Cloud-based syslog server

  • Question
  • Updated 4 years ago
  • Answered
Just wanted to find out if anyone has ever set up their AP to send logs to a cloud-based syslog service provider. I have a client who has APs on totally unconnected networks but was hoping to have centralised logging.

I came across this site (papertrailapp.com) and was interested in the idea of sending the logs to a cloud syslog server. However, when I tried to send the logs over, there were no logs sent at all.

Can anyone recommend a cloud-based syslog service that might work with Aerohive APs?

Johnny Loh


Posted 5 years ago


Nick Lowe, Official Rep

Have you considered that syslog is totally unencrypted and has no reliability guarantees, so it is usually considered unsuited to going across the general Internet? It is normally intended as a local debugging tool only.

Andrew MacTaggart, Champ

Agree with Nick.

"Syslog has been traditionally sent to port 514 using UDP.

UDP is a connectionless protocol, hence unreliability is inherent. There is no acknowledgement, error detection, sequencing or retransmission of missed packets when sending syslog messages over the UDP protocol."

Although there are some versions that can use TCP, the issue is that it is in the clear, so some sort of VPN would be required.
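The two points above (UDP syslog is fire-and-forget and in the clear; TCP variants exist) at the byte level, as an added example that is not code from this thread or from Aerohive. Hostnames, tags and message text are constructed for illustration.

```python
"""Syslog on the wire: UDP datagrams vs. octet-counted TCP/TLS frames.

Added example, not code from the original thread or from Aerohive.
Hostnames, tags and message text are constructed for illustration.
"""
import time
from typing import Optional

FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local6": 22}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_rfc3164(facility: str, severity: str, host: str, tag: str,
                  msg: str, ts: Optional[float] = None) -> bytes:
    """Build one RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG.

    PRI = facility * 8 + severity, so Local6/warning is 22*8+4 = 180.
    Nothing in the line is signed or encrypted: anyone who can see the
    bytes can read them, and anyone who can inject bytes can forge them.
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    t = time.gmtime(ts if ts is not None else time.time())
    # "Mmm dd hh:mm:ss" with a space-padded day of month. UTC is used here
    # so the output is reproducible; RFC 3164 expects local time.
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode("utf-8")


def frame_octet_counting(msg: bytes) -> bytes:
    """RFC 6587 octet-counting framing for a TCP stream: "<len> <msg>".

    On UDP/514 each message is its own datagram and needs no framing,
    but the sender also gets no acknowledgement, so a lost datagram is
    just a missing log line. TCP gives delivery guarantees but carries a
    byte stream, so message boundaries must be re-created with a length
    prefix. RFC 5425 (syslog over TLS) uses this same framing inside the
    TLS session.
    """
    return f"{len(msg)} ".encode("ascii") + msg


def unframe_stream(buf: bytes):
    """Pull complete messages out of a TCP stream buffer.

    Returns (messages, leftover). A receiver must keep a partial frame
    until more bytes arrive; a UDP receiver never faces this.
    """
    out = []
    while True:
        sp = buf.find(b" ")
        if sp == -1:
            return out, buf                      # no complete length prefix yet
        if sp == 0 or not buf[:sp].isdigit():
            raise ValueError("octet-counting stream out of sync")
        n = int(buf[:sp])
        start = sp + 1
        if len(buf) < start + n:
            return out, buf                      # message body not fully received
        out.append(buf[start:start + n])
        buf = buf[start + n:]


if __name__ == "__main__":
    lines = [
        build_rfc3164("local6", "warning", "ap-lobby", "ah_auth",
                      "station 00:11:22:33:44:55 deauthenticated", ts=0),
        build_rfc3164("local6", "info", "ap-lobby", "ah_wifi",
                      "station 00:11:22:33:44:55 associated", ts=5),
    ]
    stream = b"".join(frame_octet_counting(m) for m in lines)
    got, rest = unframe_stream(stream[:-3])      # simulate a short read
    print(got)
    print("leftover:", rest)
```

Sending over TLS (RFC 5425, conventionally port 6514) wraps exactly these octet-counted frames in a TLS session with certificate verification on both ends, which is the alternative to a VPN when the AP firmware supports it. Plain TCP on port 514 only adds delivery guarantees; it does nothing for confidentiality or sender authentication.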

Johnny Loh

Hi all,

Thank you for your feedback; the security part (or rather, the lack of security) was already taken into consideration. As this is a public Wi-Fi deployment, the end user's main concern was just allowing connectivity and knowing what's going on within the traffic.

The main issue here is that the APs under a single Hive are connected to the net via different providers. At the same time, they are on totally unconnected networks.

They needed a solution to centrally collect the logs generated by these APs, which brings me to a cloud-based syslog service.

I was playing with papertrail; they assigned me a customised port of 11572 rather than 514. At this moment they are plagued with performance issues (which is not surprising).

Andrew MacTaggart, Champ

Hi Johnny Loh

Does not seem like there is a lot out there for this sort of setup.

The Hive does collect logs, but I am not sure of the limitations. You might want to contact Aerohive Sales to see if they can provide you with some options for collecting logs.

Maybe an onsite Hive at one location, and having all the remote APs phone home.

This section only appears in the HiveManager home system.

With this option, you can enable HiveManager to act as a log server for managed devices. To view the logs stored on HiveManager, you must either download the Tech Support data or perform a full backup. Then expand the ah_logs.tar.gz file and open it with a text editor.

To set up HiveManager as a syslog server:

Enter the following, and then click the Update button at the top of the page:

Update Log Server Settings: (select)

Enable HiveManager as a log server: (select)

Select Allow special remote syslog entry to restrict the source of syslog entries to specific subnets. Then, click Add, enter the IP address and netmask to define a subnet, and click Apply. Repeat this to add more subnets that you want to permit.

To allow syslog entries from any IP address, select Allow any remote syslog entry.

Click Configuration > Advanced Configuration > Management Services > Syslog Assignments > New, enter the following, and then click Save:

Name: Enter a name for the syslog assignment, such as "HiveManager-Syslog". The name can be up to 32 characters long and cannot contain spaces.

Facility: Choose any facility. The default is Local6.

Description: Enter a useful description for the syslog server.

Enter the following and then click Apply:

Syslog Server: HiveManager-IP-Address

Severity: Choose the severity level of the messages that you want to store in syslog. The level you select will save messages for that level and all levels above it.

Description: Enter a useful comment about the configuration. It can be up to 64 characters, including spaces.

Click Configuration > WLAN Policies > policy_name: In the Syslog Server drop-down list on the Optional page, choose the syslog assignment name you defined previously, such as "HiveManager-Syslog".
Push the configuration to the managed devices.

To view syslog entries:

Click Home > Administration > HiveManager Operations > Tech Support Data > Save.
Expand the ah_logs.tar.gz file.
Use a spreadsheet application such as Microsoft Excel to open the "hiveos.log" file in the "remote" directory.

You can also see the saved syslog data when you do a full backup of the database and expand the ah_logs.tar.gz file inside the ah_backup_.tar.gz file.
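The receiver-side policy that the procedure above configures (restrict senders to listed subnets; keep a chosen severity "and all levels above it"; the Local6 facility default), as an added example that is not HiveManager code and not from this thread. Sender addresses, hostnames and log lines are constructed samples on documentation address ranges.

```python
"""Receiver-side policy for an AP syslog collector: source allowlist plus
facility and severity threshold.

Added example, not code from the original thread or from HiveManager.
Sender addresses, hostnames and log lines are constructed samples.
"""
import ipaddress
import re
from typing import Optional, Tuple

PRI_RE = re.compile(rb"^<(\d{1,3})>")
LOCAL6 = 22
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(line: bytes) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from the <PRI> prefix, or None.

    PRI = facility*8 + severity and is at most 23*8+7 = 191.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return divmod(pri, 8)


class Collector:
    def __init__(self, allowed_subnets, facility=LOCAL6, threshold="warning"):
        # "Severity X and all levels above it" in the GUI means numerically
        # <= the threshold, because 0 is emerg and 7 is debug.
        self.nets = [ipaddress.ip_network(n, strict=False) for n in allowed_subnets]
        self.facility = facility
        self.max_sev = SEVERITY.index(threshold)
        self.kept = []
        self.dropped = []

    def source_allowed(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.nets)

    def ingest(self, addr: str, line: bytes) -> str:
        """Apply the policy to one received line and return the decision."""
        if not self.source_allowed(addr):
            decision = "drop:source"
        else:
            parsed = parse_pri(line)
            if parsed is None:
                decision = "drop:malformed"
            else:
                fac, sev = parsed
                if fac != self.facility:
                    decision = "drop:facility"
                elif sev > self.max_sev:
                    decision = "drop:severity"
                else:
                    decision = "keep"
        (self.kept if decision == "keep" else self.dropped).append((addr, decision, line))
        return decision


# Constructed sample traffic: two branch sites on documentation ranges,
# one stray sender, one non-Local6 line, one malformed line.
SAMPLE = [
    ("203.0.113.10", b"<180>Jun  3 10:00:01 ap-lobby ah_auth: station 00:11:22:33:44:55 deauthenticated"),
    ("203.0.113.10", b"<183>Jun  3 10:00:02 ap-lobby ah_wifi: beacon interval 100"),
    ("198.51.100.7", b"<178>Jun  3 10:00:03 ap-cafe ah_system: radio wifi1 reset"),
    ("192.0.2.44", b"<180>Jun  3 10:00:04 ap-unknown ah_auth: station aa:bb:cc:dd:ee:ff deauthenticated"),
    ("203.0.113.10", b"<38>Jun  3 10:00:05 ap-lobby sshd: accepted publickey for admin"),
    ("203.0.113.10", b"not a syslog line"),
]


def run_sample():
    """Run the sample through a collector trusting two site WAN ranges."""
    c = Collector(["203.0.113.0/24", "198.51.100.7/32"], threshold="warning")
    decisions = [c.ingest(addr, line) for addr, line in SAMPLE]
    return c, decisions


if __name__ == "__main__":
    c, decisions = run_sample()
    for (addr, line), d in zip(SAMPLE, decisions):
        print(f"{d:15} {addr:14} {line[:40].decode(errors='replace')}")
```

The subnet allowlist only filters noise when the transport is UDP, because a UDP source address is trivially spoofed; only a transport that authenticates the peer (TLS with client certificates, or a VPN) tells you who actually sent a line.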

Johnny Loh

Hi Andrew,

Many thanks for your great help. Unfortunately, for this end user, they were using the HMOL rather than a "LAN" Hive.

I was playing a bit with the event settings of the HMOL and realised it has a setting to keep logs for up to 60 days. That's cool.

Knowing that, I just wished that the dashboard had the ability to correlate the attack log messages and present these on the dashboard as well. That would be really awesome!

Jade Rampulla

I agree with Nick. Syslog is better as a debugging tool. I've been sending debug-level syslog messages from 40 APs to a syslog server for several months and I almost never use the logs. It's a good thing I purge logs older than 30 days because, even with filtering out some of the logs with unimportant data, there are about 2 million log messages. There would be around 3 million without the filtering. I'm sure there would be fewer if I used a lower syslog level. I found the lower levels don't have much useful info.

If you're hell-bent on syslog, fire up your own syslog server on a public IP (or an internal IP with port forwarding) and only accept syslog from the WAN IPs of your other sites. Most free syslog servers log to a flat text file, and searching isn't practical with over 10,000 entries. Cloud and enterprise logging servers will cost you a fortune in the long run. I use syslog-ng with a MySQL backend so there's indexing and much faster searching... and it's all free!

The full syslog-ng documentation is here:

http://www.balabit.com/sites/default/...

There's good info on a basic setup here:

https://wiki.archlinux.org/index.php/...

There's good info on sending syslog-ng directly to MySQL without a pipe here:

http://forums.freebsd.org/showthread....

The type of info I really want for typical troubleshooting isn't in a usable format with syslog entries. For example a user says their laptop and cell phone work great in one location but the cell phone can't get internet access in another area while the laptop can. Syslog usually isn't much help for me.

The event log has a ton of great info, but the filtering in HMOL is terrible... it refreshes too fast with events from 40 APs, I can't pause the live view, and I can't export a specific set of logs for Aerohive support or email purposes. All I can filter on is an Aerohive AP MAC address, a "component" (auth, wifi, VPN, interfaces) and a time... that's not good. I wrote a tool to access the internal PostgreSQL table (requires an onsite virtual appliance), but it's not in a good "releasable" format... working on it though. There's so much more info in the internal database that's searchable, like username, IP, client MAC address, host name, VLAN, user profile attribute, AP name, and the event message itself.

Using my tool on my previous troubleshooting issue, I can easily query the internal DB for the client username (since we use RADIUS authentication) and see that the cell phone got an IP address in one location but got a self-assigned 169.254.x.x IP address in the other location. Assuming the laptop and cell phone should be on different VLANs, my query could lead me to a solution much faster... VLAN missing from the port the AP is connected to, DHCP relay not configured in a different part of the network, etc.

Johnny Loh

Hi Jade,

Thank you for your feedback. Perhaps the clearer message here was to request that HiveManager (since it actually collects logs) have some form of SIEM capabilities for its own APs.

The most obvious being to correlate the various attack-related logs and make readable reports out of them. I am fully aware that maybe this should not be the role of HiveManager. But since it is the central management point of all the APs, it might really make a lot of sense.

Mark Frater

https://logentries.com/ has a cloud-based syslog service with an HTTPS-based API that you can use to pull information back down.