ZD syslog / AP syslog - how useful?

stephen_hall_60
Contributor
I was looking forward to sending useful syslog messages from our ZD, which manages ~280 APs at 4 different buildings, into our new Splunk setup. However, I think I'm missing something and was hoping for some help or others' experiences:

1- The syslogs from the managed APs do not contain the AP's "device-name" (i.e. get device-name). I do see the AP's private IP address (as Splunk is adding the host to each message). However, how am I supposed to know which AP/building/area a message is related to (or for search/history purposes)? Every syslog source I use either includes the device's name or allows the user to set the name to be included.

2- On the ZD, if I set Remote Syslog -> "Managed AP Settings" to Priority Level="Err" (error), I do get useful messages; however, 99% of the messages are "lwapp_send_pkt(6423), sends packet out with length: 1321", at a rate of about 200 of those per minute.

Now if I set "Managed AP Settings" -> Priority Level=Critical, I get 0 messages from the APs (even after 2 days of running at the Critical setting).

I know users are using remote syslog with their ZD setup, so can anyone provide their experiences or info, maybe?

I really hope this post can get a reply (or even someone confirming this is the way it is); I have yet to get any replies to nearly 20 posts across 5 months here on the forums.

Thanks!

(I'm also about to start adding some new APs to our vSZ, so I will report on how syslog works on that newer platform.)

(For those that see this in the future: a rough workaround would be to have Splunk drop any input with "lwapp_send_pkt", or I have even tested using a MikroTik with /firewall filter content="lwapp_send_pkt" to filter out the syslog msgs, as they are of course not encrypted, but there has to be a better way for those who use syslog with ZD / Ruckus.)
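As an added example (not from the original post or from Ruckus), here is a small pre-filter that does the two things the post asks for: drop the lwapp_send_pkt noise before it reaches the indexer, and tag the remaining AP messages with a device name and building looked up from the source IP, since Splunk only supplies the host. The IP-to-AP map, the sample events and the message texts are constructed for the example; the only real format assumption is the standard syslog `<PRI>` prefix.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed lookup: AP source IP -> (device-name, building). In practice you
# would export this from the ZD AP list; the names here are placeholders.
AP_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "10.10.1.21": ("AP-LIB-2F-EAST", "Library"),
    "10.10.2.7": ("AP-SCI-1F-LOBBY", "Science"),
}

# Substrings that mark messages with no operational value. Per the post,
# lwapp_send_pkt lines are ~99% of AP output at priority "err".
NOISE_PATTERNS = [re.compile(r"lwapp_send_pkt\(\d+\)")]

# Standard syslog PRI prefix: "<N>" where N = facility * 8 + severity.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$")


def is_noise(msg: str) -> bool:
    return any(p.search(msg) for p in NOISE_PATTERNS)


def tag_event(src_ip: str, raw: str) -> Optional[dict]:
    """Return an enriched record, or None if the event should be dropped."""
    m = PRI_RE.match(raw)
    if not m:
        return None  # no PRI header: not a syslog line we can classify
    msg = m["msg"].strip()
    if is_noise(msg):
        return None
    pri = int(m["pri"])
    name, building = AP_DIRECTORY.get(src_ip, ("UNKNOWN-AP", "UNKNOWN"))
    return {
        "severity": pri & 7,   # severity = PRI mod 8 (3 = err, 2 = crit)
        "facility": pri >> 3,  # facility = PRI div 8
        "ap_ip": src_ip,
        "ap_name": name,
        "building": building,
        "msg": msg,
    }


def process(events: List[Tuple[str, str]]) -> Tuple[List[dict], int]:
    """Filter and tag (src_ip, raw_line) pairs; return (kept, dropped_count)."""
    kept: List[dict] = []
    dropped = 0
    for src_ip, raw in events:
        rec = tag_event(src_ip, raw)
        if rec is None:
            dropped += 1
        else:
            kept.append(rec)
    return kept, dropped


# Constructed sample: two noise lines, one err-level event from a known AP,
# and one crit-level event from an AP missing from the directory.
SAMPLE_EVENTS = [
    ("10.10.1.21", "<27>lwapp_send_pkt(6423), sends packet out with length: 1321"),
    ("10.10.1.21", "<27>lwapp_send_pkt(6423), sends packet out with length: 1321"),
    ("10.10.2.7", "<27>wlan0: station deauthenticated, reason 2"),
    ("10.10.9.9", "<26>ap rebooted"),
]
```

Splunk can perform the drop natively with a props.conf/transforms.conf rule that routes events matching the pattern to nullQueue; the filter here mainly shows the enrichment step that a forwarder or relay would have to add before indexing.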