Meraki Cloud | Syslog-ng | No log

cypher88
Just browsing


Working on forwarding syslog protocol log messages to a syslog-ng server.

I've got the configuration file in place, but the log location /var/log/meraki.log isn't recording any events/alerts.

Server SELinux is permissive and netstat shows it's listening on 514. Meraki reporting syslog is set up correctly using the IP and default 514.

When I run a packet capture using tcpdump, the server is receiving messages, but none are being recorded in the path defined in the syslog-ng.conf file.

 

Any input is appreciated. 

KRobert
Head in the Cloud

I've given it a go before, but the service will not start when using filter f_meraki { facility(meraki); };

 

Per journal log it seems to get stuck at that configuration. 

Inderdeep
Kind of a big deal

Sample configs 

 

# UDP listener; the port must match the one configured on the Meraki dashboard
source s_ext_udp_15146 {
    udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
# Meraki sends with facility local0
filter f_meraki { facility(local0); };
log {
    source(s_ext_udp_15146);
    filter(f_meraki);
    destination(d_meraki);
};
# One file per host per day; directories are created as needed
destination d_meraki {
    file("/logpartition/logs/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
        owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes)
        template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

>port(15146))

 

It should be using port 500.

BrandonS
Kind of a big deal

>It should be using port 500.

 

514, I think. Or it can be changed on the Meraki side to match 15146.

- Ex community all-star (⌐⊙_⊙)
PhilipDAth
Kind of a big deal

Oops, @BrandonS is correct.  It should be 514.

Yeah, I matched it to what was set up on Meraki, 514... No dice... tail -f /var/log/meraki.log file still shows 0 bytes. No writes.

PhilipDAth
Kind of a big deal

Is there a host-based firewall running on the server?

iptables inactive

selinux permissive

firewalld.service inactive

BrandonS
Kind of a big deal

That seems to indicate the trouble is server side.  Can you check anything else on the server?

 

For a sanity check you could use papertrailapp.com; it is a free cloud syslog server and pretty quick and easy to configure and test with, if nothing else.

 

 

- Ex community all-star (⌐⊙_⊙)
Inderdeep
Kind of a big deal

I hope you configured Syslog with the right configuration as described in Scenario 3 - Reachable via AutoVPN

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv... 

 

Check this article as well, to see if you are in line with the configurations

https://snehpatel.com/index.php/2019/09/11/configuring-syslog-in-meraki-device/ 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

The first URL is for defined host IPs.

I'm sending from the Meraki cloud dashboard configuration page. Logs are hitting the server; they're just not getting logged where I need them to be stored.

With the second URL you mentioned, I keep running into the following syntax error when restarting the service on the server.

 

filter f_meraki { facility(meraki); };

JonH
Meraki Employee

In that example, the author used "meraki" as a facility. There's no such thing.

 

Meraki defaults to local0 for the facility and this is not something that can be changed.
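
Added example, not part of the thread or of any poster's code: a small Python check that decodes the `<PRI>` header of a syslog datagram (such as a payload taken from the tcpdump capture mentioned above) into its facility and severity, and tests whether a given facility() filter name would select it. The sample payload, the hostname in it and the function names are constructed for illustration.

```python
import re

# Conventional syslog facility keywords by numeric code (RFC 3164/5424 numbering).
# Codes 12-15 have platform-specific names, so they are shown here by number.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "facility12", "facility13",
              "facility14", "facility15"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Return (facility, severity) names from the <PRI> header of a syslog datagram."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("no <PRI> header; not a syslog datagram")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    # PRI = facility * 8 + severity
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def filter_matches(filter_facility: str, datagram: bytes) -> bool:
    """Would a facility() filter naming filter_facility select this datagram?"""
    if filter_facility not in FACILITIES:
        # A name like "meraki" is not a facility at all, so it can never match.
        raise ValueError(f"{filter_facility!r} is not a syslog facility keyword")
    return decode_pri(datagram)[0] == filter_facility

# Constructed sample payload (not captured from a real device): PRI 134 = 16*8 + 6.
SAMPLE = b"<134>1 1700000000.000000000 EXAMPLE_MX flows allow src=192.0.2.10 dst=198.51.100.5"

if __name__ == "__main__":
    print(decode_pri(SAMPLE))
    print(filter_matches("local0", SAMPLE))
    try:
        filter_matches("meraki", SAMPLE)
    except ValueError as e:
        print("config error:", e)
```

If the decoded facility of the captured traffic differs from the one named in the filter, the log path drops every message even though the packets arrive.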
