
GeertB
Follower
Jun 13, 2025
Status:
New Idea

Syslog WAX(618) - empty hostname field causes issues

I noticed when sending syslog from the WAXs to our syslog server (in this case a Wazuh SIEM installation) that there are some issues.

First issue: it's hard to differentiate the syslog coming from the access points from syslog coming from other devices if there's no name in the logs.

And second, the predecoding in this syslog server now interprets the program name (app name) as the hostname, and as there are many processes running on the device, this 'pollutes' the hostname field in the OpenSearch database with lots of processes (non-existent hosts).

There have been other reports of other syslog-sending devices causing issues with this syslog decoder, so the issue is not Netgear-exclusive (and I have been able to find a common regex to differentiate), but it seems that adding a name in the logs would not be so hard to do, and it would probably fix both issues and it would be convenient. (Our M4300 stack does have a hostname in the logs and I think it's a good thing to be consistent.)

While this field can be left empty according to the standard, it also says that an empty value is very unlikely (RFC5424).

https://www.rfc-editor.org/rfc/rfc3164#section-5.2

https://www.rfc-editor.org/rfc/rfc5424#section-6.2.4

 

Maybe include the 'location' name which is shown in Insight as the hostname?
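
The misparse described in this post, and one way a collector can avoid it, as an added example that is not part of the original thread: when the token right after the RFC 3164 timestamp ends in `:` it is the TAG, so the parser records the sender's IP address as the host instead of promoting the process name. The sample lines, process names and the `core-stack-1` hostname are constructed for illustration, and `sender_ip` is assumed to be supplied by the receiver from the packet's source address.

```python
import re

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)
# A TAG is a short process name, optionally followed by [pid], ending in ':'.
TAG = re.compile(r"^(?P<tag>[\w./-]{1,32})(?:\[(?P<pid>\d+)\])?:$")


def parse(line, sender_ip):
    """Parse one RFC 3164 line; use sender_ip when HOSTNAME is absent."""
    m = HEADER.match(line)
    if not m:
        return None
    first, _, remainder = m.group("rest").partition(" ")
    t = TAG.match(first)
    if t:
        # Token right after the timestamp ends in ':' so it is the TAG:
        # the device sent no HOSTNAME. Do not promote it to a host.
        host, hostname_missing, msg = sender_ip, True, remainder
    else:
        host, hostname_missing = first, False
        second, _, msg = remainder.partition(" ")
        t = TAG.match(second)
        if not t:  # no recognizable TAG; keep everything as the message
            msg = remainder
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
        "host": host, "hostname_missing": hostname_missing,
        "program": t.group("tag") if t else None,
        "pid": int(t.group("pid")) if t and t.group("pid") else None,
        "message": msg,
    }


# Constructed sample lines (not captured from a real device).
SAMPLES = [
    ("192.0.2.10", "<30>Jun 13 09:15:02 hostapd: wlan0: STA associated"),
    ("192.0.2.10", "<29>Jun 13 09:15:03 dnsmasq[1423]: started, cache size 150"),
    ("192.0.2.20", "<189>Jun 13 09:15:04 core-stack-1 TRAPMGR[5012]: Link Up: 1/0/1"),
]


def parse_all():
    return [parse(line, ip) for ip, line in SAMPLES]
```

The `hostname_missing` flag lets the SIEM side count or alert on devices that omit the field rather than silently indexing process names as hosts.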

8 Comments

  • schumaku
    Guru - Experienced User

    The Insight Location Name and the Insight Device Name are two different things. If any, it should be the Device Name as configured per device on Insight.

    In our large scale projects, we prefer having unique FQDNs for every device in the network, including the mapping to the DNS infrastructure. Big pure hostname or the location name are much too small entities.

    • GeertB
      Follower

      I agree and I could live with that, but I compare this to our M4300 stack, in all the logs there's only 1 hostname for the whole stack. I don't get logs from the individual switches.

      As the WAX device names are also configurable and set and visible in Insight, it would actually be better to see these names in the logs as it would make it even clearer where a connection/disconnection or error originates.

  • schumaku
    Guru - Experienced User

    Explained back and forth before, the possible options (and potential drawback where you can no longer use just the IP address or just the unqualified hostname - making the use of the full FQDN mandatory) have been described -> https://community.netgear.com/discussions/business-wireless-for-business/wax610-how-to-send-hostname-with-syslog/2227670/replies/2227715

    • GeertB
      Follower

      Hmm, so it is possible to get the FQDN in the logs, but it is cumbersome...

       

      That's interesting. It's not the info our supplier got from their Netgear contact... they said to raise a feature request here.

      • schumaku
        Guru - Experienced User

        What is certainly coming from the WAX6xx or WAC5xx with the syslog messages is - always - the IP address on the LAN.

        Cumbersome is that once you define the FQDN, the AP does require either using the FQDN (https:// hostname.domain.....) for accessing the local WebUI - unless you are using Netgear Insight. It's apparently a port of some (unknown to me) design, probably inherited from the open source platform these APs are built on.

        In case the hostname field should be really empty as part of the AP-generated syslog message (read neither an IP address nor a FQDN if configured) on the WAX618 there might possibly be a bug - the LAN IP address is certainly provided, pure hostname isn't an option as it's poorly identifying the specific device IMHO.

        Don't own one of these 618, so not fancy buying such APs for reproducing some uncertain issues.

        Just yet another Community Member here, but having designed, implemented, and deployed large scale data collectors for various multi vendor systems long time before syslog became some de-facto standard, where we had started 45 years ago already. Mind you, there are many other platforms which are not U**x based, so no syslog ...

         

        Sorry,

        -Kurt.