
IP Address Format

I need a solution for formatting an IP Address or MAC Address.  I see that some records correctly format the IP address or the MAC address, but I need one record returned with the correctly formatted IP address and MAC address so that I can identify Internet traffic from a device.  Is there a solution for getting these items formatted?

  • karenm​,

    If you are talking about devices logging to syslog, the IP addresses are always formatted the same way and are available in a script variable to capture, modify or log.

    If you are referring to source/destination IPs from say a firewall log, then solarwinds/kiwi has no control over how those logs are sent from the host, but the logs can be parsed out in a rule via scripting and then the message can be modified before logging/displaying. The script parsing would be different for every type of device you have, but if you're running all ASAs for example, one parsing script could likely handle them all.

    If you can post some example logs, I might be able to help you with some scripting, but no promises on a time frame, I'm stretched for free time lately.

  • Hello Aforsythe,

    I am so glad to receive a reply. I’ve been trying to work on this in between juggling many projects. I am only working with the Kiwi Syslog Server logs and not firewall logs. And we are logging for any device connecting to wireless: Android, iPhone, Windows, etc.

    I have filtered for the enterprise=1.3.6.1.4.1.9.9.599.0.8, enterprise_mib_name=ciscoLwappDot11ClientSessionTrap

    This is the information that I need in order to identify Internet traffic for a device. I need the device IP address and the device MAC address. I like to also see the AP collecting the data and which WLAN is in use and the ciscoLwappDot11ClientSessionTrap mib includes all this data, but the IP Address is not formatted correctly.

    Note that the IP Address is not logging the correct format. Note also that sometimes it does, but most times it does not. How can I consistently capture the IP Address in the correct format?

    Thank you so very much for your help,

    Karen

    SyslogCatchAll_KIWI-2019-03-06.txt

    2019-03-06 07:46:41 Auth.Debug 172.30.1.44 community=2504SNMPLogs, enterprise=1.3.6.1.4.1.9.9.599.0.8, enterprise_mib_name=ciscoLwappDot11ClientSessionTrap, uptime=359298400, agent_ip=172.30.1.44, version=Ver2,

    1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, cLApDot11IfSlotId.0=1,

    1.3.6.1.4.1.9.9.513.1.1.1.1.5.32.76.158.234.79.176=RT13-Office-AP2, cLApName.32.76.158.234.79.176=RT13-Office-AP2,

    1.3.6.1.4.1.9.9.599.1.3.2.1.2.0=1, cldcClientByIpAddressType.0=1,

    1.3.6.1.4.1.9.9.599.1.3.2.1.3.0=ª<030><001>G, cldcClientByIpAddress.0=ª<030><001>G, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.140.69.0.171.27.33=, cldcClientUsername.140.69.0.171.27.33=, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.140.69.0.171.27.33=JMMurrayRT13, cldcClientSSID.140.69.0.171.27.33=JMMurrayRT13, 1.3.6.1.4.1.9.9.599.1.3.1.1.38.140.69.0.171.27.33=5c7fc131/8c:45:00:ab:1b:21/7408, cldcClientSessionID.140.69.0.171.27.33=5c7fc131/8c:45:00:ab:1b:21/7408,
    1.3.6.1.4.1.9.9.599.1.3.1.1.8.140.69.0.171.27.33=20:4C:9E:EA:4F:B0, cldcApMacAddress.140.69.0.171.27.33=20:4C:9E:EA:4F:B0

    2019-03-06 08:02:20 Auth.Debug 172.30.1.44 community=2504SNMPLogs, enterprise=1.3.6.1.4.1.9.9.599.0.8, enterprise_mib_name=ciscoLwappDot11ClientSessionTrap, uptime=359392300, agent_ip=172.30.1.44, version=Ver2,
    1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=0, cLApDot11IfSlotId.0=0,
    1.3.6.1.4.1.9.9.513.1.1.1.1.5.32.76.158.234.79.176=RT13-Office-AP2, cLApName.32.76.158.234.79.176=RT13-Office-AP2,
    1.3.6.1.4.1.9.9.599.1.3.2.1.2.0=1, cldcClientByIpAddressType.0=1,
    1.3.6.1.4.1.9.9.599.1.3.2.1.3.0=ª<030><001>z, cldcClientByIpAddress.0=ª<030><001>z, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.108.232.92.128.7.162=, cldcClientUsername.108.232.92.128.7.162=, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.108.232.92.128.7.162=JMMurrayRT13, cldcClientSSID.108.232.92.128.7.162=JMMurrayRT13, 1.3.6.1.4.1.9.9.599.1.3.1.1.38.108.232.92.128.7.162=5c7fc4dc/6c:e8:5c:80:07:a2/7418, cldcClientSessionID.108.232.92.128.7.162=5c7fc4dc/6c:e8:5c:80:07:a2/7418, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.108.232.92.128.7.162=20:4C:9E:EA:4F:B0, cldcApMacAddress.108.232.92.128.7.162=20:4C:9E:EA:4F:B0

    2019-03-06 08:02:23 Auth.Debug 172.30.1.44 community=2504SNMPLogs, enterprise=1.3.6.1.4.1.9.9.599.0.8, enterprise_mib_name=ciscoLwappDot11ClientSessionTrap, uptime=359392500, agent_ip=172.30.1.44, version=Ver2,
    1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, cLApDot11IfSlotId.0=1,
    1.3.6.1.4.1.9.9.513.1.1.1.1.5.32.76.158.234.79.176=RT13-Office-AP2, cLApName.32.76.158.234.79.176=RT13-Office-AP2,
    1.3.6.1.4.1.9.9.599.1.3.2.1.2.0=1, cldcClientByIpAddressType.0=1,
    1.3.6.1.4.1.9.9.599.1.3.2.1.3.0=ª<030><001>z, cldcClientByIpAddress.0=ª<030><001>z, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.108.232.92.128.7.162=, cldcClientUsername.108.232.92.128.7.162=, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.108.232.92.128.7.162=JMMurrayRT13, cldcClientSSID.108.232.92.128.7.162=JMMurrayRT13, 1.3.6.1.4.1.9.9.599.1.3.1.1.38.108.232.92.128.7.162=5c7fc4dc/6c:e8:5c:80:07:a2/7418, cldcClientSessionID.108.232.92.128.7.162=5c7fc4dc/6c:e8:5c:80:07:a2/7418, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.108.232.92.128.7.162=20:4C:9E:EA:4F:B0, cldcApMacAddress.108.232.92.128.7.162=20:4C:9E:EA:4F:B0

    Correct IP Address below 10.10.10.23
    2019-03-06 08:24:09 Auth.Debug 172.30.1.44 community=2504SNMPLogs, enterprise=1.3.6.1.4.1.9.9.599.0.8, enterprise_mib_name=ciscoLwappDot11ClientSessionTrap, uptime=359523100, agent_ip=172.30.1.44, version=Ver2,
    1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, cLApDot11IfSlotId.0=1,
    1.3.6.1.4.1.9.9.513.1.1.1.1.5.32.76.158.234.79.176=RT13-Office-AP2, cLApName.32.76.158.234.79.176=RT13-Office-AP2,
    1.3.6.1.4.1.9.9.599.1.3.2.1.2.0=1, cldcClientByIpAddressType.0=1,
    1.3.6.1.4.1.9.9.599.1.3.2.1.3.0=<010><010><010><023>, cldcClientByIpAddress.0=<010><010><010><023>, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.160.78.167.3.159.103=, cldcClientUsername.160.78.167.3.159.103=,
    1.3.6.1.4.1.9.9.599.1.3.1.1.28.160.78.167.3.159.103=JMMurrayGuest, cldcClientSSID.160.78.167.3.159.103=JMMurrayGuest, 1.3.6.1.4.1.9.9.599.1.3.1.1.38.160.78.167.3.159.103=5c7fc8ab/a0:4e:a7:03:9f:67/7423, cldcClientSessionID.160.78.167.3.159.103=5c7fc8ab/a0:4e:a7:03:9f:67/7423, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.160.78.167.3.159.103=20:4C:9E:EA:4F:B0, cldcApMacAddress.160.78.167.3.159.103=20:4C:9E:EA:4F:B0

    2019-03-06 08:38:48 Auth.Debug 172.30.1.44 community=2504SNMPLogs, enterprise=1.3.6.1.4.1.9.9.599.0.8, enterprise_mib_name=ciscoLwappDot11ClientSessionTrap, uptime=359611100, agent_ip=172.30.1.44, version=Ver2, 1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=0, cLApDot11IfSlotId.0=0,
    1.3.6.1.4.1.9.9.513.1.1.1.1.5.32.76.158.234.79.176=RT13-Office-AP2, cLApName.32.76.158.234.79.176=RT13-Office-AP2,
    1.3.6.1.4.1.9.9.599.1.3.2.1.2.0=1, cldcClientByIpAddressType.0=1,
    1.3.6.1.4.1.9.9.599.1.3.2.1.3.0=<010><010><010>c, cldcClientByIpAddress.0=<010><010><010>c, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.212.109.109.96.64.180=, cldcClientUsername.212.109.109.96.64.180=, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.212.109.109.96.64.180=JMMurrayGuest, cldcClientSSID.212.109.109.96.64.180=JMMurrayGuest, 1.3.6.1.4.1.9.9.599.1.3.1.1.38.212.109.109.96.64.180=5c7fcd06/d4:6d:6d:60:40:b4/7433, cldcClientSessionID.212.109.109.96.64.180=5c7fcd06/d4:6d:6d:60:40:b4/7433, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.212.109.109.96.64.180=20:4C:9E:EA:4F:B0, cldcApMacAddress.212.109.109.96.64.180=20:4C:9E:EA:4F:B0

  • karenm​,

    karenm  wrote:

    I like to also see the AP collecting the data and which WLAN is in use and the ciscoLwappDot11ClientSessionTrap mib includes all this data, but the IP Address is not formatted correctly.

    The AP collecting the data is probably the same one logging, in this case, your 20:4C:9E:EA:4F:B0 device. This trap is not logging client MAC or WLAN that I can tell. You might get more data by using Syslog instead of SNMP and turning the logs on info, but then discarding the millions of logs that you don't want.

    Parsing out "cldcClientByIpAddress.0=<010><010><010><023>" and inserting 10.10.10.23 as the IP Address format would not be hard, but I'm not sure why your devices are sometimes logging things like "cldcClientByIpAddress.0=ª<030><001>z".

    Unfortunately I don't know the Cisco MIBs enough to even tell you whether or not that is normal and how to parse it.

  • Thank you for your response. This is the issue – why are the ip addresses being formatted like this -- "cldcClientByIpAddress.0=ª<030><001>z"?

    I really need to find out why and how to fix the logging.

    I don’t believe the syslog is sending the data that I need to identify a device’s Internet traffic.

    Do you have the script example that could be used to parse out "cldcClientByIpAddress.0=<010><010><010><023>" and insert 10.10.10.23 as the IP Address format? Do you have the script with instructions how to set it up?

  • I don't think that the problem is with kiwi in your logs, it's the way the device is sending it. Possibly a newer updated MIB or something and I haven't worked directly with Cisco MIBs.

    I also don't typically have parsing scripts on hand for things I don't have/use, so no, I don't have an example script to provide you. I could write one, but if your logs are not consistently providing the same information, it's not going to be helpful.

    To be honest, if you're logging to text file and then reviewing the text file, the parsing should probably be on that end rather than on kiwi. You already know what you're looking for and how to convert it. If you replace the values on the kiwi side then you're just going to end up with more . separated numbers in the middle of all of the rest. For example, if you know that 10.10.10.23 is the IP address you are looking for, what's the difference between searching for that and searching for <010><010><010><023> instead?
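An added example, not part of any post in this thread: a Python pass over the saved log text that decodes `cldcClientByIpAddress.0`, assuming each octet is logged either as `<DDD>` in decimal (as in the thread's `<010><010><010><023>` = 10.10.10.23) or, when printable, as the character itself, and that bytes above 0x7F appear as Latin-1 characters. It also reads the client MAC from the decimal instance suffix of `cldcClientSSID`; `decode_ip`, `parse_trap` and `SAMPLES` are names chosen here.

```python
import re

# Reading assumed here: a non-printable octet is logged as <DDD> (decimal) and
# a printable one as the character itself, so an address is four such tokens.
IP_FIELD = re.compile(r"cldcClientByIpAddress\.0=((?:<\d{3}>|.){4})(?=, )")
OCTET = re.compile(r"<(\d{3})>|(.)")
# The instance suffix of cldcClientSSID is the client MAC as six decimals.
SSID_FIELD = re.compile(r"cldcClientSSID\.((?:\d+\.){5}\d+)=([^,]*)")


def decode_ip(raw):
    """Turn a logged octet string such as '<010><010><010>c' into a dotted quad."""
    octets = []
    for num, char in OCTET.findall(raw):
        # Assumption: a byte >= 0x80 was logged as its Latin-1 character.
        value = int(num) if num else ord(char)
        if value > 255:
            raise ValueError(f"not a single byte: {char!r}")
        octets.append(value)
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets, got {len(octets)}")
    return ".".join(map(str, octets))


def parse_trap(line):
    """Return client IP, client MAC and SSID from one trap line, or None."""
    ip = IP_FIELD.search(line)
    ssid = SSID_FIELD.search(line)
    if not ip or not ssid:
        return None
    mac = ":".join(f"{int(p):02x}" for p in ssid.group(1).split("."))
    return {"client_ip": decode_ip(ip.group(1)), "client_mac": mac,
            "ssid": ssid.group(2)}


# Constructed input: the two fields of interest, copied from the thread's lines.
SAMPLES = [
    "cldcClientByIpAddress.0=<010><010><010><023>, "
    "cldcClientSSID.160.78.167.3.159.103=JMMurrayGuest, ",
    "cldcClientByIpAddress.0=<010><010><010>c, "
    "cldcClientSSID.212.109.109.96.64.180=JMMurrayGuest, ",
    "cldcClientByIpAddress.0=\u00aa<030><001>G, "
    "cldcClientSSID.140.69.0.171.27.33=JMMurrayRT13, ",
]
```

Because the address is matched as exactly four tokens, an octet that happens to print as a comma (decimal 44) does not cut the field short.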

  • Could you please check if all the necessary MIBs are in place? INET-ADDRESS-MIB must be available to resolve it.

  • Thank you for your support. I found “INET-ADDRESS-MIB 1” listed in the KiwiCurrentMIBs.txt file. I believe INET-ADDRESS-MIB is in place.