Meraki Cloud | Syslog-ng | No log

cypher88
Just browsing

Meraki Cloud | Syslog-ng | No log

Working on forwarding syslog protocol log messages to a syslog-ng server.

I've got the configuration file in place, but the log location /var/log/meraki.log isn't recording any events/alerts.

Server SELinux is permissive and netstat shows it's listening on 514. Meraki reports syslog is set up correctly using the IP and the default 514.

When I run a packet capture using tcpdump, the server is receiving messages, but none are being recorded in the path defined in the syslog-ng.conf file.

Any input is appreciated.

KRobert
Head in the Cloud

I've given it a go before, but the service will not start when using filter f_meraki { facility(meraki); };

Per the journal log it seems to get stuck at that configuration.

Inderdeep
Kind of a big deal

Sample configs 

 

# Plain UDP listener. The Meraki dashboard default is 514; change port() here
# or on the dashboard so both sides match.
source s_ext_udp_15146 {
    udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};

# Meraki sends all of its messages with facility local0.
filter f_meraki { facility(local0); };

# One file per host and day, directories created on demand.
destination d_meraki {
    file("/logpartition/logs/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
         owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm)
         create_dirs(yes) template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

# Tie source, filter and destination together.
log {
    source(s_ext_udp_15146);
    filter(f_meraki);
    destination(d_meraki);
};

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

>port(15146))

 

It should be using port 500.

BrandonS
Kind of a big deal

>It should be using port 500.

 

514, I think. Or it can be changed on the Meraki side to match 15146.

- Ex community all-star (⌐⊙_⊙)
PhilipDAth
Kind of a big deal

Oops, @BrandonS is correct.  It should be 514.

Yeah, I matched it to what was set up on Meraki, 514... No dice... tail -f /var/log/meraki.log still shows 0 bytes... no writes.

PhilipDAth
Kind of a big deal

Is there a host-based firewall running on the server?

iptables inactive

selinux permissive

firewalld.service inactive

BrandonS
Kind of a big deal

That seems to indicate the trouble is server side.  Can you check anything else on the server?

 

For a sanity check you could use papertrailapp.com; it is a free cloud syslog server and pretty quick and easy to configure and test with, if nothing else.

- Ex community all-star (⌐⊙_⊙)
Inderdeep
Kind of a big deal

I hope you configured Syslog with the right configuration as described in Scenario 3 - Reachable via AutoVPN

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv... 

 

Check this article as well, if you are in line with the configurations:

https://snehpatel.com/index.php/2019/09/11/configuring-syslog-in-meraki-device/ 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

The first URL is for defined host IPs.

I'm sending from the Meraki cloud dashboard configuration page. Logs are hitting the server; they are just not getting logged where I need them to be stored.

With the second URL you mentioned, I keep running into the following syntax error when restarting the service on the server:

 

filter f_meraki { facility(meraki); };

JonH
Meraki Employee

In that example, the author used "meraki" as a facility. There's no such thing.

 

Meraki defaults to local0 for the facility and this is not something that can be changed.
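The two facts that matter in this thread are that tcpdump shows the datagrams arriving and that Meraki tags everything with facility local0, so a filter on any other facility silently drops every message. The script below is an added example, written for this page and not from the thread, Meraki or syslog-ng: it decodes the <PRI> prefix of a datagram the way syslog-ng does (PRI = facility * 8 + severity), mirrors a facility(local0) filter on a single line so you can check what tcpdump -A shows against your filter, and can send a test message with the same facility over UDP so you can tell a syslog-ng config problem from a network one. The sample datagram is constructed for the example, and the server IP and port are command-line arguments you supply.

```python
"""Decode and generate syslog PRI values to debug a facility filter.

Added example for this thread, not code from Meraki or syslog-ng.
"""
import socket
import sys

# Facility and severity codes from RFC 5424 section 6.2.1 (same as RFC 3164).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """PRI value as defined by the RFCs: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_pri(datagram):
    """Split the leading <PRI> off a raw datagram.

    Returns (facility_name, severity_name, remainder). Raises ValueError on a
    datagram with no PRI or an out-of-range value, which is also a message
    syslog-ng would not classify the way you expect.
    """
    if isinstance(datagram, bytes):
        datagram = datagram.decode("utf-8", errors="replace")
    if not datagram.startswith("<") or ">" not in datagram[:5]:
        raise ValueError("no PRI field at start of %r" % datagram[:20])
    end = datagram.index(">")
    value = int(datagram[1:end])
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range: %d" % value)
    facility, severity = divmod(value, 8)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity], datagram[end + 1:]


def passes_facility_filter(datagram, facility="local0"):
    """Same decision syslog-ng makes for `filter { facility(local0); };`."""
    return parse_pri(datagram)[0] == facility


def build_message(facility, severity, host, tag, text, timestamp="Jan  1 00:00:00"):
    """Build an RFC 3164 style datagram body carrying the given facility."""
    return f"<{pri(facility, severity)}>{timestamp} {host} {tag}: {text}".encode()


def send_udp(host, port, payload: bytes) -> int:
    """Send one datagram to the syslog server; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


# Constructed sample in the shape of a Meraki flow log line: <134> is local0.info.
SAMPLE = (b"<134>1 1500000000.123456789 MX_01 flows src=10.0.0.5 dst=198.51.100.7 "
          b"protocol=udp sport=40000 dport=53 pattern: allow all")

if __name__ == "__main__":
    fac, sev, rest = parse_pri(SAMPLE)
    print(f"sample: facility={fac} severity={sev} passes_local0={passes_facility_filter(SAMPLE)}")
    # python3 syslog_pri.py <syslog-ng-ip> <port>  sends one local0.info test message
    if len(sys.argv) == 3:
        msg = build_message("local0", "info", socket.gethostname(),
                            "meraki-test", "test message from syslog_pri.py")
        print("sent", send_udp(sys.argv[1], int(sys.argv[2]), msg), "bytes")
```

Run `tcpdump -A -n udp port 514` on the syslog-ng host and pass the leading `<NNN>` of a captured Meraki packet to parse_pri; if the facility it reports is not the one in your filter, nothing will ever reach the destination file. If a message sent with the script to the server's IP and port does land in the file while Meraki's do not, the listener and destination are fine and the difference is in the message itself; if neither lands, check with `syslog-ng -s` that the config parses and with `ss -ulnp` that it is syslog-ng, not another daemon, bound to the port.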
