Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Cisco Wireless LAN Controllers

 

The Cisco Wireless LAN Controllers DSM for JSAcollects events that are forwarded from Cisco Wireless LAN Controller devices by using syslog or SNMPv2.

This section includes the following topics:

Before You Begin

If you collect events from Cisco Wireless LAN Controllers, select the best collection method for your configuration. The Cisco Wireless LAN Controller DSM for JSA supports both syslog and SNMPv2 events. However, syslog provides all available Cisco Wireless LAN Controller events, whereas SNMPv2 sends only a limited set of security events to JSA.

Configuring Syslog for Cisco Wireless LAN Controller

You can configure the Cisco Wireless LAN Controller to forward syslog events to JSA.

  1. Log in to your Cisco Wireless LAN Controller interface.
  2. Click the Management tab.
  3. From the menu, select Logs >Config.
  4. In the Syslog Server IP Address field, type the IP address of your JSA console.
  5. Click Add.
  6. From the Syslog Level list, select a logging level.

    The Information logging level allows the collection of all Cisco Wireless LAN Controller events above the Debug logging level.

  7. From the Syslog Facility list, select a facility level.
  8. Click Apply.
  9. Click Save Configuration.

You are now ready to configure a syslog log source for Cisco Wireless LAN Controller.

Configuring a Syslog Log Source in JSA

JSA does not automatically discover incoming syslog events from Cisco Wireless LAN Controllers. You must create a log source for each Cisco Wireless LAN Controller that provides syslog events to JSA.

To configure a log source in JSA, take the following steps:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Cisco Wireless LAN Controllers.
  9. Using the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 1: Syslog Protocol Parameters

    Parameter

    Description

    Log Source Identifier

    Type the IP address or host name for the log source as an identifier for events from your Cisco Wireless LAN Controller.

    Enabled

    Select the Enabled check box to enable the log source. By default, the check box is selected.

    Credibility

    From the list, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

    Target Event Collector

    From the list, select the Target Event Collector to use as the target for the log source.

    Coalescing Events

    Select this check box to enable the log source to coalesce (bundle) events.

    Automatically discovered log sources use the default value that is configured in the Coalescing Events drop-down list in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source that you can override the default value by configuring this check box for each log source. For more information on settings, see the Juniper Secure Analytics Administration Guide.

    Incoming Event Payload

    From the list, select the incoming payload encoder for parsing and storing the logs.

    Store Event Payload

    Select this check box to enable or disable JSA from storing the event payload.

    Automatically discovered log sources use the default value from the Store Event Payload drop-down list in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source that you can override the default value by configuring this check box for each log source.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The configuration is complete.

Configuring SNMPv2 for Cisco Wireless LAN Controller

SNMP event collection for Cisco Wireless LAN Controllers allows the capture of events for JSA

The following events are collected:

  • SNMP Config Event

  • bsn Authentication Errors

  • LWAPP Key Decryption Errors

  1. Log in to your Cisco Wireless LAN Controller interface.
  2. Click the Management tab.
  3. From the menu, select SNMP >Communities.

    You can use the one of the default communities that are created or create a new community.

  4. Click New.
  5. In the Community Name field, type the name of the community for your device.
  6. In the IP Address field, type the IP address of JSA.

    The IP address and IP mask that you specify is the address from which your Cisco Wireless LAN Controller accepts SNMP requests. You can treat these values as an access list for SNMP requests.

  7. In the IP Mask field, type a subnet mask.
  8. From the Access Mode list, select Read Only or Read/Write.
  9. From the Status list, select Enable.
  10. Click Save Configuration to save your changes.

You are now ready to create a SNMPv2 trap receiver.

Configuring a Trap Receiver for Cisco Wireless LAN Controller

Trap receivers that are configured on Cisco Wireless LAN Controllers define where the device can send SNMP trap messages.

To configure a trap receiver on your Cisco Wireless LAN Controller, take the following steps:

  1. Click the Management tab.
  2. From the menu, select SNMP >Trap Receivers.
  3. In the Trap Receiver Name field, type a name for your trap receiver.
  4. In the IP Address field, type the IP address of JSA.

    The IP address you specify is the address to which your Cisco Wireless LAN Controller sends SNMP messages. If you plan to configure this log source on an Event Collector, you want to specify the Event Collector appliance IP address.

  5. From the Status list, select Enable.
  6. Click Apply to commit your changes.
  7. Click Save Configuration to save your settings.

You are now ready to create a SNMPv2 log source in JSA.

Configuring a Log Source for the Cisco Wireless LAN Controller That Uses SNMPv2

JSA does not automatically discover and create log sources for SNMP event data from Cisco Wireless LAN Controllers. You must create a log source for each Cisco Wireless LAN Controller providing SNMPv2 events.

Take the following steps to create a log source for your Cisco Wireless LAN Controller:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Cisco Wireless LAN Controllers.
  9. Using the Protocol Configuration list, select SNMPv2.
  10. Configure the following values:

    Table 2: SNMPv2 Protocol Parameters

    Parameter

    Description

    Log Source Identifier

    Type the IP address or host name for the log source as an identifier for events from your Cisco Wireless LAN Controller.

    Community

    Type the SNMP community name that is needed to access the system that contains the SNMP events. The default is Public.

    Include OIDs in Event Payload

    Select the Include OIDs in Event Payload check box.

    This option allows the SNMP event payload to be constructed by using name-value pairs instead of the standard event payload format. OIDs in the event payload are needed to process SNMPv2 or SNMPv3 events from certain DSMs.

    Enabled

    Select the Enabled check box to enable the log source. By default, the check box is selected.

    Credibility

    From the list, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

    Target Event Collector

    From the list, select the Target Event Collector to use as the target for the log source.

    Coalescing Events

    Select this check box to enable the log source to coalesce (bundle) events.

    Automatically discovered log sources use the default value that is configured in the Coalescing Events drop-down in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information on settings, see the Juniper Secure Analytics Administration Guide.

    Store Event Payload

    Select this check box to enable or disable JSA from storing the event payload.

    Automatically discovered log sources use the default value from the Store Event Payload drop-down in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The configuration is complete. Events that are forwarded to by Cisco Wireless LAN Controller are displayed on the Log Activity tab of JSA.