@j4nd3r53n 

You could enable logging services to an external or internal logging server.  AND also enable SNMP/Logging.  That will give you all the data you need. 

  @j4nd3r53n 

If the 'Omada Web App' means you have an Omada controller there is a much easier way to do this.  The controller tracks individual client (IP) stats both in near-realtime and also historical aggregates.  If the high traffic pattern is nightly , or almost every night, you can log in and see which clients are consuming what bitrate (you can sort by highest bitrate) and you determine if it's primarily inbound or outbound traffic.  If it only happens for a few hours in the middle of the night, then take a snapshot of the client aggregate data at 6pm and 6am, and see which clients jump up the most overnight. You may have to customize the columns in the Clients table to get the fields you need, and you can further narrow things down by noting which clients are attached to the AP reporting the high traffic volumes.  All of the above should tell you if its a compromised internal machine or an unauthorized device.  Keep in mind that some devices, iphones in particular I think, randomize their WiFi MAC addresses (so differnent IP per) to prevent 'tracking', which in itself tells you quite a bit.