Only 2 devices in network sending syslogs

2024-07-04 14:15:38 - last edited 2024-07-04 14:17:00
Tags: #Logs #syslog

In my network, I have 1 gateway, 2 switches and 3 APs.

Only the controller & 1 AP are sending logs to the syslog server. I removed the AP that was sending the logs from the controller, by forgetting it, thinking that maybe the APs were working as some sort of cluster. But no, no other AP started to send logs in its place.

As soon as I readopted the removed AP, it started sending logs again.

The hardware is:

1xER8411 v1.0

2xSG3428X-M v1.20

2xEAP670(EU) v1.0

1xEAP610-Outdoor(EU) v1.0

Only the EAP610 is sending logs, as well as the controller.

Shouldn't I also be seeing logs from the gateway & switches as well as the 2 EAP670s?

#1
Re:Only 2 devices in network sending syslogs
2024-07-05 07:12:54

Hi @mg4455

Is it convenient to share the server config here?

Additionally, what kind of logs were successfully sent, and what kind of logs were not? It will be better to list some examples combined with Internet activities.

#2
Re:Only 2 devices in network sending syslogs
2024-07-05 10:25:51 - last edited 2024-07-05 10:27:29

@Vincent-TP

What sort of config are you after here? That of the syslog server?

I'm not sure that's relevant. The syslog server is functioning fine.

For the sake of completeness, however: I've tried pointing the logs at Splunk, Graylog & Seq. Currently, for simplicity, they're being targeted at the syslog server of a Synology box.

As for configuration, it's all as follows:

Controller: 10.0.0.100

ER8411: 10.0.0.254

Switch1: 10.0.0.253

Switch2: 10.0.0.252

EAP670-1: 10.0.0.50

EAP670-2: 10.0.0.51

EAP610: 10.0.0.52

Syslog server: 10.100.0.151

Logs are only being sent by: 10.0.0.100 & 10.0.0.52.

I'd attach some logs here, but apparently I'm not allowed to upload csv files. Pastebin links are also banned, apparently.

As for what logs were successfully sent vs those that were not, I don't know. This is the main focus of the question. Shouldn't all 3 APs at the very least be sending logs to the syslog server?

Should the gateway & switches be sending them at all?

#3
Re:Only 2 devices in network sending syslogs
2024-07-05 10:30:38

I'll just post the raw CSVs in here.

From 10.0.0.100 (controller):

Date,Time,Level,Host Name,Category,Program,Messages
05/07/2024,10:14:39,Info,10.0.0.100,local1,1,"2024-07-05T10:14:35.704Z site-name-redacted - - - [client:02-42-AC-10-0B-3B:02-42-AC-10-0B-3B] was disconnected from network ""Docker"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:18m connected, traffic: 0Bytes)."
05/07/2024,10:13:08,Info,10.0.0.100,local0,1,2024-07-05T10:12:38.000Z site-name-redacted - - - DHCP Server allocated IP address 10.0.1.13 for the client[MAC: d8-3a-dd-12-de-c4].
,,,,,,
05/07/2024,10:12:09,Info,10.0.0.100,local1,1,"2024-07-05T10:12:05.684Z site-name-redacted - - - [client:02-42-0A-10-00-1F:02-42-0A-10-00-1F] was disconnected from network ""Monitoring"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:10m connected, traffic: 0Bytes)."
05/07/2024,10:12:08,Info,10.0.0.100,local0,1,2024-07-05T10:11:25.000Z site-name-redacted - - - DHCP Server allocated IP address 10.100.0.8 for the client[MAC: 02-42-63-e4-66-c7].
,,,,,,
05/07/2024,10:11:09,Info,10.0.0.100,local1,1,2024-07-05T10:11:09.254Z site-name-redacted - - - [client:02-42-0A-64-00-FD:02-42-0A-64-00-FD] is connected to [osg:ER8411:5C-E9-31-EC-27-8B] on Server network.
05/07/2024,10:11:09,Info,10.0.0.100,local1,1,2024-07-05T10:11:09.235Z site-name-redacted - - - [client:PiBody:B8-27-EB-90-89-03] is connected to [osg:ER8411:5C-E9-31-EC-27-8B] on Server network.
05/07/2024,10:11:09,Info,10.0.0.100,local1,1,2024-07-05T10:11:09.215Z site-name-redacted - - - [client:Leap:00-16-3E-F4-B5-C8] is connected to [osg:ER8411:5C-E9-31-EC-27-8B] on Server network.
05/07/2024,10:10:38,Info,10.0.0.100,local0,1,2024-07-05T10:10:13.000Z site-name-redacted - - - DHCP Server allocated IP address 10.100.0.7 for the client[MAC: 02-42-0b-3c-4c-74].
,,,,,,
05/07/2024,10:10:14,Info,10.0.0.100,local1,1,"2024-07-05T10:10:13.623Z site-name-redacted - - - [client:NGPOE:E0-46-EE-2D-4E-AC] was disconnected from network ""Infrastructure"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:168h59m connected, traffic: 142.12MB) and connected to network ""Dummy"" on [osw:Switchy2:78-8C-B5-5D-8F-FB]."
05/07/2024,10:10:09,Info,10.0.0.100,local1,1,"2024-07-05T10:10:05.646Z site-name-redacted - - - [client:PiBody:B8-27-EB-90-89-03] was disconnected from network ""Server"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:5m connected, traffic: 0Bytes)."
05/07/2024,10:10:09,Info,10.0.0.100,local1,1,"2024-07-05T10:10:05.631Z site-name-redacted - - - [client:02-42-0A-10-00-22:02-42-0A-10-00-22] was disconnected from network ""Monitoring"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:4m connected, traffic: 0Bytes)."
05/07/2024,10:10:09,Info,10.0.0.100,local1,1,"2024-07-05T10:10:05.613Z site-name-redacted - - - [client:02-42-0A-64-00-FD:02-42-0A-64-00-FD] was disconnected from network ""Server"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:14m connected, traffic: 0Bytes)."
05/07/2024,10:09:39,Info,10.0.0.100,local1,1,"2024-07-05T10:09:35.595Z site-name-redacted - - - [client:02-42-0A-10-00-0D:02-42-0A-10-00-0D] was disconnected from network ""Monitoring"" on [osw:Switchy1:5C-E9-31-99-3D-D9](connected time:4m connected, traffic: 0Bytes)."
05/07/2024,10:09:39,Info,10.0.0.100,local1,1,"2024-07-05T10:09:35.578Z site-name-redacted - - - [client:Leap:00-16-3E-F4-B5-C8] was disconnected from network ""Server"" on [osw:Switchy1:5C-E9-31-99-3D-D9](connected time:4m connected, traffic: 0Bytes)."
05/07/2024,10:08:38,Info,10.0.0.100,local0,1,2024-07-05T10:08:02.000Z site-name-redacted - - - DHCP Server allocated IP address 10.0.1.13 for the client[MAC: d8-3a-dd-12-de-c4].
,,,,,,
05/07/2024,10:07:08,Info,10.0.0.100,local0,1,2024-07-05T10:06:46.000Z site-name-redacted - - - DHCP Server allocated IP address 10.100.0.8 for the client[MAC: 02-42-63-e4-66-c7].
,,,,,,
05/07/2024,10:06:08,Info,10.0.0.100,local0,1,2024-07-05T10:05:39.000Z site-name-redacted - - - DHCP Server allocated IP address 10.100.0.7 for the client[MAC: 02-42-0b-3c-4c-74].
,,,,,,
05/07/2024,10:04:34,Info,10.0.0.100,local1,1,"2024-07-05T10:04:32.741Z site-name-redacted - - - [client:02-C1-3D-F1-50-6C:02-C1-3D-F1-50-6C] was disconnected from network ""Storage"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:3m connected, traffic: 0Bytes) and connected to network ""Server"" on [osw:Switchy2:78-8C-B5-5D-8F-FB]."
05/07/2024,10:04:34,Info,10.0.0.100,local1,1,"2024-07-05T10:04:32.724Z site-name-redacted - - - [client:00-8E-25-79-05-6F:00-8E-25-79-05-6F] was disconnected from network ""Storage"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:56m connected, traffic: 0Bytes) and connected to network ""Server"" on [osw:Switchy2:78-8C-B5-5D-8F-FB]."
05/07/2024,10:04:08,Info,10.0.0.100,local0,1,2024-07-05T10:03:21.000Z site-name-redacted - - - DHCP Server allocated IP address 10.0.1.13 for the client[MAC: d8-3a-dd-12-de-c4].
,,,,,,
05/07/2024,10:03:54,Info,10.0.0.100,local3,1,2024-07-05T10:03:53.726Z PsyNet - - - admin logged in to the controller from 10.0.1.57.
05/07/2024,10:02:37,Info,10.0.0.100,local0,1,2024-07-05T10:02:04.000Z site-name-redacted - - - DHCP Server allocated IP address 10.100.0.8 for the client[MAC: 02-42-63-e4-66-c7].
,,,,,,
05/07/2024,10:01:37,Info,10.0.0.100,local0,1,2024-07-05T10:01:08.000Z site-name-redacted - - - DHCP Server allocated IP address 10.100.0.7 for the client[MAC: 02-42-0b-3c-4c-74].
,,,,,,
05/07/2024,10:01:09,Info,10.0.0.100,local1,1,2024-07-05T10:01:08.316Z site-name-redacted - - - [client:starlight:BC-24-11-F1-9C-06] is connected to [osg:ER8411:5C-E9-31-EC-27-8B] on Server network.
05/07/2024,10:01:09,Info,10.0.0.100,local1,1,2024-07-05T10:01:08.296Z site-name-redacted - - - [client:CRS305:48-A9-8A-28-CD-A9] is connected to [osg:ER8411:5C-E9-31-EC-27-8B] on Infrastructure network.
05/07/2024,10:01:09,Info,10.0.0.100,local1,1,2024-07-05T10:01:08.277Z site-name-redacted - - - [client:Zyxel Switch:BC-CF-4F-73-94-8B] is connected to [osg:ER8411:5C-E9-31-EC-27-8B] on Infrastructure network.
05/07/2024,10:01:09,Info,10.0.0.100,local1,1,2024-07-05T10:01:08.258Z site-name-redacted - - - [client:dockman:BC-24-11-16-93-AE] is connected to [osg:ER8411:5C-E9-31-EC-27-8B] on Server network.
05/07/2024,10:00:59,Info,10.0.0.100,local1,1,2024-07-05T10:00:56.722Z site-name-redacted - - - [client:02-C1-3D-F1-50-6C:02-C1-3D-F1-50-6C] is connected to [osw:Switchy2:78-8C-B5-5D-8F-FB] on Storage network.
05/07/2024,10:00:39,Info,10.0.0.100,local1,1,"2024-07-05T10:00:35.553Z site-name-redacted - - - [client:02-C1-3D-F1-50-6C:02-C1-3D-F1-50-6C] was disconnected from network ""Storage"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:12m connected, traffic: 0Bytes)."
05/07/2024,10:00:29,Info,10.0.0.100,local1,1,2024-07-05T10:00:26.147Z site-name-redacted - - - [client:02-42-0A-10-00-22:02-42-0A-10-00-22] is connected to [osw:Switchy2:78-8C-B5-5D-8F-FB] on Monitoring network.
05/07/2024,10:00:29,Info,10.0.0.100,local1,1,"2024-07-05T10:00:26.106Z site-name-redacted - - - [client:02-42-AC-10-0B-3F:02-42-AC-10-0B-3F] was disconnected from network ""Docker"" on [osg:ER8411:5C-E9-31-EC-27-8B](connected time:6h59m connected, traffic: 0Bytes) and connected to network ""Docker"" on [osg:Switchy2:78-8C-B5-5D-8F-FB]."
05/07/2024,10:00:29,Info,10.0.0.100,local1,1,2024-07-05T10:00:26.105Z site-name-redacted - - - [client:02-42-AC-10-0B-40:02-42-AC-10-0B-40] is connected to [osw:Switchy2:78-8C-B5-5D-8F-FB] on Docker network.
05/07/2024,10:00:29,Info,10.0.0.100,local1,1,"2024-07-05T10:00:26.053Z site-name-redacted - - - [client:02-42-AC-10-0B-3C:02-42-AC-10-0B-3C] was disconnected from network ""Docker"" on [osg:ER8411:5C-E9-31-EC-27-8B](connected time:6h59m connected, traffic: 0Bytes) and connected to network ""Docker"" on [osg:Switchy2:78-8C-B5-5D-8F-FB]."

From 10.0.0.52 (EAP610):

Date,Time,Level,Host Name,Category,Program,Messages
05/07/2024,10:10:56,Info,10.0.0.52,kern,,AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80
,,,,,,
05/07/2024,10:10:51,Info,10.0.0.52,kern,,AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80
[1720174248.410034424] AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80,,,,,,
[1720174248.480034424] AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80,,,,,,
[1720174248.600034424] AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80,,,,,,
,,,,,,
05/07/2024,10:10:46,Info,10.0.0.52,kern,,AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80
,,,,,,
05/07/2024,10:10:41,Info,10.0.0.52,kern,,AP MAC=9c:53:22:40:68:72 MAC SRC=24:e5:0f:6b:49:f7 IP SRC=10.200.0.28 IP DST=34.77.114.55 IP proto=6 SPT=39364 DPT=11095
,,,,,,
05/07/2024,10:10:36,Info,10.0.0.52,kern,,AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=1
[1720174233.940034417] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=6 SPT=40400 DPT=11095,,,,,,
[1720174234.970034418] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=6 SPT=40400 DPT=11095,,,,,,
,,,,,,
05/07/2024,10:10:31,Info,10.0.0.52,kern,,AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=1.1.1.1 IP proto=1
[1720174227.810034414] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=216.58.212.227 IP proto=6 SPT=65002 DPT=80,,,,,,
[1720174227.810034414] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=216.58.212.227 IP proto=1,,,,,,
[1720174227.810034414] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=6 SPT=65003 DPT=11095,,,,,,
[1720174227.810034414] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=1,,,,,,
[1720174227.820034414] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=1.1.1.1 IP proto=6 SPT=65001 DPT=53,,,,,,
[1720174227.820034414] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=216.58.212.227 IP proto=6 SPT=65002 DPT=80,,,,,,
[1720174228.820034415] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=6 SPT=65003 DPT=11095,,,,,,
[1720174228.820034415] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=1,,,,,,
[1720174228.830034415] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=6 SPT=65003 DPT=11095,,,,,,
[1720174228.840034415] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=1.1.1.1 IP proto=6 SPT=65001 DPT=53,,,,,,
[1720174229.850034415] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=1,,,,,,
[1720174230.870034416] AP MAC=9c:53:22:40:68:72 MAC SRC=38:86:f7:91:4d:39 IP SRC=10.200.0.30 IP DST=35.228.169.253 IP proto=1,,,,,,

These are not complete logs of course, just a snippet.

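Added example, not part of the thread or of any TP-Link tooling: a small Python check that parses the Synology-style CSV export format posted above (Date,Time,Level,Host Name,Category,Program,Messages, with ',,,,,,' padding rows and '[timestamp] ...,,,,,,' continuation rows) and lists which inventoried devices have produced no records at all, which is the quickest way to confirm a "silent log source" from the data rather than by eye. The device inventory is taken from the thread; the sample rows are constructed from the lines posted above.

```python
import csv
import io
import ipaddress

# Device inventory as listed in the thread (IP -> role)
EXPECTED_SENDERS = {
    "10.0.0.100": "Controller",
    "10.0.0.254": "ER8411",
    "10.0.0.253": "Switch1",
    "10.0.0.252": "Switch2",
    "10.0.0.50": "EAP670-1",
    "10.0.0.51": "EAP670-2",
    "10.0.0.52": "EAP610",
}

# Constructed sample in the export format shown in the thread: header, normal
# records, a ',,,,,,' padding row and a '[ts] ...,,,,,,' continuation row.
SAMPLE_EXPORT = '''Date,Time,Level,Host Name,Category,Program,Messages
05/07/2024,10:13:08,Info,10.0.0.100,local0,1,2024-07-05T10:12:38.000Z site-name-redacted - - - DHCP Server allocated IP address 10.0.1.13 for the client[MAC: d8-3a-dd-12-de-c4].
,,,,,,
05/07/2024,10:12:09,Info,10.0.0.100,local1,1,"2024-07-05T10:12:05.684Z site-name-redacted - - - [client:02-42-0A-10-00-1F:02-42-0A-10-00-1F] was disconnected from network ""Monitoring"" on [osw:Switchy2:78-8C-B5-5D-8F-FB](connected time:10m connected, traffic: 0Bytes)."
05/07/2024,10:10:51,Info,10.0.0.52,kern,,AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80
[1720174248.410034424] AP MAC=9c:53:22:40:68:72 MAC SRC=9c:a5:25:cf:54:e3 IP SRC=10.200.0.121 IP DST=52.49.40.246 IP proto=6 SPT=49866 DPT=80,,,,,,
'''


def count_records_per_host(csv_text):
    """Return {host_ip: record_count}. Rows whose Host Name column is not an
    IP address (the header, padding rows, continuation rows) are skipped."""
    counts = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 7:
            continue
        host = row[3].strip()
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


def silent_senders(csv_text, expected=EXPECTED_SENDERS):
    """Inventoried devices with zero records in the export, sorted by IP."""
    seen = count_records_per_host(csv_text)
    missing = [ip for ip in expected if ip not in seen]
    return sorted(missing, key=ipaddress.ip_address)
```

Run `silent_senders(SAMPLE_EXPORT)` on the sample and it returns the gateway, both switches and both EAP670s, matching the observation in the thread; point it at a full export to check a longer window.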