Cisco Wireless Lan Controller parser (based on syslog daemon connector)


Cisco documents quite a lot of messages for this device, but very few are useful for security analysis and the description of these messages is not always very obvious (and even sometimes wrong). This is why we've built this parser in a "parse what you see" mode - we didn't rely on the manual to get the full list of messages. Hence, consider this parser as a starting point, but not as a definitive solution for parsing all WLC events.


Version 0.1 : initial development

Version 0.2 : fix to support newer versions of the WLC (logging format has slightly changed)

Version 0.3 : fix to support parsing of some messages (reported by Myles Powers)

Version 0.4 : fix to avoid dstprotector (no more usage of deviceExternalId)

Comment List
  • A new version is available (0.4) as I've discovered dstprotector prevents you from having more than 10 values for deviceExternalId

  • Thanks. There was a typo in the parser which is now fixed. Your messages should be parsed now.

    I also recommend tuning on the "Generate unparsed events" parameter in your connector, so that you can monitor the amount of unparsed events and possibly generate correlation events or keep this number in a trend report.

  • We still get a few (very few) events that do not pass the initial regex. I'm not sure why it looks like it should work. Ive also added a few additional submessages and categories.

    wlc-om1-1: *spamReceiveTask: Sep 17 12:41:32.296: %LWAPP-1-AP_CONTAINED: spam_lrad.c:27637 AP wap-om1-9w is being contained on slot 0

    wlc-cdc-1: *spamReceiveTask: Sep 17 17:40:44.755: %LWAPP-3-REPLAY_ERR: spam_lrad.c:25413 Received replay error on slot 1, WLAN ID 1, count 8 from AP fc:fb:fb:6b:13:60

    wlc-cdc-1: *spamReceiveTask: Sep 17 17:38:44.754: %LWAPP-3-REPLAY_ERR: spam_lrad.c:25413 Received replay error on slot 1, WLAN ID 1, count 1 from AP fc:fb:fb:6b:13:60

    wlc-cdc-1: *spamReceiveTask: Sep 17 17:36:44.753: %LWAPP-3-REPLAY_ERR: spam_lrad.c:25413 Received replay error on slot 1, WLAN ID 1, count 29 from AP fc:fb:fb:6b:13:60

    wlc-om1-1: *spamReceiveTask: Sep 17 12:35:51.119: %LWAPP-1-AP_CONTAINED: spam_lrad.c:27637 AP wap-om1-8w is being contained on slot 0

  • Thanks vip, nice work. It's great that you spent the time to do categorization as well. Very few seem to understand how much that helps.

  • It should be fixed. You can now use this new version (0.2) and it shouldn't require any change to your (at least with recent SmartConnector versions : ArcSight has fixed the bug we reported in their cisco router parser).

  • Yes, the connector does appear to read the file when it starts. It also gave a message about conflicting with generic_syslog. When I remove generic syslog from the list it goes to a "passthrough_syslog" which is not in the list of subagents. It's very strange I do not get any regex warning messages in the agent.log unless I purposely change regex statement so it does not match.

    [2012-09-03 20:15:23,092][INFO ][][addToZip] Adding [/opt/arcsight/connector_3/current/user/agent/flexagent/syslog/]
    [2012-09-03 20:22:50,177][INFO ][][pushUserFiles] Decompressing [/opt/arcsight/connector_3/current/user/agent/flexagent/syslog/]
    [2012-09-03 20:23:52,445][INFO ][][getInputStream] Resource [syslog/] not found
    [2012-09-03 20:23:52,445][INFO ][][getInputStream] Resource [syslog/] not found (AUP file ignored)
    [2012-09-03 20:23:52,446][INFO ][][customInitialization] customInitialization() - read properties from file [/opt/arcsight/connector_3/current/user/agent/flexagent/syslog/].
    [2012-09-03 20:23:52,467][INFO ][][init] Successfully Parsed properties from file [syslog/cisco_wlc.subagent]

  • Myles, I have the same issue after upgrading our WLC : the log format has changed slightly (some text is present between the first "*" and the date). I'm currently busy trying to fix the regex and will update this one when I have found a satisfying solution.
    Thanks for reporting !

  • You should check if the file is picked up when the first event from the WLC is received by the connector (you should see log lines talking about it). If it's seen as a generic syslog (unix) try to remove the generic subparser from the custom list of subparsers (in the file). Make sure the second line is in the to activate your modification to the list of subparsers. The categorization file shouldn't have any influence on your subparser : if it is wrong or at the wrong location, events should still be correctly parsed.

  • I'm not able to get this one working.

    Renamed the subparser to cisco.subagent...and placed the file in ./current/user/agent flexagent/syslog. Also installed the categorizer that was included. Removed and made the edits to Restarted but, it still sees the events as generic syslog.

    Any Ideas?

  • Hi Aleh,

    It has been tested with a WLC4402-K9 but is indeed probably usable as long as the operating system is the same (IOS 5.2 in our case). Note this flexConnector ony handles syslog messages and not SNMP traps.

    As mentioned, we only parse a subset of the WLC events and only the ones security-related. Device health status messages have especially not been taken into account. However, if you need them, these messages can be added to the parser.

    A very useful reference for WLC messages can be found here :