
vSZ syslogs missing client IP address

nickzourdos
Contributor
We are running into an issue on our vSZ (v5.1.0.0.496) with the clientAuthorization and clientJoin syslogs. Neither of these syslogs contains the clientIP field, which is a problem for customers with security appliances that depend on these syslogs to tie usernames to wireless clients. Strangely, the clientDisconnect syslog does include the clientIP field.

Is there a way to enable this feature? ZoneDirector syslogs include a field for "sta_ip", which is what we've been using in the past (see THIS thread for context on ZD syslogs in this scenario). The vSZ syslogs are in a completely different format, which is fine, but they are missing this critical information. Here is my vSZ configuration for reference:


pasquale_monard
New Contributor III
Hi Nick,

The alarms and events guide posted on the support site for SmartZone mentions the following for ClientAuth and ClientJoin -> "clientIP". So it should be there.

Severity must be informational but I believe yours is set to emergency.

We are receiving the clientJoin syslogs with the current configuration, aren't those sent as part of the "Event Facility" and "Event Filter" settings? I intentionally set the "Application", "Administrator", and "Other" settings to the highest level in order to avoid overrunning our syslog server. Does one of these need to be set to Info in order for the clientIP field to appear? 

nickzourdos
Contributor
Word of warning to anyone else who is looking for this feature: It is not supported in SmartZone (as of v5.1.0) if you are using 802.1x authentication. Client IP addresses are only included in the clientJoin and clientAuthorization syslogs if you use Open or Web Portal authentication. If you are currently relying on these logs from your ZoneDirector to be exported to your Palo/Meraki/etc. appliances, you will be disappointed if you move to SmartZone. There is an open feature request for this issue (FR-3031). This will NEED to be addressed before the ZoneDirector platform is retired. 

The underlying problem is that SmartZone sends the clientJoin (after the client is associated) and clientAuthorized (after the client is authenticated) syslogs, but does not send any syslogs after the client receives an IP address and "officially joins" the controller. Since there is no IP for a client during the association/authorization process, it makes sense that these syslogs are missing that information. The difference with ZoneDirector is that it doesn't send these detailed syslogs, but instead sends a single "Operational Add" log that summarizes when a client is added to the controller's client database, which happens after the client obtains an IP. This seems like a large feature gap that needs to be addressed.

The SmartZone Alarm and Event Reference Guide is misleading at best, since it indicates that the clientIP attribute should be included in the clientJoin and clientAuthorization syslogs (pages 225 and 227). It does not specify that this is only achievable using Open/Web Portal authentication.

stephen_hall_60
Contributor
Thanks for this info Nick, that is good to know/be aware of beforehand. And I agree this is almost a requirement to be added.

I think a lot more work needs to be done to vSZ syslog data/output (and standalone syslogs for that matter). Most in the know use remote syslogs, so the data needs to be detailed and complete (and often can be behind a NAT / masq rule, so don't count on src IP IDing the source). This, and/or ruk needs to allow the customer more syslog options or flexibility. As an extreme/awesome case, on our Axis IP cameras, Axis allows advanced customers direct access to the rsyslog.conf file, so the sky is the limit! They of course don't suggest you edit this, and if you do, they will not support anything related to syslog after edits. But the option is there.
tks