Cisco Aironet Integration for Elastic

The Cisco Aironet integration for Elastic enables you to collect and analyze logs from Cisco Wireless LAN Controllers (WLC). This allows you to centralize the monitoring of wireless network activities, providing deep visibility into the health and security of your wireless infrastructure. By ingesting system messages, you can track client events, hardware status, and security alerts within the Elastic Stack.

This integration is compatible with the following third-party vendor versions:

• Cisco Aironet Wireless LAN Controllers (WLC) running AireOS firmware.
• Supported hardware including the Cisco 2504, 3504, 5508, 5520, and 8540 series controllers.

This integration is compatible with Elastic Stack version 8.11.0 or later.

This integration collects logs from Cisco Aironet devices by receiving syslog data over the network or by reading directly from log files. You can deploy an Elastic Agent on a host and configure it as a syslog receiver using the udp or tcp input, or point it to a specific log file using the logfile input. Once configured, the agent forwards the system messages, authentication events, and network status updates to your Elastic deployment, where they are mapped to the Elastic Common Schema (ECS) for analysis.

The Cisco Aironet integration collects log messages of the following types:

• System messages: These include process status, hardware alerts, and system-level events generated by the Wireless LAN Controller (WLC) software.
• Network events: These logs relate to wireless protocol transitions, interface status changes, and DHCP or Spanning Tree Protocol (STP) events.
• Security logs: These records cover authentication events for RADIUS and TACACS+, unauthorized access attempts, and configuration audit trails.

The integration provides the log data stream to capture these events. Depending on how you configure the input, it collects data in the following ways:

• UDP or TCP input: Collects Cisco Aironet logs sent over the network.
• Logfile input: Collects logs from a file when they're written to a local disk or a shared mount point.

All collected logs are mapped to the Elastic Common Schema (ECS), supporting standard Cisco system message formats received using Syslog (RFC 3164/5424) or read directly from local log files.

Integrating Cisco Aironet logs with Elastic provides visibility into your wireless network infrastructure. You can use this integration for the following:

• Security monitoring: You'll be able to track authentication successes and failures to identify potential unauthorized access attempts or credential issues.
• Network troubleshooting: You can monitor interface status changes and protocol transitions to diagnose connectivity problems or hardware alerts.
• Audit and compliance: You can maintain a searchable history of configuration changes and system events to meet regulatory requirements and internal audit needs.
• Operational visibility: You'll gain insights into the health of your WLC software and hardware components through system-level event tracking.

To use this integration, you need the following from your Cisco Wireless LAN Controller (WLC) environment:

• High-level administrative credentials (GUI) or Enable-level access (CLI) on the Cisco WLC.
• Network connectivity that permits traffic from the WLC IP addresses to the Elastic Agent host on the configured port (default is 9009) using TCP or UDP.
• Software licenses on the WLC that support remote syslog forwarding.
• NTP configured on the Cisco WLC to ensure timestamps in logs are accurate and align with your Elastic Stack environment.

You also need the following Elastic Stack components:

• Elastic Stack version 8.11.0 or later.
• An Elastic Agent installed on a host reachable by the Cisco WLC and successfully enrolled in Fleet.
• An Elastic Agent policy that includes the Cisco Aironet integration.
• The target port (for example, 9009) open on the host running the Elastic Agent and not currently bound by another service.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed using the integration's ingest pipelines.

You can configure your Cisco Aironet Wireless LAN Controller (WLC) to send logs to the Elastic Agent host using either the web interface or the command line.

Follow these steps to configure syslog using the Cisco WLC web administration interface:

1. Log in to the Cisco WLC web administration interface.
2. Navigate to Management > Logs > Config.
3. In the Syslog Servers section, locate the next available slot (up to 3 servers can be configured).
4. Enter the Syslog Server IP Address. This is the IP address of the host where the Elastic Agent is installed.
5. Click Add.
6. Configure the Syslog Level (Severity) from the drop-down menu. It's recommended to select Informational (Level 6) for production monitoring.
7. Configure the Syslog Facility from the drop-down menu. The default is Syslog (Facility level 5).
8. Click Apply in the top right corner to save the active configuration.
9. To ensure the settings persist after a reboot, click Save Configuration at the top of the page.

