In this blog post I’m showing how to get Wireless Intrusion Detection Events from Cisco’s WIDS included in Cisco’s Wireless Controllers into an Elastic-Stack.
The architecture might look like this:
The Wireless Access points are generating Events from Radio, Client, CleanAir, and so on
The Wireless Controllers are sending those events by SNMP-Traps to a central Trap-Collector
Logstash is acting as the central SNMP-Trap-Collector and sends the events to an Elastic-Stack
Kibana is used to view the generated events and Graphs in a Dashboard
This drawing illustrates the architecture described above:
Note: SNMP works at udp/161, SNMP-Traps work at udp/162!
Configuring Cisco WLC to send SNMP-Traps to Logstash
The Events collected by the Cisco WLCWIDS are not send as syslog messages but as SNMP-Traps. The Cisco WLC is acting here as a SNMP-Agent and sends it’s WIDS events to a SNMP-Manager, the SNMP-Manager in this case will be Logstash.
To configure the SNMP-Trap receiver on command line:
To configure the SNMP-Trap receiver by Web-UI:
SNMP-MIBS used by Cisco WLC-IDS events
Cisco provides at Cisco Wireless LAN Controller Software / Error and System Messages a list of SNMP-Traps in which the used MIB’s (Management information base) can be identified. Based on those MIB’s, the identifiers can be extracted with the libsmi tools. Those extracted SMI identifiers (Structure of Management Information) can be “converted” into a YAML format which is used by Logstash.
Instead of doing the manual “conversion” from SMI to YAML, you can also search the internet or use the YAML files I’m providing at by GitHub at: security/Cisco-WLC-IDS
Configuring Logstash with SNMP-Trap Input module
A simple SNMP-Trap input module configuration for Logstash might look like this:
Please note that Logstash (written in Java) requires root permission to listen on privileged ports (<1024). Therefore Logstash’s SNMP-Trap input module is listening on udp/11162 instead of udp/162.
yamlmibdir might point to some other directory, based on the Linux System or version installed. For Debian 11 Bullseye, it’s the directory shown in the configuration file.
type identifies the SNMP-Traps as index in the Elastic-Stack.
When the configuration file is completed, Logstash can be restarted with systemctl restart logstash.
Creating Kibana Index Pattern for WLC-IDS events
The next step is to verify if the index configured in Logstash is available in Elastic-Stack. To check the existence of the index wlcids_snmptrap just check it in “Management > Data > Index Management”.
To use the events collected by Logstash in a Kibana Dashboard, an index pattern for the WLCIDS events must be created. This index can be created in “Managemet > Kibana > Index Patterns”.
Creating Kibana Dashboard for WLC-IDS events
Based on the created Kibana Index Pattern, a Dashboard with some lenses can be created. For example I’m using a lens called “WLC-IDS: Wireless Controllers” which shows how much SNMP-Traps are created by Wireless Controller (useful if more than one).
Or “WLC-IDS: SNMP-Trap Events by Type” to get an overview of the Event Types like SignatureAttackDetected or a simple seaach with the “WLC-IDS: SNMP-Trap OID’s” for a textual representation of the Events.