Logging Wireless Access Points vs. Controllers
We have a combination of lightweight access points (LWAPs) supported by centralized controllers. Currently we're getting logs from both the controllers and the LWAPs sent to enVision. This causes some challenges, as the LWAPs are DHCP addressed and pop up and down in a somewhat chaotic fashion, causing our device list to expand quite a bit and our license to be depleted. Looking at the logs generated, most of the security elements that I'm interested in (primarily authentication info) look to come from the controller, with little of value from the LWAPs themselves (primarily Cisco, but some other vendors as well). I'm considering having the LWAPs stop feeding into enVision and concentrating only on the controllers.
Have others tackled enterprise wireless deployments of this sort? Have you come to the same (or different) conclusions?
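As an added example (not from the original thread), a small Python inventory of syslog senders, assuming a constructed sample of controller and AP messages with hypothetical labels: it shows which sources actually carry the authentication events and which AP names keep reappearing under new DHCP addresses, the two facts behind the decision the question describes.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post). Labels AUTH-OK/AUTH-FAIL/AP-JOIN/
# AP-LEAVE are hypothetical, not vendor mnemonics. 10.1.0.5 plays the controller;
# the APs draw addresses from the 10.20.4.0/24 DHCP pool.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 10.1.0.5 AUTH-OK client=00:11:22:33:44:55 ap=AP-3F-01
2024-05-01T08:00:03 10.20.4.17 AP-JOIN ap=AP-3F-01
2024-05-01T08:01:02 10.1.0.5 AUTH-FAIL client=66:77:88:99:aa:bb ap=AP-3F-02
2024-05-01T08:01:15 10.20.4.31 AP-JOIN ap=AP-3F-02
2024-05-01T08:02:00 10.1.0.5 AUTH-FAIL user=jsmith reason=bad-password
2024-05-01T08:02:30 10.20.4.17 AP-LEAVE ap=AP-3F-01
2024-05-01T08:03:00 10.20.4.44 AP-JOIN ap=AP-3F-01
"""
LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (.*)$")   # timestamp, source, label, rest
AUTH_LABELS = {"AUTH-OK", "AUTH-FAIL"}

def parse(text):
    """Yield (source_ip, label, fields) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, label, rest = m.groups()
            fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
            yield src, label, fields

def summarize(text):
    """Count events and auth events per source; record each AP name's addresses."""
    total, auth, ap_addrs = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, label, fields in parse(text):
        total[src] += 1
        if label in AUTH_LABELS:
            auth[src] += 1
        if label.startswith("AP-") and "ap" in fields:
            ap_addrs[fields["ap"]].add(src)
    return {"total": dict(total), "auth": dict(auth),
            "ap_addrs": {ap: sorted(a) for ap, a in ap_addrs.items()}}

def sources_to_keep(summary):
    """Sources worth a SIEM device slot: those that emit authentication events."""
    return sorted(s for s, n in summary["auth"].items() if n > 0)

def churning_aps(summary):
    """AP names seen under more than one source address, i.e. DHCP churn."""
    return sorted(ap for ap, a in summary["ap_addrs"].items() if len(a) > 1)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    print("keep:", sources_to_keep(s), "churn:", churning_aps(s))
```

Run against a real syslog export, the same two lists tell you which senders carry the authentication records and how many device-list entries are one AP cycling through the DHCP pool.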
Some things to think about. What is the intent to monitor? Audit reasons? Security monitoring? Full-blown SIEM purposes? What are the common attack vectors within wireless? Will the controller only pick up on the common wireless attacks, or do you need the APs? Try the various attack scenarios via BackTrack and determine what gets logged and where (simulate attack). That would tell you if you are logging the correct components of the wireless infrastructure or not.