Wireless LAN Controller (WLC)
Cisco WLC is a family of devices that manage wireless network access points to allow wireless devices to connect to the network.
App Function
This app has two functions. First, it identifies log messages with Cisco mnemonic `APF-3-AUTHENTICATION_TRAP` and parses certain data fields from those messages, which are used to set user tags. Second, the app removes superfluous "It occurred N times" text from the log message in order to facilitate event deduplication.
Vendor Documentation
- Cisco Wireless LAN Controllers
- What is a WLAN Controller?
- System and Message Logging
- Syslog Server Configuration on Wireless LAN Controllers
Incoming Log Format
Cisco WLC logs are syslog logs in the standard Cisco IOS log format (see the Cisco appstore app documentation for more). These logs are first processed by the Cisco IOS app, which normalizes them by removing the date-timestamp and mnemonic, and then arrive at this Cisco WLC app. The remaining text is a short message explaining the logged event, along with associated data elements. This text does not follow a common pattern from one event type to the next, and the data is not delimited in any way. Consequently, parsing the associated data requires an understanding of the message template for each Cisco event type (mnemonic).
Parsed Metadata Fields
As mentioned, this app only parses data fields for a single message type: messages with mnemonic `APF-3-AUTHENTICATION_TRAP`. From the data contained within those messages the following user tags are generated:
| User Tag Name | Example | High Cardinality? |
|---|---|---|
| Client MAC | 11:22:33:44:cc:dd | ☑ |
| Client AP MAC | 11:22:33:44:aa:bb | ☑ |
| Client Username | xxx\prov-abcd$ | ☑ |
| Client IP | 11.22.33.44 | ☑ |
| Client SSID | XYZ-Secure | ☑ |
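The two functions described above, as an added example that is not the app's own code: it extracts the five user tags from a `Client Authenticated` message and strips the repeat counter before deduplication. The function names, the mnemonic arriving as a separate argument, and the exact shape of the repeat suffix are assumptions drawn from the log examples on this page.

```python
import ipaddress
import re

# Labels follow the "Client Authenticated" log example on this page. Fields are
# not delimited, so each value is bounded by the label that follows it.
AUTH_RE = re.compile(
    r"Client Authenticated:\s*MACAddress:(?P<mac>\S+)\s+"
    r"Base Radio MAC:(?P<ap>\S+)\s+Slot:\d+\s+"
    r"User Name:(?P<user>.*?)\s+Ip Address:(?P<ip>\S+)\s+SSID:(?P<ssid>.*)$"
)
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Assumption: the repeat counter always has the shape shown in the page's
# "Message Queueing Failed" example.
REPEAT_RE = re.compile(r"\s*\[\.\.\.It occurred \d+ times\.!\]\s*$")

# Constructed inputs: the page's log examples joined onto one line each.
SAMPLE_AUTH = (
    "apf_80211.c:21442 Client Authenticated: MACAddress:11:22:33:44:cc:dd "
    "Base Radio MAC:11:22:33:44:aa:bb Slot:1 "
    r"User Name:xxx\\prov-abcd$ Ip Address:1.2.3.4 SSID:MSU-Secure"
)
SAMPLE_QUEUE = (
    "osapi_msgq.c:940 Failed to send a message to the message queue object: "
    "RogueApInfoChangedDB. enqueue failed.[...It occurred 9 times.!]"
)


def strip_repeat_count(message):
    """Drop the trailing repeat counter so repeated events compare equal."""
    return REPEAT_RE.sub("", message)


def parse_auth_trap(mnemonic, message):
    """Return the five user tags, or None when the message does not qualify."""
    if mnemonic != "APF-3-AUTHENTICATION_TRAP":
        return None
    m = AUTH_RE.search(" ".join(strip_repeat_count(message).split()))
    if not m or not MAC_RE.fullmatch(m["mac"]) or not MAC_RE.fullmatch(m["ap"]):
        return None  # malformed MACs are rejected rather than tagged
    try:
        client_ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None  # not a valid IPv4/IPv6 address
    return {
        "Client MAC": m["mac"].lower(),
        "Client AP MAC": m["ap"].lower(),
        "Client Username": m["user"],
        "Client IP": client_ip,
        "Client SSID": m["ssid"],
    }
```

`Client Username` and `Client SSID` are passed through as free text, so anything consuming these tags should treat them as untrusted strings.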
Log Examples
Client Authenticated
apf_80211.c:21442 Client Authenticated:
MACAddress:11:22:33:44:cc:dd Base Radio MAC:11:22:33:44:aa:bb Slot:1
User Name:xxx\\prov-abcd$ Ip Address:1.2.3.4 SSID:MSU-Secure
Message Queueing Failed
osapi_msgq.c:940 Failed to send a message to the message queue
object: RogueApInfoChangedDB. enqueue failed.[...It occurred 9 times.!]
Source MAC Address Not Found