syslog: message from which AP?

I've set up a syslog server, and am successfully receiving logs from all my APs. My question is, how do I know which AP a particular message is from?

I'm getting reports of dropped connections in a certain area, so I'd like to see messages from particular APs to try and hunt down the problem.

Thomas Gay

Posted 4 years ago

Nick Lowe, Official Rep

Normally you would know based on the source IP address at the Syslog server.

Thomas Gay

The source IP is not displayed. Here is an example, in raw format:

[Facility local7] [Sender ] [PID wifi] [Message wifi1.2: suppress request from ec:35:86:95:fb:d5, reason taken-by-nbr] [Level 6] [UID -2] [GID -2] [Host kernel:] [Time 1398920637] [ReadGID 80]
 



Nick Lowe, Official Rep

The Syslog server is privy to that IP address when it receives log entries, so the issue is with the Syslog server that you are using not recording the information that you need.

To solve this therefore, either change its configuration to log appropriately or use something else that can if that is not possible.

Thomas Gay

Installed Splunk and confirmed your suggestion. I was using the syslog server built into Mac OS X, and it looks like it doesn't record the IP of remote senders. Thanks!

Mike Kouri, Official Rep

Thomas, it's been ages and ages since I last tried using the syslog built into Mac OSX, but I vaguely recall seeing the same as you. If I remember correctly, instead of moving to an alternative server as you did, I think I adjusted the Mac syslog so that each reporting device got logged to a separate file.
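
Added example, not part of the thread and not code from any poster or vendor: a minimal UDP syslog receiver showing where the sender's address comes from (the socket, not the message body) and grouping records per reporting device. The function names, the loopback demo and the exact wire format of the sample datagram are assumptions made for illustration.

```python
import re
import socket
from collections import defaultdict

FACILITIES = {16 + i: f"local{i}" for i in range(8)}  # local0..local7
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def tag_with_sender(datagram: bytes, sender_ip: str) -> dict:
    """Decode the <PRI> header and attach the UDP source address,
    which the syslog payload itself does not have to carry."""
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else 13  # RFC 3164 default when PRI is absent
    body = datagram[m.end():] if m else datagram
    facility, severity = divmod(pri, 8)
    return {
        "sender": sender_ip,
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": severity,
        "message": body.decode("utf-8", errors="replace").strip(),
    }

def receive(sock: socket.socket, count: int) -> dict:
    """Read `count` datagrams and group the records by sending device."""
    by_sender = defaultdict(list)
    for _ in range(count):
        data, (ip, _port) = sock.recvfrom(8192)  # source address comes from the socket
        by_sender[ip].append(tag_with_sender(data, ip))
    return dict(by_sender)

# Constructed datagram: local7 (23) * 8 + info (6) = PRI 190; wire format assumed.
SAMPLE = b"<190>kernel: wifi1.2: suppress request from ec:35:86:95:fb:d5, reason taken-by-nbr"

def demo() -> dict:
    """Send SAMPLE over loopback so the example runs without any AP."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        server.settimeout(2)
        client.sendto(SAMPLE, server.getsockname())
        return receive(server, 1)
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    for ip, records in demo().items():
        for r in records:
            print(f"{ip} {r['facility']}.{r['severity']} {r['message']}")
```

The UDP source address is not authenticated and may be rewritten by NAT between the AP and the collector, so use it to identify devices, not as proof of origin.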