AlienVault® USM Anywhere™

Avaya Wireless LAN

When you configure Avaya Wireless LAN to send log data to USM Anywhere, you can use the Avaya Wireless LAN plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
  Device Details
    Vendor: Avaya
    Device Type: Access Point
    Connection Type: Syslog

Integrating Avaya Wireless LAN

Before you configure the Avaya Wireless LAN integration, you must have the IP address of the USM Anywhere Sensor that will receive the syslog messages.

You can send syslog messages to external servers by using either the Avaya CLI or the Avaya Web Management Interface. The following procedures describe both approaches.

Using the Avaya CLI to configure Avaya Wireless LAN to send log data to USM Anywhere

From the syslog configuration context (the prompt reads [MyAP(config-syslog)#]), use the syslog command to enable, disable, or configure the following syslog options:

  • console: Enable or disable the display of syslog messages on the console, and set the level of messages to be displayed. All messages at the specified level and lower will be displayed (lower numeric levels are more serious, so level 7 displays everything and level 0 displays only emergencies).

    syslog console <on|off> level <0-7>

  • disable | off: Disable syslog.

    syslog disable

  • email: Configure email options.

    syslog email <email-from-address> level <0-7> password <email-acct-password> server <smtp-server-address> to-list <recipient-email-addresses> user <email-acct-username>

  • local-file: Set the size and/or severity level. (All messages at the specified severity level and lower will be logged.)

    syslog local-file size <1-500> level <0-7>

  • no: Disable the specified feature.

    syslog no <feature>

  • primary: Set the IP address of the USM Anywhere Sensor as the primary syslog server and/or the severity level of messages to be sent to it.

    syslog primary <USM Anywhere IP> level <0-7>

  • sta-format: Select format of station information in Syslog messages.

    syslog sta-format <format>

  • sta-url-long: Enable or disable station URL logging.

    syslog sta-url-long <enable|disable>

  • tertiary: Set Tertiary Syslog parameters.

    syslog tertiary <tertiary parameters>

  • time-format: Select format of date/time information in syslog messages.

    syslog time-format <format>

Using the Web Management Interface to configure Avaya Wireless LAN to send log data to USM Anywhere

From the System Log window of the Web Management Interface, you can enable or disable syslog, define primary, secondary, and tertiary servers, set up email notifications, and set the level for syslog reporting. The individual parameter settings in the System Log window are the following:

  • Enable Syslog Server: Choose Yes to enable syslog functionality, or choose No to disable this feature.
  • Console Logging: If you enabled syslog, select whether to echo syslog messages to the console as they occur. If you enable console logging, be sure to set the Console Logging level.
  • Local File Size (1-2000 lines): Enter a value in this field to define how many syslog records are retained locally in the internal syslog file. The default value is 2000.
  • Primary Server Address (Hostname or IP) and Port: If you enabled syslog, enter the IP address of the USM Anywhere Sensor. The default port is 514.
  • Secondary/Tertiary Server Address (Hostname or IP) and Port: (Optional) If you enabled syslog, you may enter the hostname or IP address of one or two additional syslog servers to which messages will also be sent.
  • Email Notification: (Optional) The following parameters allow you to send an email to a designated address each time a syslog message is generated. The email will include the text of the syslog message.
    • Email Syslog SMTP Server Address (Hostname or IP) and Port: The hostname or the IP address of the SMTP server to be used for sending the email. Note that this specifies the mail server, not the email recipient. You may also change the port used on the server if you do not wish to use 25, the default SMTP port.
    • Email Syslog SMTP User Name: Specify a user name for logging in to an account on the email server designated with the Email Syslog SMTP Server Address parameter.
    • Email Syslog SMTP User Password: Specify a password for logging in to an account on the email server designated with the Email Syslog SMTP Server Address parameter.
    • Email Syslog SMTP From: Specify the "From" email address to be displayed in the email.
    • Email Syslog SMTP Recipient Addresses: Specify the entire email address of the recipient of the email notification. You may specify additional recipients by separating the email addresses with semicolon (;).
  • Station Formatting: You may select Key/value or leave this at the default value of Standard.
  • Station URL Logging: When enabled, a syslog message is sent for each URL that each station visits. Only HTTP destinations (port 80) are logged, including every URL within a domain; HTTPS destinations (port 443) are not logged, because the URL is carried inside the encrypted session and is not visible to the access point. The following information is included in the syslog message:
    • Date/Time
    • Source Device MAC and IP Address
    • Destination Port
    • Destination Site Address
    • The specific URL

    Station URL Logging is disabled by default.

  • Syslog Levels: Choose your preferred level of syslog reporting from the pull-down list.
    • Console Logging: For messages to be echoed to the console, the default level is Critical and more serious.
    • Local File: The default level is Debugging and more serious.
    • Primary Server: The default level is Debugging and more serious.
    • Secondary/Tertiary Server: The default level is Information and more serious.
    • Email SMTP Server: The default level is Warning and more serious.

When you are finished with your entries, click the Save button.
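The level settings in both procedures above follow standard syslog severity numbering, which is worth checking before you conclude that the plugin is not receiving events: "the specified level and lower" refers to the numeric value, and lower numbers are more serious, so the default primary-server level of Debugging (7) forwards everything while the default email level of Warning (4) forwards only Warning and above. The following Python is an added example written for this page, not code from AlienVault or Avaya. It parses the BSD-syslog <PRI> header (facility * 8 + severity) and reports which of the destinations above would receive a message under the default levels. The sample lines are constructed for illustration and are not real Avaya Wireless LAN output; only their <PRI> headers are standard.

```python
"""Added example: which syslog destinations a message reaches under the Avaya
"level <0-7>" settings ("all messages at the specified level and lower").

Only the <PRI> header is standard BSD syslog (RFC 3164: PRI = facility * 8 + severity).
The message bodies below are constructed for illustration, not real Avaya output.
"""
import re

# RFC 3164 severity values; these are the numbers behind "level <0-7>".
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Information", 7: "Debugging",
}

# Default per-destination levels from the System Log window described above.
DEFAULT_LEVELS = {
    "console": 2,      # Critical and more serious
    "local-file": 7,   # Debugging and more serious (everything)
    "primary": 7,      # USM Anywhere Sensor: Debugging and more serious
    "secondary": 6,    # Information and more serious
    "tertiary": 6,
    "email": 4,        # Warning and more serious
}

# Constructed sample lines (assumption: not real Avaya output). Facility 16 is local0.
SAMPLE_MESSAGES = [
    "<130>Jan 10 12:00:01 MyAP iap1: radio down",                       # Critical (2)
    "<132>Jan 10 12:00:02 MyAP sta 00:11:22:33:44:55 deauthenticated",  # Warning (4)
    "<134>Jan 10 12:00:03 MyAP sta 00:11:22:33:44:55 assoc ssid Corp",  # Information (6)
    "<135>Jan 10 12:00:04 MyAP beacon timer tick",                      # Debugging (7)
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(message):
    """Return (facility, severity, remainder) for a BSD-syslog line.

    Raises ValueError if the <PRI> header is missing or out of range, which is
    the first thing to check when the Sensor shows no events from the AP.
    """
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("no <PRI> header at start of message: %r" % message[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    return pri // 8, pri % 8, m.group(2)


def passes_level(message, level):
    """True if a destination configured with 'level <level>' would receive message.

    Lower severity numbers are MORE serious, so level 7 forwards everything and
    level 0 forwards only emergencies.
    """
    if not 0 <= level <= 7:
        raise ValueError("level must be 0-7")
    _, severity, _ = parse_pri(message)
    return severity <= level


def filter_for_level(messages, level):
    """Messages a single destination with the given level would receive."""
    return [m for m in messages if passes_level(m, level)]


def destinations_for(message, levels=DEFAULT_LEVELS):
    """Sorted names of the destinations whose level threshold this message meets."""
    _, severity, _ = parse_pri(message)
    return sorted(name for name, lvl in levels.items() if severity <= lvl)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        _, severity, _ = parse_pri(msg)
        print("%-11s -> %s" % (SEVERITY_NAMES[severity], ", ".join(destinations_for(msg))))
```

If you lower the primary-server level from its Debugging default to reduce noise, the Debugging-level station and beacon chatter stops reaching USM Anywhere, but so does anything else the access point classifies at that level; run the sample through `destinations_for` with your intended levels before changing the setting on the access point.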

Plugin Enablement

For plugin enablement information, see Manual Integration Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

    • audit_reason
    • customfield_0
    • customheader_0
    • event_description
    • event_name
    • event_severity
    • rep_device_model
    • short_message
    • source_address
    • source_address_6
    • source_fqdn
    • source_hostname
    • source_mac
    • source_username
    • wireless_ssid

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.