Ive was looking forward to sending useful syslog messages from our ZD which manages ~280 APs at 4x different buildings into our new Splunk setup. However i think im missing something and was hoping for some help or others experiences:
1- The syslogs from the Managed APs do not contain the APs "device-name" (ie get device-name) , i do see the APs private IP address (as splunk is adding the host to each message). However, How am i supposed to know which AP/building/area a message is related to. (or for search / history purposes). Every syslog source i use either includes the devices' name or allows the user to set the name to be included.
2- on the ZD if i set the Remote Syslog -> "Managed Ap Settings" to Priority Level="Err" (error) , i do get useful messages, however 99% of the messages are "lwapp_send_pkt(6423), sends packet out with length: 1321" at a rate of about 200 of those per minute.
now if set "Managed Ap Settings" -> to Priority Level=Critical , i get 0 messages from the APs (even after 2 days of running at the Critical setting).
I know users are using remote syslog with their ZD setup, so can anyone provide their experiences or info maybe?
I really hope this post can get a reply (or even someone confirming this is the way it is), i have yet to get any replies to nearly 20 posts across 5 months here on the forums.
(im also about to start adding some new APs to our vSZ so will report on how syslog works on that newer platform)
( for those that see this in the future- a rough workaround would be to have Splunk drop any input with "lwapp_send_pkt" or i have even tested using a mikrotik with /firewall filter content="lwapp_send_pkt" to filter out the syslog msgs as they are ofcourse not encrypted, but there has be a better way for those who use syslog with ZD / Ruckus.)