Syslog Collector on Windows 2008 R2 for Aruba Controller

We have recently had a problem with our Aruba wireless controller rebooting. Unfortunately, TAC hasn’t been able to pinpoint the problem from the controller’s logs. They asked us to enable syslogging to troubleshoot the issue further.

We wrongly assumed that this would be simple. Windows 2008 R2 doesn’t support syslog collection as a feature. Finding an open source option was difficult as well. The most common package is:

Kiwi Syslog Server for Windows

Kiwi has a demo period but isn’t free or open source. Its list price is $295.00 at the time of this post.

So, after an unreasonable amount of searching, we settled on nxLog.

nxLog Community Edition

Procedures

  1. Install nxLog on our Windows server that will collect the logs
  2. Configure nxLog
  3. Start nxLog service
  4. Configure Aruba Controller to send syslogs to server

Step 1 is self-explanatory. The distribution is a simple MSI file. Run it and click through the installation.

Step 2: Configuration is done through the nxlog.conf file. On our system, the default installation path was C:\Program Files (x86)\nxlog\conf\

Configuring our options was a little difficult. Most of the documentation is directed towards forwarding the logs on to another server. In our case, we want to collect them. Shown below is our configuration file.

In the Extension block, keep the module set to xm_syslog.

The Input block configures where the logs are coming from. You will want to change the host to the IP address of the server collecting the logs. In our case, we used the IP address of our Windows Server 2008 R2 server. Our Aruba controller is also sending on port 514. You may need to change this depending on the system sending the logs.

The Output block configures where to send the logs. In our case, we are not forwarding them on; we want to save them to a local hard drive. We configured a folder called ArubaSysLogs on Drive E. The rest of the block checks whether the file is greater than 15MB. Once the file exceeds that size, it renames the file and starts logging into a new file.

The final Route block simply takes messages from the input and sends them to the output.
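The configuration file itself is missing from this copy of the post. The nxlog.conf below is an added example built from the description above, not the author's file; the listener IP 192.0.2.10, the use of UDP (im_udp), the instance names in/out, and the aruba.log / aruba_<timestamp>.log file names are assumptions.

```conf
# Added example, not the author's file. Values marked "assumed" are placeholders.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Extension block: keep xm_syslog so parse_syslog() is available.
<Extension syslog>
    Module  xm_syslog
</Extension>

# Input block: listen on the collector's own address for the controller's syslog.
<Input in>
    Module  im_udp
    # Assumed: replace with the IP address of the collecting Windows server.
    Host    192.0.2.10
    # Port the controller sends on.
    Port    514
    Exec    parse_syslog();
</Input>

# Output block: write to a local file and rotate once it passes 15MB.
# The E:\ArubaSysLogs folder must already exist.
<Output out>
    Module  om_file
    # Assumed file name inside the folder named in the post.
    File    "E:\\ArubaSysLogs\\aruba.log"
    Exec    if out->file_size() > 15M \
            { \
                $newfile = "E:\\ArubaSysLogs\\aruba_" + strftime(now(), "%Y%m%d%H%M%S") + ".log"; \
                out->rotate_to($newfile); \
            }
</Output>

# Route block: connect the input to the output.
<Route 1>
    Path    in => out
</Route>
```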

Step 3: Go to your services and start the nxlog service. Note that if you make changes to your nxlog.conf file, you will need to restart the nxlog service.

Step 4: Configure the Aruba controller to send logs to our server.

On the controller, replace x with your server IP in the commands shown below.

Keep in mind that the above example does not delete old logs. You will need to manually cull old logs. You will need to reference the file_remove function.

nxLog Reference Manual
