Connect Cisco MX100 Syslogs to Azure Sentinel

SOLVED
Greg2
Here to help

I'm not able to get syslogs from my Meraki MX100 into Azure Sentinel.

I've set up a VM on my LAN and installed the Azure agent. I can see heartbeat messages from the agent in Azure.

I've configured the Meraki to send all available syslog messages to the VM, but I can't see those messages in Azure.

Does anyone have any experience in getting syslogs into Azure Sentinel?

1 ACCEPTED SOLUTION

I've managed to get this working.

I followed your suggestion of replacing rsyslog with syslog-ng. I'm not convinced this was required, but hey..

It seems I was sending the syslog data to a log file when I needed to send it to the Azure agent listening on port 25224 on the local machine.

As well as adding the details listed under Option 1 in the syslog-ng article you linked to, I also changed the line

destination df_meraki { file("/var/log/meraki.log"); };

to

destination df_meraki { udp("127.0.0.1" port(25224)); };

I found an MS article detailing how to configure syslogs for Azure Monitor which pointed me to this line change:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-syslog
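To show the whole path the accepted solution describes (MX sends to the VM, syslog-ng hands the messages to the local Log Analytics agent on UDP 25224 rather than writing them to a file), here is an added syslog-ng configuration fragment. It is not from the thread, Meraki or Microsoft: the source and filter names, the use of UDP 514 as the receiving port, and the <MX_LAN_IP> placeholder are assumptions; the existing @version header and the Option 1 settings from the Microsoft article stay as they are.

```conf
# Added example (not from the thread). Drop into /etc/syslog-ng/conf.d/ on the
# collector VM, alongside the agent's own Option 1 configuration.

# Receive Meraki messages on the standard syslog port. The MX sends UDP, so the
# host firewall (and the NSG, if the VM were in Azure) must allow UDP 514 inbound.
source s_meraki {
    udp(ip(0.0.0.0) port(514));
};

# Only forward what actually came from the MX, so local noise such as the
# NetworkManager lines seen in /var/log/syslog is not sent twice.
# <MX_LAN_IP> is a placeholder for the appliance's LAN address.
filter f_meraki {
    host("<MX_LAN_IP>");
};

# Hand the messages to the Log Analytics agent, which listens on the loopback
# interface on UDP 25224. A file() destination here is never read by the agent.
destination df_meraki {
    udp("127.0.0.1" port(25224));
};

log {
    source(s_meraki);
    filter(f_meraki);
    destination(df_meraki);
};
```

After reloading syslog-ng, the quickest check that messages are arriving on the agent side is to confirm the agent is bound to 25224 on 127.0.0.1 and then watch for the Meraki facility in the Syslog table in the workspace; if the table stays empty, the problem is usually the inbound port on the VM rather than the agent.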

10 REPLIES
CptnCrnch
Kind of a big deal

First and foremost: are messages received on the agent?

Thanks for replying.

I don't know how to tell. I've installed the agent on Ubuntu.

OK, this is a snippet from /var/logs/syslog:

Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.7976] dhcp4 (ens160): option dhcp_lease_time => '86400'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option domain_name_servers => '<IP_redacted>'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option expiry => '1599089654'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option ip_address => '<IP_redacted>'

Does this mean that Meraki messages are reaching the agent?


SoCalRacer
Kind of a big deal

It would be really nice to have some official Meraki documentation on this and other cloud options for syslog storage.

From my understanding you may need to allow port 514 on the NSG on the VM in Azure.

I'm using an on-prem VM.

SoCalRacer
Kind of a big deal

I thought the intent from MS was that the VM was supposed to be in Azure, and that it handled the queue of events and then pushed them to Sentinel.

https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-the-connectors-grand-cef-syslog...

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

URL
Any HTTP GET requests will generate a syslog entry.

Example:

Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com
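The URL event quoted above has a fixed header (timestamp, relay host, version, epoch, device name, event type) followed by key=value fields and a free-text trailer. Once these lines reach the workspace they land in the SyslogMessage column as one string, so a parser for that layout is what turns them into queryable fields. The following Python is an added example, not code from the thread, Meraki or Microsoft: the header layout is taken from the quoted line, the "flows" line and the NetworkManager line are constructed samples, and the field names beyond those in the quoted line are assumptions.

```python
import re
from typing import Optional

# Added example, not code from the thread or from Meraki/Microsoft.
# Header layout taken from the URL event quoted in the thread:
#   <Mon> <day> <hh:mm:ss> <relay host> <version> <epoch> <device name> <event type> [fields...]
_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<relay>\S+)\s+(?P<version>\d+)\s+(?P<epoch>\d+(?:\.\d+)?)\s+"
    r"(?P<device>\S+)\s+(?P<event>\S+)(?:\s+(?P<rest>.*))?$"
)
# key=value fields such as src=..., dst=..., mac=...
_KV = re.compile(r"(\w+)=(\S+)")
# free-text trailer such as "request: GET http://..."; the colon must be followed by
# whitespace so that "10.3:62526" or a MAC address is not mistaken for a label
_TRAILER = re.compile(r"(?:^|\s)(\w+):\s+(.*)$")


def parse_meraki_syslog(line: str) -> Optional[dict]:
    """Return a dict of fields for a Meraki syslog line, or None if it is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    ev = {
        "timestamp": f"{m['month']} {m['day']} {m['time']}",
        "relay": m["relay"],
        "epoch": float(m["epoch"]),
        "device": m["device"],
        "event": m["event"],
    }
    rest = m["rest"] or ""
    t = _TRAILER.search(rest)
    if t:
        kv_part, label, text = rest[: t.start()], t.group(1), t.group(2)
    else:
        kv_part, label, text = rest, None, None
    ev.update(dict(_KV.findall(kv_part)))
    if label == "request":
        # "request: GET http://..." -> method and URL as separate fields
        method, _, url = text.partition(" ")
        ev["request_method"], ev["request_url"] = method, url
    elif label is not None:
        ev[label] = text  # e.g. "pattern" -> "allow all"
    return ev


def summarize(lines) -> dict:
    """Count Meraki events by type and note lines that are not Meraki messages."""
    by_event: dict = {}
    unparsed = 0
    for line in lines:
        ev = parse_meraki_syslog(line)
        if ev is None:
            unparsed += 1
        else:
            by_event[ev["event"]] = by_event.get(ev["event"], 0) + 1
    return {"by_event": by_event, "unparsed": unparsed}


# Sample input. The first line is the URL example quoted in the thread; the flows
# line and the NetworkManager line are constructed for this example.
SAMPLE_LINES = [
    "Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 "
    "dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com",
    "Apr 20 14:36:36 192.168.10.1 1 948077315.123456789 MX60 flows src=192.168.10.3 "
    "dst=8.8.8.8 mac=00:1A:A0:XX:XX:XX protocol=udp sport=53012 dport=53 pattern: allow all",
    "Apr 20 14:36:37 SYSLOG NetworkManager[614]: <info> dhcp4 (ens160): option ip_address => '10.0.0.5'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_meraki_syslog(line))
    print(summarize(SAMPLE_LINES))
```

The third sample is the kind of local NetworkManager line shown earlier in the thread; it fails the header match and is counted as unparsed, which is the distinction the poster was missing: seeing lines in /var/log/syslog only proves the local syslog daemon is running, not that anything from the MX has arrived.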

 

When configuring a Syslog data source in Azure you get the option to install on a non-Azure machine.

I've discovered I'm using rsyslogd but am having issues configuring the service to accept messages from the Meraki.

Does anyone know how to do this?
