NWA50AX Syslog format issue

aks
aks Posts: 9  Freshman Member
First Comment Friend Collector
edited May 21 in Wireless

I noticed another thread from earlier in 2023 asking about CEF format messages:

Device: NWA50AX, firmware: V6.29(3)

I am collecting regular syslog messages, the received messages are like this:
<141>1 2023-12-28T20:22:59+00:00 2023 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: 99:99:99:99:99:99 connected on Channel: 13, SSID: MyWiFi, 2.4GHz, Signal: -53dBm, Interface: wlan-1-3" note="IEEE 802.11" user="unknown" devID="999999999999" cat="wlan"

There is an additional "2023" between the full date/time element and the HOSTNAME element, which breaks my parser and appears to me to be an error of https://datatracker.ietf.org/doc/html/rfc5424 .

Would it be possible to investigate this issue, and advise/fix.

Thanks

Accepted Solution

  • Zyxel_Nami
    Zyxel_Nami Posts: 657  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Answer ✓

    Hello @aks

    Thank you for the details you've provided.

    We've replicated the issue where an additional year is included in the VRPT log format. It will be resolved in a future firmware update.

    See how you've made an impact in Zyxel Community this year!

    https://bit.ly/Your2024Moments_Community

    Nami

All Replies

  • Zyxel_Nami
    Zyxel_Nami Posts: 657  Zyxel Employee

    Hello @aks

    Thank you for bringing this to our attention.

    We will review the syslog format issue on the NWA50AX and provide you with an update as soon as possible.

    In the meantime, we wish you a wonderful holiday season :)

    Nami

  • Zyxel_Nami
    Zyxel_Nami Posts: 657  Zyxel Employee

    Hi @aks

    In our checks using the Visual Syslog Server with default settings, we didn't encounter the extra "year" in syslog entries similar to the WLAN category you mentioned. Here is an example log entry we had:

    192.168.1.46  Jan  3 03:27:50  2024  local1  notice    NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx left on Channel: 157, SSID: Z-Hotel, 5GHz, Signal: -59dBm, Download/Upload: 67130/42324 Bytes, reason 8, Interface: wlan-2-4" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxxxx" cat="wlan"

    This format does not include the extra "year" field that you mentioned. We recommend verifying if your syslog server has configurable options to change the display of log entries, which might resolve the discrepancy you're experiencing.

    Nami

  • aks
    aks Posts: 9  Freshman Member

    I prepared a response, but when I hit 'POST' it clears the entry but does not actually post the reply - I can then see it in my 'drafts'. Not sure what's going on?

  • aks
    aks Posts: 9  Freshman Member

    Trying to post again with shorter reply:

    Hi Nami,
    I am a bit confused. The example I sent was the raw data directly from the NWA50AX - it was not processed.
    Here are similar raw messages captured from several devices:
    NWA50AX:
    <141>1 2023-12-18T23:10:03+00:00 2023 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx connected on Channel: 116, SSID: {ssid}, 5GHz, Signal: -72dBm, Interface: wlan-2-1" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxxx" cat="wlan"
    <141>1 2024-01-04T09:20:14+00:00 2024 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx connected on Channel: 116, SSID: {ssid}, 5GHz, Signal: -51dBm, Interface: wlan-2-1" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxxxx" cat="wlan"

  • aks
    aks Posts: 9  Freshman Member

    part 2:

    Netgear WAX615:
    <30>1 2023-12-19T00:53:58+00:00 wax615 hostapd - - - hostapd: wifi1vap0: STA xx:xx:xx:xx:xx:xx WPA: sending 1/2 msg of Group Key Handshake
    Sky hub router:
    <26>1 2024-01-04T09:16:54.000Z skyhub.ihr skyhttpd - - [skySDID@nnn mac="xxxxxxxxxxxx" sn="xxxxxxxxxxxx"] skyAdministrator login successful from IP: 192.168.0.2.

    You can observe the other devices format the date/time according to RFC5424, whereas the NWA50AX adds an additional year after the date/time field. The example above shows that the "additional" year now changed to 2024.
    Could you ask the team to check unprocessed syslog data - I am using the 'rsyslog' server running on QNAP NAS, it does not allow changing/formatting of the received syslog messages. The built-in viewer/display page is not correctly showing messages from NWA50AX, whereas from other devices the displayed information is correctly shown. I have copied the raw information from the log files directly.
    Thanks for checking.

  • Zyxel_Nami
    Zyxel_Nami Posts: 657  Zyxel Employee
    edited January 5

    Hi @aks

    To better assist you with the syslog format issue, could you please confirm if your device is managed in cloud mode via Nebula or in standalone mode?

    If managed via Nebula, please enable Zyxel Support Access for us to further investigate.

    If it's in standalone mode, let us know which log format you've selected, as shown in the screenshot.

    Nami

  • aks
    aks Posts: 9  Freshman Member

    Hi Nami,

    Currently set to standalone mode VRPT/Syslog:

    I had tried both and settled on VRPT, I have included two examples below.

    Here is the VRPT/Syslog example:
    <141>1 2023-12-11T20:23:24+00:00 2023 NWA50AX - - - NWA50AX src="0.0.0.0:0" dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx connected on Channel: 1, SSID: {ssid}, 2.4GHz, Signal: -47dBm, Interface: wlan-1-3" note="IEEE 802.11" user="unknown" devID="xxxxxxxxxx" cat="wlan"

    Here is the CEF/Syslog example:
    <149>1 2023-12-11T18:38:13+00:00 NWA50AX CEF - - - CEF:0|Zyxel|NWA50AX|6.29(ABYW.3)|0|wlan|5|src=0.0.0.0 dst=0.0.0.0 spt=0 dpt=0 msg=Station: xx:xx:xx:xx:xx:xx connected on Channel: 44, SSID: {ssid} 5GHz, Signal: -62dBm, Interface: wlan-2-1

  • aks
    aks Posts: 9  Freshman Member

    Thank you Nami, I look forward to the update to resolve this - hopefully not too long 😃!
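
A collector-side check for the quirk discussed in this thread, as an added example that is not part of any post and is not Zyxel or rsyslog code. Split strictly by the RFC 5424 header grammar, the VRPT lines still parse, but the year lands in the HOSTNAME position and the device name in APP-NAME. The field swap in `parse` is an assumption about the intended layout, and the sample lines are the masked ones quoted in the thread.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<hostname>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"   # "-" or one or more [SD-ELEMENT]
    r"(?: (?P<msg>.*))?",
    re.S,
)

def parse(line):
    """Parse one RFC 5424 line and flag a HOSTNAME that is just the timestamp's year."""
    m = HEADER.fullmatch(line.strip())
    if m is None or int(m["pri"]) > 191:
        raise ValueError("not an RFC 5424 message")
    rec = m.groupdict()
    # PRI = facility * 8 + severity
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    rec["year_in_hostname"] = False
    ts = rec["timestamp"]
    if ts != "-" and rec["hostname"] == ts[:4]:
        rec["year_in_hostname"] = True
        # Assumption: the real device name is the next token (APP-NAME position).
        rec["hostname"], rec["app"] = rec["app"], "-"
    return rec

# Masked lines as quoted in the thread (NWA50AX VRPT, Netgear WAX615, Sky hub).
SAMPLES = [
    '<141>1 2023-12-18T23:10:03+00:00 2023 NWA50AX - - - NWA50AX src="0.0.0.0:0" '
    'dst="0.0.0.0:0" msg="Station: xx:xx:xx:xx:xx:xx connected on Channel: 116, '
    'SSID: {ssid}, 5GHz, Signal: -72dBm, Interface: wlan-2-1" note="IEEE 802.11" '
    'user="unknown" devID="xxxxxxxxxxx" cat="wlan"',
    '<30>1 2023-12-19T00:53:58+00:00 wax615 hostapd - - - hostapd: wifi1vap0: '
    'STA xx:xx:xx:xx:xx:xx WPA: sending 1/2 msg of Group Key Handshake',
    '<26>1 2024-01-04T09:16:54.000Z skyhub.ihr skyhttpd - - [skySDID@nnn '
    'mac="xxxxxxxxxxxx" sn="xxxxxxxxxxxx"] skyAdministrator login successful '
    'from IP: 192.168.0.2.',
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = parse(line)
        print(r["hostname"], r["facility"], r["severity"], r["year_in_hostname"])
```

Counting how often `year_in_hostname` is set per source also gives a simple way to confirm when a firmware update has removed the extra field.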