Follow these steps to configure syslog using the command line interface:

1. Connect to the WLC using SSH or Console.

2. Enter the command to add the Elastic Agent as a syslog host (up to 3 servers can be configured): config logging syslog host <Elastic_Agent_IP> (replace with your actual value)

3. Set the desired severity level (only messages with severity equal to or less than this level will be sent): config logging syslog level <severity_level>

4. (Optional) Configure the syslog facility if required for filtering: config logging syslog facility <facility_code>

5. Save the configuration to ensure settings persist after a reboot: save config

For more information on configuring syslog on Cisco devices, refer to the following documentation:

• Configure Syslog Server on Wireless LAN Controllers - Cisco

To set up the integration in Kibana, follow these steps:

1. In Kibana, navigate to Management > Integrations.
2. Search for Cisco Aironet and click Add Cisco Aironet.
3. Follow the prompts to add the integration to an Elastic Agent policy.
4. Configure the available input types based on your vendor setup.

Choose the setup instructions below that match your configuration. The input type should correspond to how you configured your Cisco Aironet to send logs in the vendor setup steps above.

Use this input if you configured your WLC to send logs over a TCP socket. You can configure the following settings:

Use this input if you configured your WLC to send logs over a UDP socket. You can configure the following settings:

Use this input to collect logs directly from log files on the host where the Elastic Agent is running. You can configure the following settings:

After configuring the inputs, click Save and continue to deploy the configuration to the Elastic Agent.

To verify that the integration is working properly and data is flowing into Elasticsearch, follow these steps.

First, trigger data flow on the Cisco Aironet device by performing one of the following actions:

• Authentication event: Attempt to log into the WLC web interface or CLI with an incorrect password, then log in successfully to generate authentication logs.
• Configuration event: Enter configuration mode in the CLI (config t) and then exit (exit) to trigger a configuration audit event.
• Interface/AP event: Power cycle an Access Point or toggle a test interface status using the shutdown and no shutdown commands to trigger join or disassociation messages.

Next, check for data in Kibana:

1. Navigate to Analytics > Discover.
2. Select the logs-* data view.
3. Enter the KQL filter: data_stream.dataset : "cisco_aironet.log"
4. Verify that logs appear in the results. Expand a log entry and confirm these fields are populated:
   • event.dataset (should be cisco_aironet.log)
   • event.action or log.syslog.priority
   • message (the raw log payload)
5. Navigate to Analytics > Dashboards and search for "Cisco Aironet" to view pre-built visualizations.

For help with Elastic ingest tools, check Common problems.

The following are common issues you might encounter when configuring the Cisco Aironet integration:

• Port mismatch: Cisco WLCs are frequently hardcoded to send syslog over UDP port 514. If the integration is left at the default 9009, no data is received. Ensure the integration's listen port matches the port the WLC is actually using.
• Firewall blocking: Local host firewalls like iptables or firewalld, or network firewalls, may block UDP traffic on port 514 or 9009. Verify connectivity using tcpdump or nc -u -l 514 on the agent host.
• WLC syslog level: If no logs appear, check that the WLC syslog level is not set too high (for example, to Critical only). Set it to Informational to ensure enough data is generated for verification.
• AP global configuration: If WLC logs arrive but Access Point logs do not, ensure the AP remote syslog host IP is specifically set in the Wireless > Global Configuration section.
• Ingestion parsing failures: If logs are ingested but contain the _grokparsefailure tag, the syslog format from the WLC may be non-standard. Check the event.original field to see if the message matches the expected Cisco format.
• Syslog format mismatches: Cisco WLCs can sometimes include or exclude sequence numbers or timestamps. Ensure the WLC is configured to send standard system messages without excessive custom formatting.
• High volume packet loss: When using UDP, you might experience packet loss during traffic bursts. Ensure the read_buffer in udp_options is appropriately sized (the default is 100MiB).
• High CPU load: Forwarding Debugging (level 7) logs in production can overwhelm the ingest pipeline and increase CPU load on both the source system and the Elastic Agent. Use Informational (level 6) or Warnings (level 4) instead.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

