John,

A long time ago, I used the Splunk Universal Forwarder to export logs from a
Windows server to my syslog server.  I am not sure if it is still possible,
but it was always free to do and worked well.  I haven't touched it in 4
years since I stopped collecting Windows logs, so I am unsure if that is
still a possible solution.  Anyway, it might be worth looking into.




*--Jeremy L. Gibbs*
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Mar 3, 2016 at 4:16 PM, John York <yo...@brcc.edu> wrote:

> Ah, one of my problems was that I didn’t have accounting properly
> configured on the Windows NPS box.  It only logs to SQL or a text file tho,
> no syslog (at least without a 3rd party client.)  Perhaps I could
> schedule a task with PowerShell…
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Dennis Xu
> *Sent:* Thursday, March 3, 2016 3:49 PM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
>
>
> It depends on what Radius logs you are looking at. In Radius
> authentication logs, yes, the CallingStationID field contains the client MAC
> address (because the WLC does not know the client's IP address at this stage). But
> if you look at Radius accounting logs, you should see client IP addresses
> in CallingStationID. We search in accounting logs because those give us the
> session start and stop times.
>
>
>
>
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services(CCS)
> University of Guelph
>
>
>
> 519-824-4120 Ext 56217
> d...@uoguelph.ca
> www.uoguelph.ca/ccs
>
>
> ------------------------------
>
> *From: *"John York" <yo...@brcc.edu>
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Sent: *Thursday, March 3, 2016 3:28:42 PM
> *Subject: *Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
>
>
> I have the stuff in a SIEM, but not correlated ;-(
>
>
>
> My Windows NPS logs have the IP of the WLC in the ClientIPAddress field.
> Rats.  Client MAC is in CallingStationID, though.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Dennis Xu
> *Sent:* Thursday, March 3, 2016 3:04 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
>
>
> We have a similar process here. But I think once you get the inside IP
> and time, you can look up the username from the Radius auth logs (skip the
> DHCP lookup).
>
>
>
> We are currently implementing a SIEM. We hope by dumping logs to the SIEM from all
> systems, we can just do a simple lookup from the SIEM.
>
>
>
>
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services(CCS)
> University of Guelph
>
>
>
> 519-824-4120 Ext 56217
> d...@uoguelph.ca
> www.uoguelph.ca/ccs
>
>
> ------------------------------
>
> *From: *"John York" <yo...@brcc.edu>
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Sent: *Thursday, March 3, 2016 2:53:57 PM
> *Subject: *Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
>
>
> We have Win NPS running Radius.  It takes several lookups to get what I
> want and I was hoping to shorten the process.  A typical one goes like this:
>
>
>
> Receive:  outside IP, port, and time
>
> Lookup in firewall NAT logs
>
> Output:  inside IP, time
>
> Lookup IP in DHCP logs
>
> Output:   MAC address, time
>
> Lookup MAC in NPS logs
>
> Output:  username
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Dennis Xu
> *Sent:* Thursday, March 3, 2016 12:08 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
>
>
> Hi John,
>
>
>
> You are right that WLCs do not log authentication sessions in syslog. Do
> you have Radius servers to authenticate wireless users? Radius server is
> the better place to collect authentication logs.
>
>
>
> Regards,
>
>
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services(CCS)
> University of Guelph
>
>
>
> 519-824-4120 Ext 56217
> d...@uoguelph.ca
> www.uoguelph.ca/ccs
>
>
> ------------------------------
>
> *From: *"John York" <yo...@brcc.edu>
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Sent: *Thursday, March 3, 2016 11:29:56 AM
> *Subject: *[WIRELESS-LAN] WLC 5508 logging authentications
>
>
>
> Hi
>
> We have one 5508 (soon to be a failover pair) and don’t run PI. Our users
> connect either through 802.1x or an open SSID with a webauth portal from
> the 5508.  I need to be able to log authentications so I can track down
> users who have annoyed DMCA or our security department.  I’m finding that
> 5508 syslog outputs a huge amount of stuff, but doesn’t include successful
> authentications.  I’ve found some posts that indicate that info is only
> available through SNMP traps, but I haven’t been able to find the OIDs.
> Has anyone been able to log auths without using PI?
>
> Thanks
>
> John
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>
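
The NAT, DHCP and NPS lookup chain described in the quoted thread, written out as an added example that is not part of any poster's message. The record layouts and sample values are constructed assumptions; real firewall, DHCP and NPS exports need their own parsers.

```python
from datetime import datetime as dt

# Constructed sample records (assumed layouts, not taken from the thread).
NAT = [  # (outside_ip, outside_port, inside_ip, start, end)
    ("203.0.113.10", 40001, "10.20.0.15", dt(2016, 3, 3, 9, 0), dt(2016, 3, 3, 9, 5)),
    ("203.0.113.10", 40001, "10.20.0.77", dt(2016, 3, 3, 14, 0), dt(2016, 3, 3, 14, 2)),
    ("203.0.113.10", 40002, "10.20.0.15", dt(2016, 3, 3, 13, 0), dt(2016, 3, 3, 13, 5)),
]
DHCP = [  # (inside_ip, mac, lease_start, lease_end)
    ("10.20.0.15", "aa:bb:cc:00:11:22", dt(2016, 3, 3, 8, 0), dt(2016, 3, 3, 12, 0)),
    ("10.20.0.15", "aa:bb:cc:99:88:77", dt(2016, 3, 3, 12, 30), dt(2016, 3, 3, 18, 0)),
    ("10.20.0.77", "aa:bb:cc:33:44:55", dt(2016, 3, 3, 13, 0), dt(2016, 3, 3, 17, 0)),
]
NPS = [  # (time, CallingStationID, username)
    (dt(2016, 3, 3, 8, 0), "AA-BB-CC-00-11-22", "alice"),
    (dt(2016, 3, 3, 12, 30), "AA-BB-CC-99-88-77", "bob"),
    (dt(2016, 3, 3, 13, 0), "AABB.CC33.4455", "carol"),
]

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def attribute(outside_ip, port, when):
    """Follow NAT -> DHCP -> NPS for one report; return (username, trail)."""
    trail = {}
    # Step 1: the NAT translation active for this outside IP/port at that time.
    inside = [n[2] for n in NAT if n[:2] == (outside_ip, port) and n[3] <= when <= n[4]]
    if len(inside) != 1:
        return None, trail  # no translation, or ambiguous: do not guess
    trail["inside_ip"] = inside[0]
    # Step 2: the DHCP lease covering that time (the same IP may be re-leased later).
    macs = [d[1] for d in DHCP if d[0] == inside[0] and d[2] <= when <= d[3]]
    if len(macs) != 1:
        return None, trail
    trail["mac"] = norm_mac(macs[0])
    # Step 3: latest NPS authentication by that MAC at or before the event time.
    auths = [a for a in NPS if norm_mac(a[1]) == trail["mac"] and a[0] <= when]
    if not auths:
        return None, trail
    return max(auths, key=lambda a: a[0])[2], trail
```

Matching on time windows at every hop matters because the same outside port and the same inside IP are reused by different clients during the day; the returned trail records how far the chain got when no username is found.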
