We have recently had a problem with our Aruba wireless controller rebooting. Unfortunately, TAC hasn’t been able to pinpoint the problem with the controller’s logs. They asked us to enable syslogging to further troubleshoot the issue.
We wrongly assumed that this would be simple. Windows 2008 R2 doesn’t support syslog collection as a feature. Finding an open source option was difficult as well. The most common package is:
Kiwi Syslog Server for Windows
Kiwi has a demo period but isn’t free or open source. Its list price is $295.00 at the time of this post.
So after an unreasonable amount of searching, we settled on nxLog.
Procedures
1. Install nxLog on our Windows server that will collect the logs
2. Configure nxLog
3. Start nxLog service
4. Configure Aruba Controller to send syslogs to server

Step 1 is self-explanatory. The distribution is a simple MSI file. Run it and click through the installation.
Step 2: Configuration is done through the nxlog.conf file. On our system, the default installation path was C:\Program Files (x86)\nxlog\conf\
Configuring our options was a little difficult. Most of the documentation is directed towards forwarding the logs onto another server. In our case, we want to collect them. Shown below is our configuration file.
```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_udp
    Host x.x.x.x
    Port 514
</Input>

<Output out>
    Module om_file
    File 'e:\arubasyslogs\output_' + $Hostname + "_" + month(now())
    Exec if out->file_size() > 15M { \
        $newfile = 'e:\arubasyslogs\output_' + $Hostname + "_" + strftime(now(), "%Y%m%d%H%M%S"); \
        out->rotate_to($newfile); }
</Output>

<Route 1>
    Path in => out
</Route>
```
Leave the Extension block's module set to xm_syslog.
The Input block configures where the logs are received. Change Host to the IP address of the server collecting the logs; we used the IP address of our Windows Server 2008 R2 server. Our Aruba controller sends on port 514; you may need to change Port depending on the system sending the logs.
The Output block configures where to send the logs. We are not forwarding them on; we want to save them to a local hard drive, so we configured a folder called ArubaSysLogs on drive E. The rest of the block checks whether the file is larger than 15 MB. Once the file exceeds that size, it is renamed and logging continues in a new file.
The final Route block simply takes everything received by the input (in) and sends it to the output (out).
Step 3: Go to your services and start the nxlog service. Note that if you make changes to your nxlog.conf file, you will need to restart the nxlog service.
Step 4: Configure the Aruba controller to send logs to our server.
On the controller, substitute your server's IP address for x.x.x.x below.
```
(Aruba) #configure terminal
(Aruba) (config) #logging x.x.x.x
(Aruba) (config) #end
```
Keep in mind that the above example does not delete old logs. You will need to cull old logs manually, or refer to the file_remove function (provided by nxlog's xm_fileop extension module).
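
One way to do that culling from a scheduled task on the collecting server, as an added example that is not part of the original post or of nxlog. It assumes the folder and file-name layout from the configuration above; the function name `Remove-OldArubaSyslog` and the 90-day default are hypothetical choices.

```powershell
# Added example: retention sweep for the rotated files written by the Output block.
# Assumptions: E:\arubasyslogs and the output_<Hostname>_<stamp> naming come from the
# configuration above; the function name and 90-day default are illustrative only.
function Remove-OldArubaSyslog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'E:\arubasyslogs',
        [int]$RetentionDays = 90
    )

    if ($RetentionDays -lt 1) { throw 'RetentionDays must be at least 1.' }
    if (-not (Test-Path -LiteralPath $Path)) { throw "Log folder not found: $Path" }

    # nxlog's strftime(now(), ...) writes local time, so compare against local time.
    $cutoff  = (Get-Date).AddDays(-$RetentionDays)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::None

    # Get-ChildItem -File is not available in the PowerShell 2.0 that ships with
    # Server 2008 R2, so directories are filtered out with PSIsContainer.
    Get-ChildItem -Path $Path | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        # Rotated files end in the 14-digit %Y%m%d%H%M%S stamp. The live file ends in
        # a 1-2 digit month number, never matches, and is therefore left alone.
        if ($_.Name -match '^output_.+_(\d{14})$') {
            $stamp = [datetime]::MinValue
            $ok = [datetime]::TryParseExact($Matches[1], 'yyyyMMddHHmmss', $culture, $styles, [ref]$stamp)

            # Age is taken from the name, not LastWriteTime, so copying or
            # restoring the archive does not reset the retention clock.
            if ($ok -and $stamp -lt $cutoff) {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove expired syslog file')) {
                    Remove-Item -LiteralPath $_.FullName -Force
                    $_.FullName   # emit the path so the task's output records what was removed
                }
            }
        }
    }
}

# Dry run: reports what would be deleted without removing anything.
Remove-OldArubaSyslog -RetentionDays 90 -WhatIf
```

Drop `-WhatIf` once the dry-run output matches what you expect to lose.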