To ensure optimal performance in high-volume environments, you should consider the following settings and configurations:

• Transport and collection considerations: While UDP is faster for syslog transmission, use TCP for environments where delivery guarantees are required. When you use UDP, ensure the read_buffer in udp_options is appropriately sized (default 100MiB) to prevent packet loss during traffic bursts. For TCP, configure max_connections to handle concurrent streams from multiple controllers.
• Data volume management: Configure the Cisco WLC to forward only necessary events by adjusting the syslog level. It's recommended to use Informational (level 6) or Warnings (level 4). Avoid forwarding Debugging (level 7) logs in production as they can overwhelm the ingest pipeline and increase CPU load on both the source system and the Elastic Agent.
• Elastic Agent scaling: For high-throughput environments with thousands of Access Points, deploy multiple Elastic Agents behind a network load balancer to distribute traffic evenly. Place Agents close to the data source to minimize latency and potential packet loss over the network.

This integration uses the following inputs:

These inputs can be used with this integration:

ssl.enabled: true
ssl.certificate: "/path/to/server.crt"
ssl.key: "/path/to/server.key"
ssl.certificate_authorities: ["/path/to/ca.crt"]
ssl.client_authentication: "optional"
		

The log data stream provides events from Cisco Aironet Wireless LAN Controllers (WLC) of the following types: system messages, association logs, and security events.

{
    "@timestamp": "2024-08-20T11:25:50.157Z",
    "agent": {
        "ephemeral_id": "c47efe0f-c0e2-444b-b292-a9ec40271d4b",
        "id": "0335de7e-b2c1-4352-bf23-c023d21c1252",
        "name": "elastic-agent-54493",
        "type": "filebeat",
        "version": "8.15.3"
    },
    "cisco": {
        "interface": {
            "type": "wired"
        }
    },
    "client": {
        "ip": "fe80::aee2:d3ff:feba:56a4"
    },
    "data_stream": {
        "dataset": "cisco_aironet.log",
        "namespace": "59495",
        "type": "logs"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "0335de7e-b2c1-4352-bf23-c023d21c1252",
        "snapshot": false,
        "version": "8.15.3"
    },
    "event": {
        "action": "ENTRY_DELETED",
        "agent_id_status": "verified",
        "dataset": "cisco_aironet.log",
        "ingested": "2024-11-04T21:04:12Z",
        "original": "<134>WLC001: *SISF BT Process: Aug 20 11:25:50.157: %SISF-6-ENTRY_DELETED: sisf_shim_utils.c:482 Entry deleted A=fe80::aee2:d3ff:feba:56a4 V=0 I=wired:1 P=0000 M=",
        "provider": "SISF",
        "severity": 6,
        "timezone": "+00:00"
    },
    "host": {
        "name": "WLC001"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "level": "informational",
        "source": {
            "address": "172.29.0.3:33867"
        },
        "syslog": {
            "facility": {
                "code": 16
            },
            "priority": 134,
            "severity": {
                "code": 6
            }
        }
    },
    "message": "Entry deleted A=fe80::aee2:d3ff:feba:56a4 V=0 I=wired:1 P=0000 M=",
    "process": {
        "name": "SISF BT Process"
    },
    "tags": [
        "preserve_original_event",
        "cisco-aironet",
        "forwarded"
    ]
}
		

You can find more information about Cisco Aironet system messages and error codes in the following vendor resources:

• Cisco WLC System Message Guides
• Configure Syslog Server on Wireless LAN Controllers - Cisco