Aerohives with remote syslog, swatch log monitoring software - what strings should I watch for?

We use swatch rather extensively to monitor various logs for specific strings or regular expressions that indicate a problem, and perform an action such as emailing, paging, restarting a service, etc. based on the string. 

For example, if any of our routers have failed login attempts, swatch notices because of the word FAILED in the log file, and emails me the relevant log line.

I have the aerohives logging at Notification level to our syslog server.

What would be a good set of phrases/strings to watch for from the Aerohives? I want to be notified of potential security breaches, potential hardware failure, whatever seems important.

I know the Aerohives do have an email notification system, but I wasn't happy trying to dial it in. This would work much better in our environment.

Thanks for any suggestions!

Daniel Jacobs


Posted 4 years ago


J. Goodnough, Champ

If you use RADIUS, tracking the phrases "The RADIUS server accepted" and "The RADIUS server rejected" can be useful. One thing that I've found to be a hassle when processing Aerohive syslogs is their inconsistency. Often multiple daemons will report the same information. In addition, some daemons report MACs in xxxx:xxxx:xxxx format, and others use xx:xx:xx:xx:xx:xx. Some daemons report themselves as (e.g.) radiusd[1630] and others just ah_top. There's a ton of good syslog data, but it can be somewhat difficult to parse.

edit - most data is logged at either info or warn, I believe. I collect at info+ and drop the amrp proxy messages before writing logs.
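One way to handle the inconsistencies this answer describes (two MAC formats, daemons tagged with or without a pid, amrp noise) before matches reach swatch or any other alerting step, as an added Python example that is not from this thread. The log lines are constructed to mirror the answer's description and are not real Aerohive captures; the daemon name ah_amrp and the message wording beyond the two RADIUS phrases are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real Aerohive output); they reuse the two RADIUS
# phrases from the answer and show the same MAC in both formats from two daemons.
SAMPLE_LOG = """\
Mar  3 10:01:02 ap-lobby radiusd[1630]: The RADIUS server accepted user alice from 0012:3456:789a
Mar  3 10:01:05 ap-lobby ah_top: The RADIUS server rejected user mallory from 00:12:34:56:78:9b
Mar  3 10:01:07 ap-lobby ah_amrp: proxy update from neighbor 00:aa:bb:cc:dd:ee
Mar  3 10:01:09 ap-lobby ah_top: The RADIUS server rejected user mallory from 0012:3456:789b
"""

# Matches either xxxx:xxxx:xxxx or xx:xx:xx:xx:xx:xx (timestamps like 10:01:02 do not match).
MAC_RE = re.compile(r'\b([0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b', re.I)
# "<Mon> <day> <time> <host> <daemon>[pid]: <msg>" where the [pid] part is optional.
LINE_RE = re.compile(r'^\S+\s+\d+\s+\S+\s+(\S+)\s+([A-Za-z_]+)(?:\[\d+\])?:\s+(.*)$')

def normalize_mac(mac):
    """Return the MAC as xx:xx:xx:xx:xx:xx lowercase, whichever Aerohive form was logged."""
    hexdigits = mac.replace(':', '').lower()
    return ':'.join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_line(line):
    """Split a syslog line into host, daemon (pid stripped) and message, with MACs normalized."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, daemon, msg = m.groups()
    return {'host': host, 'daemon': daemon, 'msg': msg,
            'macs': [normalize_mac(x) for x in MAC_RE.findall(msg)]}

def classify(rec):
    """Tag a parsed record; amrp proxy chatter is dropped, as the answer does before writing logs."""
    if rec['daemon'].startswith('ah_amrp'):
        return 'drop'
    if 'The RADIUS server accepted' in rec['msg']:
        return 'radius_accept'
    if 'The RADIUS server rejected' in rec['msg']:
        return 'radius_reject'
    return 'other'

def rejects_per_mac(log_text):
    """Count RADIUS rejects per client MAC; both MAC formats collapse into one key."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == 'radius_reject':
            for mac in rec['macs']:
                counts[mac] += 1
    return counts
```

Without the normalization the two rejects in the sample would be counted under two different keys, so a per-client threshold would never fire.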