Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

Created On 09/26/18 21:04 PM - Last Modified 04/20/20 23:38 PM



This document describes how to configure User-ID Agent to get User-IP mapping from the Cisco Wireless controller.



Shown below is a typical example of a syslog from the wireless controller. The bolded fields is the information that will be extracted from the syslog for a successful User-IP mapping when connecting from the Cisco Wireless controller.

9    28.211036    Syslog    425    LOCAL7.DEBUG: community=Test_Syslog, enterprise=, uptime=384972600, agent_ip=, version=Ver2, cldcClientMacAddress.0=+;\273t\260\313, cLApName.0=ap-gl-01, cldcApMacAddress.0="Hex String=40 F4 EC 12 3A 40",, cldcClientIPAddress.0=,,


The screenshot below explains how to parse this information and extract the needed details. A Field Identifier is being used instead of Regex



Some versions of Cisco WLC might be sending a slightly different syslog message than the one mentioned above. If your Cisco WLC syslog format looks like the one pasted below (specifically note the highlighted string that holds the IP address of the user) then a different string needs to be configured for the “Address Prefix” value.


07-29-2016      11:32:34        Local7.Debug      community=PA_TEST31, enterprise=, uptime=1163840600, agent_ip=, version=Ver2,"Hex String=44 00 10 2D CC 2D",,,,,\user.name1,


Use the string in the “Address Prefix” field. See below screenshot for details.


Note that trailing spaces can cause problems in parsing the syslog message. When pasting the text into the “Syslog Parse Profile” window, make sure to delete all spaces at the end of the string.  






Note:  Make sure the Syslog listener is on the interface that is expected to reach the device. Cisco WLC native Syslog messages do not contain authentication information, so User-ID mappings cannot be derived from them. Cisco WLC generates SNMP Traps that do contain this information. The SNMP Trap must be converted into a Syslog message. To achieve this, please follow document: Cisco WLC - Palo Alto Networks config guide.pdf


owner: smalayappan

  • Print
  • Copy Link

Choose Language