NWA50AX Syslog format issue
I noticed another thread from earlier in 2023 asking about CEF format messages:
Device: NWA50AX, firmware: V6.29(3)
I am collecting regular syslog messages, the received messages are like this:
<141>1 2023-12-28T20:22:59+00:00 2023 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: 99:99:99:99:99:99 connected on Channel: 13, SSID: MyWiFi, 2.4GHz, Signal: -53dBm, Interface: wlan-1-3" note="IEEE 802.11" user="unknown" devID="999999999999" cat="wlan"
There is an additional "2023" between the full date/time element and the HOSTNAME element, which breaks my parser and appears to me to be an error of .
Would it be possible to investigate this issue, and advise/fix.
Thanks
Accepted Solution
-
Hello @aks
Thank you for the details you've provided.
We've replicated the issue where an additional year is included in the VRPT log format. It will be resolved in a future firmware update.
Zyxel Nami
0
Zyxel Employee
All Replies
-
Hello @aks
Thank you for bringing this to our attention.
We will review the syslog format issue on the NWA50AX and provide you with an update as soon as possible.
In the meantime, we wish you a wonderful holiday season :)
Zyxel Nami
0 -
Hi @aks
In our checks using the Visual Syslog Server with default settings, we didn't encounter the extra "year" in syslog entries similar to the WLAN category you mentioned. Here is an example log entry we had:
192.168.1.46 Jan 3 03:27:50 2024 local1 notice NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx left on Channel: 157, SSID: Z-Hotel, 5GHz, Signal: -59dBm, Download/Upload: 67130/42324 Bytes, reason 8, Interface: wlan-2-4" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxxxx" cat="wlan"
This format does not include the extra "year" field that you mentioned. We recommend verifying if your syslog server has configurable options to change the display of log entries, which might resolve the discrepancy you're experiencing.
Zyxel Nami
0 -
I prepared a response, but when I hit 'POST' it clears the entry but does not actually post the reply - I can then see it in my 'drafts'. Not sure what's going on?
0 -
Trying to post again with shorter reply:
Hi Nami,
I am a bit confused. The example I sent was the raw data directly from the NWA50AX - it was not processed.
Here are similar raw messages captured from several devices:
NWA50AX:
<141>1 2023-12-18T23:10:03+00:00 2023 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx connected on Channel: 116, SSID: {ssid}, 5GHz, Signal: -72dBm, Interface: wlan-2-1" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxxx" cat="wlan"
<141>1 2024-01-04T09:20:14+00:00 2024 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx connected on Channel: 116, SSID: {ssid}, 5GHz, Signal: -51dBm, Interface: wlan-2-1" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxxxx" cat="wlan"0 -
part 2:
Netgear WAX615:
<30>1 2023-12-19T00:53:58+00:00 wax615 hostapd - - - hostapd: wifi1vap0: STA xx:xx:xx:xx:xx:xx WPA: sending 1/2 msg of Group Key Handshake
Sky hub router:
<26>1 2024-01-04T09:16:54.000Z skyhub.ihr skyhttpd - - [skySDID@nnn mac="xxxxxxxxxxxx" sn="xxxxxxxxxxxx"] skyAdministrator login successful from IP: 192.168.0.2.You can observe the other devices format the date/time according to RFC5424, whereas the NWA50AX adds an additional year after the date/time field. The example above shows that the "additional" year now changed to 2024.
Could you ask the team to check unprocessed syslog data - I am using the 'rsyslog' server running on QNAP NAS, it does not allow changing/formatting of the received syslog messages. The built-in viewer/display page is not correctly showing messages from NWA50AX, whereas from other devices the displayed information is correctly shown. I have copied the raw information from the log files directly.
Thanks for checking.0 -
Hi @aks
To better assist you with the syslog format issue, could you please confirm if your device is managed in cloud mode via Nebula or in standalone mode?
If managed via Nebula, please enable Zyxel Support Access for us to further investigate.
If it's in standalone mode, let us know which log format you've selected, as shown in the screenshot.
Zyxel Nami
0 -
Hi Nami,
Currently set to standalone mode VRPT/Syslog:
I had tried both and settled on VRPT, I have included two examples below.
Here is the VRPT/Syslog example:
<141>1 2023-12-11T20:23:24+00:00 2023 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx connected on Channel: 1, SSID: {ssid}, 2.4GHz, Signal: -47dBm, Interface: wlan-1-3" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxx" cat="wlan"Here is the CEF/Syslog example:
<149>1 2023-12-11T18:38:13+00:00 NWA50AX CEF - - - CEF:0|Zyxel|NWA50AX|6.29(ABYW.3)|0|wlan|5|src=0.0.0.0 dst=0.0.0.0 spt=0 dpt=0 msg=Station: xx:xx:xx:xx:xx:xx connected on Channel: 44, SSID: {ssid} 5GHz, Signal: -62dBm, Interface: wlan-2-10 -
Hello @aks
Thank you for the details you've provided.
We've replicated the issue where an additional year is included in the VRPT log format. It will be resolved in a future firmware update.
Zyxel Nami
0 -
Thank you Nami, I look forward to the update to resolve this - hopefully not too long 😃!
0
Categories
- All Categories
- 392 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 81 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 914 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 209 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 907 Nebula FAQ
- 415 Security FAQ
- 236 Switch FAQ
- 206 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 138 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight
