
Monitoring a Large Wifi Environment

Esky73
Builder

I'm looking at monitoring potentially a large wifi network consisting of multiple access points and looking for any insights/ideas that anyone may have used before?

Without seeing what's in the logs so far, I'm thinking how do we get all this info from various points - my initial thought is using a syslog server tool to collect from all points and then send to Splunk.

Also, what kind of things to present on the dashboard?

Are there any case studies out there that can be shared?

Thx.


mattymo
Splunk Employee

Hey Esky,

Monitoring wifi infrastructure is a common use case for Splunk and provides the ability to monitor anything from performance and configuration to authentication, authorization and accounting and traffic patterns.

I have personally seen Meraki, Aruba, etc. all report via syslog, usually through the wireless LAN controller.

There is a Cisco enterprise app and a Meraki TA on Splunkbase that you could pull apart and see what was done there:

https://splunkbase.splunk.com/app/1352/
https://splunkbase.splunk.com/app/3018/#/details

And a quick Google search returns tons of use cases from vendor forums, for example:

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Monitoring-the-wireless-network-via-MR...

Obviously getting your hands in the logs will be the first step in knowing what value awaits, but pairing WLC logs with something like Cacti to track timeseries metrics can be a very powerful way to monitor trends and alert with Splunk.

- MattyMo

Esky73
Builder

Thanks - I found the same use case prior, but it was quite an old article and wasn't exactly what I was looking for, although I have gleaned some ideas.

I have access to a Cisco Aironet 1600 which is not controller based but standalone - would the Cisco TA give me some useful sourcetypes for use here? What about the Cisco App? I didn't see my device listed as supported.

Supported Cisco Devices:
* Cisco Catalyst series switches (2960, 3650, 3750, 4500, 6500, 6800, 7600 etc.)
* Cisco ASR - Aggregation Services Routers (900, 1000, 5000, 9000 etc.)
* Cisco ISR - Integrated Services Routers (800, 1900, 2900, 3900, 4451 etc.)
* Cisco Nexus Data Center switches (1000V, 2000, 3000, 4000, 5000, 6000, 7000, 9000 etc.)
* Cisco Carrier Routing System
* Other Cisco IOS based devices (Metro Ethernet, Industrial Ethernet, Blade Switches, Connected Grid etc.)
* Cisco WLC - WLAN Controller


adonio
Ultra Champion

Check out the Cisco IOS app (Cisco Network App) https://splunkbase.splunk.com/app/1352/


mattymo
Splunk Employee

Yeah, if they are IOS based I'm sure there's some reusable pieces, but Cisco syslog tends to be pretty clean to work with regardless, and the beauty of Splunk is that you can customize to your heart's desire...no TA? No problem!

Personally I would start with getting a sample of the data you will have at your disposal so you can better quantify what use cases you can even attack...DHCP? NAT? Logins, login failures, user tracking, performance? etc etc etc

Then I would grab the admin guides for the access points to review log structure and what's important, and heck, Cisco is a Splunk partner so your vendor reps could likely tell you what's possible from a Cisco point of view!

- MattyMo

Esky73
Builder

Nice, thanks all.
