Syslog message format issue - inconsistent and bad formatting for parsing


Our firewall relies on IP= and username= messages


And the Wi-Fi monitoring that enforces compliance with MDM and other things relies on the following messages with the key data in bold.

Messages we need from APs

Mar 27 17:52:07 10.76.0.88 ah_auth: add new RT sta: MAC=28ed:6a79:1ccd, IP=10.231.5.182, hostname=KG-Iphone, username=KG on wifi0.1

Mar 28 10:12:13 10.75.0.122 ah_auth: add new RT sta: MAC=9800:c68a:558c, IP=10.201.0.50, hostname=iPhone, username=aasly on wifi0.1


Mar 28 10:09:13 10.76.0.116 ah_auth: [Auth]STA(64a5:c385:922a) login to SSID(wifi0.1) by user_name=rfarrell

Mar 28 10:09:15 10.75.0.135 ah_auth: [Auth]STA(404e:3689:4bfe) login to SSID(wifi0.1) by user_name=cww


Important note:

We currently ignore any of these that contain 0.0.0.0

So if the new system has an auth message that contains 0.0.0.0, and a separate MAC update IP=fromold (0.0.0.0) IP=to (n.n.n.n), that's ok, but we need to know and change.

Like this

Mar 27 15:43:44 10.77.0.159 ah_trapd: [aaa-6-ah_trapd-#103003]Station 60f4:450d:4d83 was authenticated on c413:e26c:4764 through SSID M-WIFI vid 32.

Mar 27 15:55:20 10.77.0.159 ah_trapd: [aaa-6-ah_trapd-#103004]The IP address of station 989e:6334:acd0 changed from 10.37.10.171 to 10.37.10.171.


#103003 does not have a userid, rendering it USELESS.

And we need to be able to distinguish between the old syslog messages and the new ones, as older APs cannot be upgraded, so we need to process both in different ways. (The change to ah_trapd: is good enough for this.)


These new messages are still really hard to parse (although if they have a unique ID and a common format for each message id, it helps; documentation would be useful).

It is much easier to parse field=value delimiter field="value" delimiter type messages (especially where the delimiter is unique, | for example).


Mar 27 15:55:20 10.77.0.159 ah_trapd: [aaa-6-ah_trapd-#103004]The IP address of station 989e:6334:acd0 changed from 10.37.10.171 to 10.37.10.171.

Could be

Mar 27 15:55:20 10.77.0.159 ah_trapd: [aaa-6-ah_trapd-#103004]The IP address of station changed, MAC=989e:6334:acd0, OLDIP=10.37.10.171, NEWIP=10.37.10.171.

or

Mar 27 15:55:20 10.77.0.159 ah_trapd: [aaa-6-ah_trapd-#103004]“The IP address of station changed”|MAC=989e:6334:acd0|OLDIP=10.37.10.171|NEWIP=10.37.10.171.


Any of these would make the syslog messages much easier to handle in any kind of SIEM / processing system.



Messages that are useful for OS detection

ah_auth with OS


Messages that are key to rogue AP / client auth / deauth detection


Mar 28 10:18:07 10.75.1.1 capwap: A rogue client 4c57:ca45:8d0f connected to rogue AP cc33:bbff:09bd is detected.

Mar 28 10:18:07 10.75.0.255 capwap: A rogue client 4c57:ca45:8d0f connected to rogue AP cc33:bbff:09bd is detected.

Mar 28 10:18:08 10.75.0.135 capwap: A rogue client c4f0:8140:217e connected to rogue AP 0011:74dd:1643 is detected.

Mar 28 10:18:25 10.75.0.222 capwap: A rogue client e404:397e:c01d connected to rogue AP 40f3:0887:52e3 is left.

Mar 28 10:18:33 10.75.0.67 capwap: A rogue client 020f:b560:f023 connected to rogue AP ec22:80a6:b6b8 is left.


Mar 28 10:20:34 10.76.0.50 ah_dcd: IDP: AP b8ee:0edd:6fee detected, Detector AP(Cotton-2nd-Dorm-AH-1a8840) 10.76.0.50, Type rogue, CH 11, RSSI -90, SSID BTHub6-QXFZ, ENC wpa, Reason ( oui )

Mar 28 10:20:34 10.77.0.51 ah_dcd: IDP: AP 00e0:4c52:57f8 detected, Detector AP(Music-AH-5d5940) 10.77.0.51, Type rogue, CH 6, RSSI -96, SSID Ellis Tech, ENC wpa, Reason ( oui )

Mar 28 10:20:34 10.75.1.1 ah_dcd: IDP: AP 7050:afd5:1d12 detected, Detector AP(Wykeham-First-AH-8835c0) 10.75.1.1, Type rogue, CH 6, RSSI -77, SSID SKYAE27F, ENC wpa, Reason ( oui )

Mar 28 10:20:35 10.76.0.105 ah_dcd: IDP: AP d04d:2c28:23d9 detected, Detector AP(Summerfield-AH-83b540) 10.76.0.105, Type rogue, CH 36, RSSI -69, SSID , ENC wpa, Reason ( oui )


Posted by Marlborough College, 4 weeks ago. There are no replies.
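A small parser for the message shapes quoted in the post, added here as an illustration and not part of the original post or of the vendor's tooling. The sample lines are constructed from the formats shown (the #103004 line is altered to carry 0.0.0.0 so the ignore rule is exercised), and the old/new split keys on the ah_auth vs ah_trapd process name, as the post suggests; the firewall check shows that neither new-format message alone yields an IP/username pair.

```python
import re

# Constructed sample lines, one per message shape quoted in the post. The
# #103004 line is altered to show the 0.0.0.0 case the post says it ignores.
SAMPLE_LINES = [
    "Mar 27 17:52:07 10.76.0.88 ah_auth: add new RT sta: MAC=28ed:6a79:1ccd, IP=10.231.5.182, hostname=KG-Iphone, username=KG on wifi0.1",
    "Mar 28 10:09:13 10.76.0.116 ah_auth: [Auth]STA(64a5:c385:922a) login to SSID(wifi0.1) by user_name=rfarrell",
    "Mar 27 15:43:44 10.77.0.159 ah_trapd: [aaa-6-ah_trapd-#103003]Station 60f4:450d:4d83 was authenticated on c413:e26c:4764 through SSID M-WIFI vid 32.",
    "Mar 27 15:55:20 10.77.0.159 ah_trapd: [aaa-6-ah_trapd-#103004]The IP address of station 989e:6334:acd0 changed from 0.0.0.0 to 10.37.10.171.",
    "Mar 28 10:18:07 10.75.1.1 capwap: A rogue client 4c57:ca45:8d0f connected to rogue AP cc33:bbff:09bd is detected.",
]

MAC = r"[0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4}"
# Header shared by every line: timestamp, reporting AP, process name, free-text body.
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<ap>\S+) (?P<proc>\w+): (?P<body>.*)$")
# One pattern per body shape; new-firmware ah_trapd bodies are keyed on their message id.
BODIES = {
    "auth_old": re.compile(rf"add new RT sta: MAC=(?P<mac>{MAC}), IP=(?P<ip>[^,\s]+), hostname=(?P<host>.*?), username=(?P<user>\S+) on \S+"),
    "login_old": re.compile(rf"\[Auth\]STA\((?P<mac>{MAC})\) login to SSID\([^)]*\) by user_name=(?P<user>\S+)"),
    "trap_103003": re.compile(rf"#103003\]Station (?P<mac>{MAC}) was authenticated on {MAC} through SSID (?P<ssid>.+?) vid \d+\."),
    "trap_103004": re.compile(rf"#103004\]The IP address of station (?P<mac>{MAC}) changed from (?P<old_ip>[\d.]+) to (?P<ip>[\d.]+)\."),
    "rogue_client": re.compile(rf"A rogue client (?P<mac>{MAC}) connected to rogue AP (?P<rogue_ap>{MAC}) is (?P<state>detected|left)\."),
}

def parse(line):
    """Return header fields plus whatever named fields the body shape yields, or None."""
    h = HEADER.match(line)
    if not h:
        return None
    rec = {"ts": h["ts"], "ap": h["ap"], "proc": h["proc"], "kind": "unknown",
           # the process name is the cheap old-vs-new discriminator the post settles on
           "format": {"ah_trapd": "new", "ah_auth": "old"}.get(h["proc"])}
    for kind, pat in BODIES.items():
        m = pat.search(h["body"])
        if m:
            rec["kind"] = kind
            rec.update(m.groupdict())
            break
    return rec

def firewall_mapping(rec):
    """(ip, user) if this one record can feed the IP/username firewall rule; 0.0.0.0 is skipped as the post does now."""
    if not rec or "ip" not in rec or "user" not in rec or rec["ip"] == "0.0.0.0":
        return None
    return rec["ip"], rec["user"]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse(line)
        print(rec["format"], rec["kind"], firewall_mapping(rec))
```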