Mapping the wlceventd logs and their wlceventd_proc_event

Question

I'm trying to monitor the logs that my Asus router are generating, so I can react on certain events.

Some of the interesting ones are from the Wireless LAN Controller event daemon (wlceventd), e.g. Disassoc - devices are leaving Wi-Fi:

wlceventd: wlceventd_proc_event(511): eth7: Disassoc AB:CD:EF:01:23:45, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0

I noticed that the wlceventd_proc_event seems to indicate the type of event that is logged. The 511 always seems to be Disassoc events.

I have been trying to locate the specifications of the wlceventd logs. The AsusWRT-Merlin source repository only contains the binaries of wlceventd.

What kind of wlceventd_proc_event types are there? What is the structure of the log lines? What are the different parts, e.g. eth7, status, rssi?

Answer 1

Welcome to the community.

The structure of the log message is:

• Source (wlceventd daemon)
• Message type (wlceventd_proc_event)
• Event ID (511) The IDs are not standardized across devices/manufacturers/versions/etc
• Event location (eth7) The ID the system uses to identify this radio. This isn't standardized either, ethN is just how this system refers to them.
• Event (Disassociation of client AB:CD:EF:01:23:45)
• Event status (0 = success)
• Event reason (client left the Basic Service Set the AP offers)
• Current RSSI (Received Signal Strength Indicator) As the client's left the BSS, the radio isn't receiving a signal from it anymore, thus RSSI = 0.

The most relevant parts of the message start from the event location. The reason and status codes are standardized by 802.11.

• This Cisco Meraki page describes the 802.11 association process.
• This Aruba page shows the reason and status codes - these are basically the possible event types. If the network uses RADIUS, TACACS or similar to authenticate clients/users, also 802.1X authentication events will be present.
• Here are the reason and status codes from Cisco community - more legible but lacking the extra info Aruba page offers. Note that the many "NOT SUPPORTED" -explanations refer only to specific Cisco devices.