This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

vSZ syslogs missing client IP address

nickzourdos
Contributor

‎04-01-2019 08:00 AM

We are running into an issue on our vSZ (v5.1.0.0.496) with the clientAuthorization and clientJoin syslogs. Neither of these syslogs contain the clientIP field, which is a problem for customers with security appliances that depend on these syslogs to tie usernames to wireless clients. Strangely, the clientDisconnect syslog does include the clientIP field. 

Is there a way to enable this feature? ZoneDirector syslogs include a field for "sta_ip", which is what we've been using in the past (see THIS thread for context on ZD syslogs in this scenario). The vSZ syslogs are in a completely different format, which is fine, but they are missing this critical information. Here is my vSZ configuration for reference:

Image_ images_messages_5f91c401135b77e247914f4e_f2c093193ba3fb105226208ee548156e_RackMultipart20190401677842k3u-70e1ba96-c840-43d2-ab40-3031e444beb1-709758273.png1554130312
16 REPLIES 16

thomas_kranzler
New Contributor
In response to jeff_baublitz_7

‎09-18-2019 09:10 PM

Would you mind sharing your regex expressions? i can't seem to get mine to map correctly.
0 Kudos

andrew_giancol1
Contributor III
In response to jeff_baublitz_7

‎09-18-2019 09:43 PM

/[^\d.]60:f8:1d:c2:53:6e/
This is the mac address of my mac book pro. Hope the syntax helps you!
0 Kudos

thomas_kranzler
New Contributor
In response to jeff_baublitz_7

‎09-18-2019 09:50 PM

A little.

here's an exert from the vscg syslogs:


2019-09-18 21:32:10 Local0.Info 10.250.10.230 Sep 19 04:32:10 RuckusController1 Core: User[bob] disconnects from WLAN[STAFF] at AP[WAP1] with session data(Client Mac[someMac],Client IP[10.250.24.11],OS Type[iOS],Host Name[pickles],BSSID[some BSSID],User Name[bob],VLAN[24],Encryption[WPA2-AES],Association Time[01 01 00:00:00 1970],Disconnect Reason[client Disconnect],Session Duration[75s],Bytes to User[6679],Bytes from User [21624],RSSI[35],SNR[-70],Client Radio[a/n/ac],AP Location[],AP GPS[])

Here are the PAN settings I'm using:

Event Regex             disconnects

Username Regex     User\ Name([[a-zA-Z0-9\\\._]+])

Address Regex         Client\ IP([[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])




looks good in https://regex101.com/ , but the PAN doesn't seem to parse the logs
0 Kudos

andrew_giancol1
Contributor III
In response to jeff_baublitz_7

‎09-18-2019 11:45 PM

Ahh. so you're not getting the Drop codes 75 seconds from "I'm on the wifi! to "I'm leaving the wifi" is suspect. . Anything fresh from the AP logs directly? Have you grabbed Wireshark Pcaps from the ap? I know your issue is with Syslogs and their lack of verbosity, but I feel like there are some ways around this. Pcap is a great way to find this. Post your Pcap, (Filtering for your mac address of course!) and I'm SURE one of us can figure out the connection issue!
Also, PAN settings? Are you logging to Panorama?
0 Kudos

andrew_giancol1
Contributor III
In response to jeff_baublitz_7

‎09-18-2019 11:46 PM

Also, if you happen to be using a OSX box, the program named CONSOLE can be your friend. as you don't need REGEX to find / filter through AP logs.
0 Kudos
Copyright © 2024 Khoros, LLC