Extreme Networks

cwensink · ‎11-10-2023

We have 8 Extreme Wing AP-7522 AP's running in a small business WLAN, and all of the AP's are dumping messages like this into our logging server:

type: syslog

facility:0

faclity_label: kernal

host: <IP of Access point>

message <6> Sep 10 12:24:49 ACCT-START User-Name:- IPv4-Address:<client ip> Session-Id:2541 Calling-Station:<mac-adress-1> Called-Station:<mac-address-2>

priority: 0

severity: 0

severity_label: Emergency

I ran this message past my Linux admin mentor and he said "the ACCT-START message typically indicates the start of an accounting session in the RADIUS protocol, which is often used for authentication in wireless networks. This is usually a routine message."

So, first I wanted to confirm that this is a routine message, and second how can I change the severity level of these log messages so they don't appear as emergencies?

It's mostly ACCT-STOP messages but there are some ACCT-START messages that have the same severity.

Thanks for the help.

Christoph_S · ‎11-14-2023

Not sure how things are set up at your end since we don't have any visibility into your config but here's a way to changes the logging level in WiNG:

SSH into the controller and run the following command:

#self

#logging buffered ?
<0-7> Logging severity level
emergencies System is unusable (0)
alerts Immediate action needed (1)
critical Critical conditions (2)
errors Error Conditions (3)
warnings Warning conditions (4)
notifications Normal but significant conditions (5)
informational Informational messages (6)
debugging Debugging messages (7)

Select one of the options and save.

Please let us know if this is what you are looking for.

BR,

Christoph S.

cwensink · ‎11-17-2023

I understand how to change the logging level being outputted on the access point, that's not my question.

On the Access points, there are dozens of ACCT-START and ACCT-STOP messages that are coming through, that indicate the start of an authentication session and the end of a session, normal every day traffic, level 6, informational messages.

However, in the log files these events are being sent as level 0 emergency messages, (the highest severity of log), when they really should be level 6. This information is present in the AP and in the centralized logging server I have set up. How do I change the severity of these messages so that they are reported as level 6 informational and not level 0 emergency messages. Here is an example of an entry from today:

host: <ip of AP>

message: <6> Sep 17 11:04:13 ACCT-STOP User-Name:- IPv4-Address: <client ip> Session-Id:1238 Calling-Station:<mac-address-1> Called-Station:<mac-address-2> Packets-In:71 Packets-Out:13 Bytes-In:668 Bytes-Out:1298

priority: 0

severity: 0

severity_label: Emergency

type: syslog

Does that make sense. These log entries are being presented as emergencies when they are not emergencies, I want to change the classification of the event

config:
--virtual-controller-ip-hostname--*>show running-config
!
! Configuration of AP7522 version 5.8.6.7-002R
!
!
version 2.5
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit D HCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-descriptio n "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP l ocal broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 tra ffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP tra ffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos tcp-sequence-past-window
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy <wifi-name>
rate-limit client to-air rate 5000
rate-limit client from-air rate 5000
qos trust dscp
qos trust wmm
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
association-acl-policy <wifi-network>
permit <mac-address> precedence 2
permit <mac-address> precedence 3
permit <mac-address> precedence 4
permit <mac-address> precedence 5
permit <mac-address> precedence 6
(repeat-lines-omitted)
!
wlan <wifi-name>
ssid <wifi-name>
vlan 1
bridging-mode local
encryption-type <omitted>
authentication-type none
no client-client-communication
no fast-bss-transition over-ds
wpa-wpa2 psk 0 <key>
accounting syslog host <syslog-server-ip> port <port>
use wlan-qos-policy <wifi-name>
!
wips-policy default
!
auto-provisioning-policy default
!
!
management-policy default
no telnet
no http server
https server
ssh
user admin password <password> role superuser access all
snmp-server community 0 private rw
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 <password>
snmp-server user snmpmanager v3 encrypted des auth md5 <password>
!
event-system-policy default
!
nsight-policy default
!
profile ap7522 default-ap7522
use enterprise-ui
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan <wifi-name> bss 1 primary
interface radio2
wlan <wifi-name> bss 1 primary
interface ge1
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use event-system-policy default
use firewall-policy default
ntp server 138.236.128.36 autokey
use client-identity-group default
logging on
service pm sys-restart
router ospf
!
rf-domain default
location <location>
contact <admin>
timezone America/Chicago
country-code us
use nsight-policy default
!
ap7522 <mac-address-AP2>
use profile default-ap7522
use rf-domain default
hostname <hostname-AP2>
location default
interface vlan1
description "primary domain"
ip address <ip-address-AP2>/24
!
ap7522 <mac-address-AP3>
use profile default-ap7522
use rf-domain default
hostname <hostname-AP3>
location default
interface vlan1
ip address <IP address-AP3>/24
!
ap7522 <macaddress-AP4>
use profile default-ap7522
use rf-domain default
hostname <hostname-AP4>
location default
ip default-gateway <gateway-ip>
interface vlan1
ip address <ip-address-AP4>/24
!
ap7522 ,<mac-address-AP5>
use profile default-ap7522
use rf-domain default
hostname <hostname-AP5>
location default
ip name-server <name-server-IP>
interface vlan1
description "main network"
ip address <ip-address-AP5>/24
!
ap7522 <mac-address-AP6
use profile default-ap7522
use rf-domain default
hostname<hostname-AP6>

location default
no adoption-mode
interface vlan1
description "main network"
ip address <ip-address-AP6>/24
use auto-provisioning-policy default
virtual-controller
rf-domain-manager capable
logging buffered informational
!
ap7522 <mac-address-AP7>
use profile default-ap7522
use rf-domain default
hostname <hostname-AP7>
location default
interface vlan1
ip address <ip-address-AP7>/24
!
ap7522 <mac-address-AP8>
use profile default-ap7522
use rf-domain default
hostname <hostname-AP8>
location default
interface vlan1
no description
ip address <ip-address-AP8>/24
!
ap7522 <mac-address-AP9>
use profile default-ap7522
use rf-domain default
hostname <hostname-AP9>
location default
interface vlan1
description "main network"
ip address <ip-address-AP9>/24
!
!
end

Extreme Networks

WeSeverity 0 Emergency acct-stop message in syslog

WeSeverity 0 Emergency acct-stop message in syslog