How to capture (send to syslog) the client history using one of WirelessC5210, NetSight and OneView (we are using these in our environment)

  • Question
  • Updated 2 years ago
  • Answered
How to capture (send to syslog) the client history of a network with 100 APs and 1 controller, using one WirelessC5210, NetSight and OneView (we are using these in our environment).
I am trying to have a history of the users and their IP addresses with their time of use. Currently in OneView -> Wireless -> Client, the events we have are limited to 1000 lines. How can I export these events to a syslog server? This can be from the C5210 -> Reports -> Active Clients, too.

Thanks in Advance.
Regards,
Andre Paiva.

Andre Paiva


Posted 2 years ago


Jason, Employee

Hello Andre, 

You can enable "Send station events" and then collect these client events in NetSight syslog or another syslog.
You will need to configure syslog and also enable "include station events" in the Controller >> Logs Configuration. I have attached two screenshots that show the Logs screen and also another screenshot that has an example of the client event messaging (this one happens to be an authentication).

Hope that helps.  

Regards, 
Jason





Andre Paiva

Great, Jason!
Do you know if it is possible to capture only some kinds of events related to the stations? Like, I don't think the roam events need to be logged and registered for future use.

Jason, Employee

Andre, 

You cannot completely filter out all of the client events, but if you uncheck "service" and "audit" messages, you can reduce the amount of logging you will receive. 
 
In case you are not aware of OneView reporting, I wanted to mention that also.  You can collect historical client data in reports, if that would help you.  
This is one example - https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-a-report-that-shows-how-many...

I also have created an article for this subject - https://gtacknowledge.extremenetworks.com/articles/Q_A/Can-ExtremeWireless-client-events-be-sent-to-...

Regards, 
Jason

Ronald Dvorak, Embassador

If I understand the question correctly... you have a syslog server (not the NetSight one) to collect the information.

Then you should be able to send all events via syslog to NetSight and then create an alarm for a specific message (when a client connects/authenticates) with an action to send a syslog message from NetSight to your other syslog server.

I've tried it with the action email (I have no other syslog in my lab) and I get this email when my clients connect - in my case I use 802.1X for the SSID and I've used the syslog message "Radius Client Radius Response:  Accepted" to trigger the alarm.


-----Original Message-----
From: xxx [mailto: XXX]
Sent: Thursday, April 07, 2016 9:14 PM
To: Dvorak, Ronald
Subject: NetSight Info Alarm: TestClientConnect

Device:  
Severity: Clear
Message: events: Radius Client Radius Response:  Accepted: UserID:dvorakr_iphone, Client MAC:[9C:FC:01:1C:01:D6] 3

-Ron
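An added example, not part of any post in this thread: once station events reach a syslog server, a small collector-side script can keep only the authentication events and build a per-client history, which also covers the question of discarding roam events. It matches only the message text quoted in the alarm e-mail above; the syslog timestamp/host prefix, the host name `c5210-lab`, and every sample line other than that quoted message are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Matches the one station event text quoted in the alarm e-mail above.
ACCEPT_RE = re.compile(
    r"Radius Client Radius Response:\s+Accepted:\s+"
    r"UserID:(?P<user>[^,]+),\s+Client MAC:\[(?P<mac>[0-9A-Fa-f:]{17})\]"
)
# Assumption: the collector stores an RFC 3164-style "Mmm dd hh:mm:ss host " prefix.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
)

def parse_line(line):
    """Return (timestamp, controller, user, mac) for an accepted auth, else None."""
    head = HEADER_RE.match(line)
    event = ACCEPT_RE.search(line)
    if not head or not event:
        return None  # anything else (roams, malformed lines) is dropped
    return (head["ts"], head["host"], event["user"].strip(), event["mac"].upper())

def build_history(lines):
    """Group accepted authentications by client MAC, in arrival order."""
    history = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, host, user, mac = rec
            history[mac].append({"time": ts, "controller": host, "user": user})
    return dict(history)

def to_csv(history):
    """Flatten the history into CSV text for long-term retention."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["mac", "time", "controller", "user"])
    for mac, events in history.items():
        for e in events:
            writer.writerow([mac, e["time"], e["controller"], e["user"]])
    return out.getvalue()

# Constructed sample input; only the "Radius Client ..." text format comes from the thread.
SAMPLE = [
    "Apr  7 21:14:02 c5210-lab events: Radius Client Radius Response:  Accepted: UserID:dvorakr_iphone, Client MAC:[9C:FC:01:1C:01:D6] 3",
    "Apr  7 21:15:40 c5210-lab events: constructed placeholder for a roam event",
    "Apr  7 22:03:11 c5210-lab events: Radius Client Radius Response:  Accepted: UserID:dvorakr_iphone, Client MAC:[9c:fc:01:1c:01:d6] 3",
]
```

The RFC 3164-style timestamp has no year, so for retention over long periods store the collector's own receive time alongside each record.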

Andre Paiva

Thank you, everybody.
Another question: I am using NetSight with the Advanced license as the syslog server. Just to confirm that it is not getting double/duplicated information: as NetSight is already the admin of the controller, is it necessary to add its IP address as in the first screenshot, in Controller >> Logs Configuration, or is it just necessary to check "Send station events"?

The goal that the client really needs is to have the history of the end-stations on the net. The closest that I saw is in OneView -> Wireless -> Client Event -> (or it was end-station and some way to expand the history) and filtering one client to show its history on the network. But because it only shows 2 hours of events, in our case we really need a longer time.
They need it because when someone maybe does something illegal on the network, they need to know who it was, or the law says that the fault is theirs (the client's).

Regards,
Andre.

Doug Hyde, Technical Support Manager

You would be duplicating the traffic if NetSight is your syslog server and you have "Send station session events to NetSight" checked.