2 Replies Latest reply on Feb 18, 2013 9:04 AM by gabriel_86

    Parser problem on Cisco Aironet 1140


      Hi All,

      I'm noticing a problem when try to add two Cisco Aironet 1140 (Access Point series) to the McAfee Receiver.

      Sniffing with tcpdump on the receiver the logs arrives right (routed from the appliance by syslog). I understand that are from the two Aironet, and the facility was setted up like local7 (informational, debug, warning, alert ecc). Unfortunately the parser can't process them correctly. I've tried this options like log format:


      - Catalyst OS

      - IOS (ASP)

      - Wireless Control System

      - IronPort Web Security Appliance

      and at last

      - Secure ACS


      I'm a little bit confused,

      Thanks for any help,


        • 1. Re: Parser problem on Cisco Aironet 1140



          did you use the Auto Learn feature? Maybe that function will help you to know what parser should you use for that datasources... Remember, that on the bottom of Auto Learn window is the "Show Packet" button, which can help you to see the example of particular device's event.



          Artur Sadownik

          • 2. Re: Parser problem on Cisco Aironet 1140

            Hi Artur,

            First of all thanks for the reply!

            Today, thanks to a batch, that run on early morning, the WiFi password of the two AP was reconfigured. The SIEM catched it and showed this type of change in the dashboard. So the "Catalyst OS" parser was a great choice. It's strange that unless i've choosen to rotate the local7 log, only this evidence was showed. I'll look in to this shortly.

            Thanks a lot,