Ruckus Wireless

LogZilla App Store application: Ruckus Wireless

Overview

Ruckus Wireless provides enterprise-grade Wi-Fi access points, controllers, and management software for high-density wireless deployments. Ruckus devices generate syslog messages for client authentication, association events, rogue AP detection, and system status. Operators monitor these logs to troubleshoot connectivity issues, detect security threats, and track client activity.

App Function

  • Parse Ruckus syslog messages for authentication and client activity events
  • Extract metadata tags for filtering and analysis
  • Categorize events by type (auth, network, security, config, system)
  • Detect rogue access points and ad-hoc networks

Vendor Documentation

Device Configuration

Configure Ruckus devices to send syslog messages to LogZilla:

ZoneDirector / Unleashed

  1. Log into the Ruckus web interface
  2. Navigate to Admin & Services > System > System Info
  3. Scroll to Log Settings section
  4. Enable Remote Syslog and enter the LogZilla server IP address
  5. Select log content: All Syslog, Client Connection Logs Only, or Client Flow Data Only
  6. Optionally enable Inherit remote syslog server for APs
  7. Configure Facility Name (Keep Original or select facility)
  8. Set Priority Level (All or specific level)

SmartZone

  1. Log into the SmartZone web interface
  2. Navigate to System > General Settings > Syslog
  3. Select Enable logging to remote syslog server
  4. Configure the primary syslog server:
    • Enter the LogZilla server IP address
    • Enter the port number (default: 514)
    • Select protocol (UDP or TCP)
    • Click Ping Syslog Server to verify connectivity
  5. Configure Facility (0-7)
  6. Configure Filter Severity (Debug recommended for full visibility)
  7. Select Event Filter:
    • All events - Recommended for full visibility
    • All events except client association/disassociation - Reduces volume
    • All events above a severity - Filter by severity level
  8. Click OK

Verification

Trigger a client authentication event, then verify events appear in LogZilla with the program name Ruckus.

Incoming Log Format

Ruckus syslog messages follow several formats depending on event type:

Authentication Events

  <date> <device> User[<mac>] fails authentication in WLAN[<wlan>] from AP[<ap>]

Client Activity Events

  <date> <device> User[<mac>] <action> WLAN[<wlan>] from AP[<ap>]

Rogue Detection Events

  <date> <device> A new Rogue [<mac>] with SSID[<ssid>] is detected

  • date - Syslog timestamp
  • device - Ruckus controller or AP hostname
  • mac - Client MAC address
  • wlan - Wireless network name
  • ap - Access point name
  • action - Client action (joins, rejoins, leave, disconnects)
  • ssid - Detected SSID name

Parsed Metadata Fields

Tag Name | Example | Description
Event Class | auth | Cross-vendor event classification
Event Type | login_failure | Specific event type (login_failure, intrusion)
SrcMAC | 00:11:22:33:44:55 | Client MAC address
Action | fails authentication | Event action
Ruckus WLAN | Guest | Wireless network name
Ruckus AP | Lobby-AP1 | Access point name
Ruckus SSID | Corporate | Detected SSID (rogue events)
Ruckus Detection Type | Rogue | Detection type (Rogue, ad-hoc)
Ruckus BSSID | aa:bb:cc:dd:ee:ff | BSSID for WLAN deployments
Ruckus Radio | radio0 | Radio identifier
Ruckus Reason | inactivity | Disconnect reason

MITRE ATT&CK Mappings

Event | MITRE ID | Tactic
Rogue AP detected | T1200 | Initial Access
Ad-hoc network detected | T1200 | Initial Access
Authentication failure | T1110 | Credential Access

Triggers

Trigger | Description
Ruckus: MITRE ATT&CK Threat Detected | Catch-all for any MITRE-mapped threat
Ruckus: Rogue AP or ad-hoc network detected (T1200) | Rogue AP or ad-hoc network detected
Ruckus: Client authentication failure (T1110) | Client authentication failure
Ruckus: Client join failure | Client failed to join WLAN (capacity/config issue)

Log Examples

Authentication Failure

  Nov 12 10:32:51 device1 User[00:11:22:33:44:55] fails authentication in WLAN[WLAN1] from AP[AP1] for [10 minutes]

Client Join

  Nov  3 23:12:34 device1 User[aa:bb:cc:dd:ee:ff] joins WLAN[Guest] at AP[Lobby1]

Rogue AP Detection

  Nov 10 10:30:15 localhost-1 A new Rogue [00:11:22:33:44:55] with SSID[evil_network] is detected

WLAN Deployment

  Jan  1 00:00:00 device1 WLAN[wlan0] has been deployed on radio [radio0] of AP[ap1] with BSSID[00:11:22:33:44:55]
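The message formats and metadata tags described above, worked through as an added Python example (not the LogZilla app's own parsing rules): it matches each documented format, emits the tag names from the Parsed Metadata Fields table plus the MITRE ID from the mappings table, and returns None for lines that fit no documented format. The sample lines are constructed from the Log Examples; the event types client_activity and wlan_deployed are assumed, since the page only names login_failure and intrusion.

```python
import re

# Added example, not LogZilla's own rule set: parse the Ruckus message
# formats documented above into the metadata tag names from the table.
MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
HEADER = r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) "
# Each rule: compiled pattern plus the constant tags set when it matches.
# Group names carry no spaces; TAG_NAMES maps them to the table's tag names.
RULES = [
    (re.compile(HEADER + rf"User\[(?P<SrcMAC>{MAC})\] (?P<Action>fails authentication) "
                r"in WLAN\[(?P<WLAN>[^\]]+)\] from AP\[(?P<AP>[^\]]+)\]"),
     {"Event Class": "auth", "Event Type": "login_failure", "MITRE ID": "T1110"}),
    (re.compile(HEADER + rf"User\[(?P<SrcMAC>{MAC})\] (?P<Action>joins|rejoins|leaves?|disconnects) "
                r"WLAN\[(?P<WLAN>[^\]]+)\] (?:from|at) AP\[(?P<AP>[^\]]+)\]"),
     {"Event Class": "network", "Event Type": "client_activity"}),  # event type assumed
    (re.compile(HEADER + rf"A new (?P<DetectionType>Rogue) \[(?P<SrcMAC>{MAC})\] "
                r"with SSID\[(?P<SSID>[^\]]+)\] is detected"),
     {"Event Class": "security", "Event Type": "intrusion", "MITRE ID": "T1200"}),
    (re.compile(HEADER + r"WLAN\[(?P<WLAN>[^\]]+)\] has been deployed on radio \[(?P<Radio>[^\]]+)\] "
                rf"of AP\[(?P<AP>[^\]]+)\] with BSSID\[(?P<BSSID>{MAC})\]"),
     {"Event Class": "config", "Event Type": "wlan_deployed"}),  # event type assumed
]
TAG_NAMES = {"WLAN": "Ruckus WLAN", "AP": "Ruckus AP", "SSID": "Ruckus SSID",
             "DetectionType": "Ruckus Detection Type", "BSSID": "Ruckus BSSID",
             "Radio": "Ruckus Radio"}

def parse_ruckus(line):
    # Return the tags for one syslog line, or None if no documented format matches.
    for pattern, constants in RULES:
        m = pattern.match(line.strip())
        if not m:
            continue
        tags = dict(constants)
        for group, value in m.groupdict().items():
            if group not in ("date", "device"):  # header fields are not tags
                tags[TAG_NAMES.get(group, group)] = value
        return tags
    return None

# Constructed sample lines matching the formats shown in Log Examples above.
SAMPLE_LINES = [
    "Nov 12 10:32:51 device1 User[00:11:22:33:44:55] fails authentication in WLAN[WLAN1] from AP[AP1] for [10 minutes]",
    "Nov  3 23:12:34 device1 User[aa:bb:cc:dd:ee:ff] joins WLAN[Guest] at AP[Lobby1]",
    "Nov 10 10:30:15 localhost-1 A new Rogue [00:11:22:33:44:55] with SSID[evil_network] is detected",
    "Jan  1 00:00:00 device1 WLAN[wlan0] has been deployed on radio [radio0] of AP[ap1] with BSSID[00:11:22:33:44:55]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_ruckus(line))
```

Trailing text such as "for [10 minutes]" is tolerated because the patterns are anchored only at the start of the line.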