Working on forwarding syslog protocol log messages to a syslog-ng server.
I've got the configuration file in place but the log location /var/log/meraki.log isn't recording any events/alerts.
Server selinux is permissive and netstat shows it's listening on 514. Meraki reporting syslog is set up correctly using the IP and default 514.
When I run a packet capture using tcpdump, the server is receiving messages, but none are being recorded in the path defined in the syslog-ng.conf file.
Any input is appreciated.
I've given it a go before but the service will not start when using filter f_meraki { facility(meraki); };
Per journal log it seems to get stuck at that configuration.
Sample configs
# UDP listener; Meraki sends to this port (must match what the dashboard is set to)
source s_ext_udp_15146 {
udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
# Meraki tags its messages with facility local0; the expression inside the braces needs its own semicolon
filter f_meraki { facility(local0); };
# Route: only messages from this source that pass the facility filter reach the destination
log {
source(s_ext_udp_15146);
filter(f_meraki);
destination(d_meraki);
};
# One file per host and day; create_dirs(yes) lets syslog-ng build the $HOST/$YEAR/$MONTH/$DAY tree
destination d_meraki {
file("/logpartition/logs/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes) template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};
>port(15146))
It should be using port 500.
>It should be using port 500.
514 I think. Or it can be changed on the Meraki side to match 15146.
Yeah, I matched it to what was set up on Meraki, 514... No dice... tail -f /var/log/meraki.log still shows 0 bytes. No writes.
Is there a host-based firewall running on the server?
iptables inactive
selinux permissive
firewalld.service inactive
That seems to indicate the trouble is server side. Can you check anything else on the server?
For a sanity check you could use papertrailapp.com it is a free cloud syslog server and pretty quick and easy to configure and test with, if nothing else.
I hope you configured Syslog with the right configuration as described in Scenario 3 - Reachable via AutoVPN.
Check this article as well, if you are in line with the configurations:
https://snehpatel.com/index.php/2019/09/11/configuring-syslog-in-meraki-device/
The first url is for defined host IPs.
I'm sending from the Meraki cloud dashboard configuration page. Logs are hitting the server, it's just not getting logged where I need them to be stored.
With the second URL you mentioned I keep running into the following syntax error when restarting the service on the server.
filter f_meraki { facility(meraki); };
In that example, the author used "meraki" as a facility. There's no such thing.
Meraki defaults to local0 for the facility and this is not something that can be changed.
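Since tcpdump shows the messages arriving but nothing matches the file destination, the next thing to check is the facility encoded in each message's PRI field, which is what facility(local0) in the filter tests. The following is an added example, not code from the thread or from syslog-ng: a PRI decoder run over constructed sample lines (not a real Meraki capture) that reports which facility each line carries and which lines a facility(local0) filter would drop.

```python
"""Decode the syslog PRI of captured messages to see which facility they carry."""
import re
from collections import Counter

# RFC 3164 / RFC 5424 numbering: PRI = facility * 8 + severity. local0 is facility 16.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) for a raw syslog line, or None if the PRI is missing/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], SEVERITIES[sev]


def facility_report(lines, wanted="local0"):
    """Count facilities seen and collect lines that filter f_meraki { facility(wanted); } would drop."""
    seen = Counter()
    dropped = []
    for line in lines:
        decoded = decode_pri(line)
        fac = decoded[0] if decoded else "invalid"
        seen[fac] += 1
        if fac != wanted:
            dropped.append(line)
    return seen, dropped


# Constructed sample lines in the general shape of Meraki UDP syslog output (not a real capture).
SAMPLE = [
    "<134>1 1600000000.000000000 MX84 events type=vpn_connectivity_change vpn_type=site-to-site",
    "<134>1 1600000001.000000000 MX84 urls src=10.0.0.5:51234 dst=192.0.2.10:443 request: GET https://example.com/",
    "<190>1 1600000002.000000000 testhost message from a sender using local7 instead",
    "not a syslog message at all",
]

if __name__ == "__main__":
    counts, dropped = facility_report(SAMPLE)
    print("facilities seen:", dict(counts))
    for line in dropped:
        print("would NOT match facility(local0):", line[:60])
```

Feed it the payloads from the tcpdump capture: if every line decodes to local0 the filter is not the problem and the destination path or permissions are the next suspect.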