can we do something about the Zonedirector 12xx "remote syslog"

itdept_head_me — Thu, 09 Jul 2020 08:33:35 GMT

Has anyone actually tried intergrating ruckus with something like "WAZUH"
There are two ways to normally intergrate products:
1. An agent... not possible
2. Via the syslog.

Sadly the syslog output from the ZD & wifi points is a complete mess

here is an example of what the remote "wazuh" server recieves...

Jul 9 16:22:23 ZD-APMgr: IPC_thread rcv ping from TACMON
Jul 9 16:22:35 stamgr: tac_del_arp:dev=br0 SIOCDARP failed, errno=6
Jul 9 16:22:35 syslog: eventd_to_syslog():AP[AP11@f0:b0:52:15:d8:f0] radio [11a/n/ac] detects User[yuanhui.zhang@d8:a3:15:ff:5c:83] in WLAN[some Office User] roams out to AP[AP10@f0:b0:52:15:7b:90]
Jul 9 16:22:35 syslog: eventd_to_syslog():AP[AP10@f0:b0:52:15:7b:90] radio [11g/n] detects User[yuanhui.zhang@d8:a3:15:ff:5c:83] in WLAN[some Office User] roams from AP[AP11@f0:b0:52:15:d8:f0]

Jul 9 07:37:48 APMgr@AP08: lwapp_update_role_based_access_pcy_me: attached role based policy_id :0, policy6_id :0 to station me_type=201 84:a1:34:4c:f3:e7

Basically this is complete garbage to parse, if you have multiple systems sending logs...
how to even begin to parse: 16:22:35 stamgr or 16:22:35 syslog: over multiple systems all sending UDP packets...

why can it not be better organised:

EG:

ZD-APMgr: line no {date & time something industry standard},"some standard message format"
then do the same for the AP's

so separated lines can be linked together, when you have multiple feeds & multiple ZD's into the same log server, and the "line no" tells you if the UDP has lost something...

That way the absolute start of the line can be "regex" to a trigger to save processing masses of log data

yep... it's the ZD.. we want it.... good luck with "16:22:35 stamgr or 16:22:35 syslog"

topic can we do something about the Zonedirector 12xx "remote syslog" in ZoneDirector

can we do something about the Zonedirector 12xx "remote syslog"