Thomas Kranzler

  • 2 Posts
  • 0 Reply Likes
Would you mind sharing your regex expressions? I can't seem to get mine to map correctly.