azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dafcec5bcec2c3329ff451fb761820249e3ddddc
claudetools/clients/cascades-tucson/docs/network/network-logging-plan.md
Howard Enos e0f9b1e221 sync: auto-sync from HOWARD-HOME at 2026-06-18 12:21:23 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-18 12:21:23
2026-06-18 12:22:42 -07:00

77 lines
5.4 KiB
Markdown
Raw Blame History

# Cascades — Network Logging / Observability Plan (SPEC — build later)
- **Created:** 2026-06-17 (Howard-Home / claude-main)
- **Status:** PLAN ONLY — no infra changes made. For a scheduled build.
- **Goal:** Capture + retain a searchable record of **device drops / kicks / disconnects** and the
telemetry to **root-cause the ongoing Cascades network issues** (2.4 GHz congestion, sticky
clients, roaming/min-RSSI deauths — see `reports/2026-06-16-unifi-full-audit.md`).
## The problem we found (2026-06-17)
- **The UniFi controller is NOT retaining client history.** A 7-day pull of the Cascades site's
`stat/event` AND `stat/alarm` returned **zero** records (auth/site fine — client/device queries
return data). So when a phone/device drops or is kicked, **nothing is recorded** -> the network
is a black box after the fact.
- **pfSense logs locally but in tiny circular buffers** (clog) that roll over in hours — no useful
history, no search.
- => We must **capture events at the source and ship them to a store with retention + search**.
pfSense and UniFi are log *sources*; neither is a retention/search platform on its own.
## Where the collector lives — decision
| Candidate | Verdict |
|---|---|
| **CS-SERVER** | **NO.** Fragile EOL DC (Dell R610, ~16 yr, **degraded OS RAID-1**, single-DC data-loss risk, I/O-bound). Adding syslog ingestion load is unacceptable. |
| **pfSense / UniFi alone** | Sources only. pfSense local retention ~hours; UniFi retains ~0 client events. Live view yes, forensics no. |
| **Synology cascadesDS (`192.168.0.120`)** | **PREFERRED on-site collector.** DSM up on :5001 (vault `clients/cascades-tucson/synology-cascadesds`). Built-in **Log Center** = a syslog server (retention + search + notifications), no Docker needed. Becoming backup-only anyway -> light syslog duty fits, keeps logs local + off CS-SERVER. |
| Jupiter (`172.16.3.20`, ACG office Docker) | Fallback if a richer stack (Graylog/Loki) is wanted; cross-site (Cascades -> office). Use only if on-site Synology is ruled out. |
**Recommendation:** Synology **Log Center** as the on-site syslog collector. If cascadesDS turns
out to be a Plus/x86 model with spare RAM, **Container Manager** can later add **Graylog** or
**Grafana Loki** for richer search/dashboards/alerting — but Log Center alone meets the core ask.
## Sources to configure (ship syslog -> Synology Log Center, UDP/TCP 514)
1. **pfSense** (`192.168.0.1`): Status -> System Logs -> Settings -> **Remote Logging**: server =
Synology IP:514; select **System, Firewall, DHCP, Gateway**. (DHCP lease grant/expire/decline =
device-drop + IP-churn signal; firewall = blocked traffic.)
2. **UniFi controller + Cascades APs** (UOS `172.16.3.29`, site `va6iba3v`): Settings -> System ->
enable **Remote Logging / syslog** to the Synology, include **client events / debug** so the
**APs emit assoc/DEAUTH-with-reason-code + RSSI-at-disconnect + roam** events — the gold data for
"who got kicked and why." Confirm AP syslog is forwarded (not just controller app log).
3. **(Optional) switches** — port up/down/flap events (the ~25 underspeed ports + 3 offline
switches in the audit are suspects).
## Client time-series snapshotter (fills the controller's history gap)
Because the controller isn't keeping client history, add a small **poller** (every 1-2 min) that
hits the controller API `/stat/sta` for the Cascades site and appends per-client rows:
`ts, mac, hostname, ap, band, channel, rssi, tx_retry%, satisfaction, is_wired`.
- **Where to run:** Synology Task Scheduler + a script, or a small container; or cross-site on
GuruRMM (`172.16.3.30`) via cron; or a coord-scheduled job. Store as SQLite/CSV (or into the
collector if Graylog/Loki is chosen).
- **Why:** lets us answer "did device X drop because RSSI cratered / it stuck to a far AP / 2.4 GHz
airtime saturated" — correlating drops with the documented RF problems. Pairs with the existing
`unifi-wifi` skill collectors (`watch-ap.sh`, `radio-usage.sh`, `neighbor-collect.sh`).
## Alerting (phase 2)
From Log Center (or Graylog/Loki): notify (Discord via `post-bot-alert.sh` / `discord-dm`) on AP
reboot, switch-port flap, repeated deauths for a tracked device, or DHCP pool pressure.
## Retention
Target 30-90 days searchable (HIPAA-adjacent network metadata; no PHI in syslog). Size the Synology
Log Center archive / volume accordingly; rotate/compress older.
## Build steps (when scheduled)
1. Confirm cascadesDS **model + RAM + DSM version** (determines Log Center-only vs Container Manager
for Graylog/Loki). Cred: vault `clients/cascades-tucson/synology-cascadesds`.
2. Install/enable **Log Center** (Package Center) -> enable **syslog server** (514), set retention.
3. Point **pfSense** remote syslog at it (sources above) — verify receipt.
4. Enable **UniFi controller + AP** remote syslog (with client/deauth events) — verify AP deauth
events arrive with reason + RSSI.
5. Deploy the **client snapshotter** (cron/Task Scheduler) — verify rows accumulating.
6. (Optional) Container Manager -> Graylog/Loki+Grafana for dashboards; wire alerting.
7. Validate: force a test device off WiFi -> confirm a searchable deauth event with reason + RSSI.
## Open items
- Confirm cascadesDS model/RAM/Docker capability (step 1).
- Confirm no PHI traverses syslog (network metadata only) for the HIPAA file.
- Decide retention window + alert thresholds.
- If on-site is rejected -> fall back to Jupiter (Graylog/Loki) cross-site.
Reference in New Issue View Git Blame Copy Permalink