Meraki Cloud | Syslog-ng | No log

cypher88
Just browsing

Working on forwarding syslog protocol log messages to a syslog-ng server.

I've got the configuration file in place but log location /var/log/meraki.log isn't recording any events/alerts.

Server SELinux is permissive and netstat shows it's listening on 514. Meraki syslog reporting is set up correctly using the IP and default 514.

When I run a packet capture using tcpdump, the server is receiving messages, but none are being recorded in the path defined in the syslog-ng.conf file.

Any input is appreciated.

KRobert
Head in the Cloud

cypher88
Just browsing

I've given it a go before but service will not start when using filter f_meraki { facility(meraki); };

 

Per journal log it seems to get stuck at that configuration. 

Inderdeep
Kind of a big deal

Sample configs

# UDP listener; the port must match the one set on the Meraki dashboard
source s_ext_udp_15146 {
    udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
# Meraki sends with facility local0
filter f_meraki { facility(local0); };
log {
    source(s_ext_udp_15146);
    filter(f_meraki);
    destination(d_meraki);
};
# One file per host per day
destination d_meraki {
    file("/logpartition/logs/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
        owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes)
        template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal

>port(15146))

 

It should be using port 500.

BrandonS
Kind of a big deal

>It should be using port 500.

 

514, I think. Or it can be changed on the Meraki side to match 15146.

- Ex community all-star (⌐⊙_⊙)
PhilipDAth
Kind of a big deal

Oops, @BrandonS is correct.  It should be 514.

cypher88
Just browsing

Yea, I matched to what was set up on Meraki, 514... No dice... tail -f /var/log/meraki.log still shows 0 bytes... No writes.

PhilipDAth
Kind of a big deal

Is there a host-based firewall running on the server?

cypher88
Just browsing

iptables inactive

selinux permissive

firewalld.service inactive

BrandonS
Kind of a big deal

That seems to indicate the trouble is server side. Can you check anything else on the server?

For a sanity check you could use papertrailapp.com; it is a free cloud syslog server and pretty quick and easy to configure and test with, if nothing else.

- Ex community all-star (⌐⊙_⊙)
Inderdeep
Kind of a big deal

I hope you configured Syslog with the right configuration as described in Scenario 3 - Reachable via AutoVPN

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

Check this article as well, to see if you are in line with the configurations

https://snehpatel.com/index.php/2019/09/11/configuring-syslog-in-meraki-device/

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
cypher88
Just browsing

The first URL is for defined host IPs.

I'm sending from the Meraki cloud dashboard configuration page. Logs are hitting the server, they are just not getting logged where I need them to be stored.

With the second URL you mentioned, I keep running into the following syntax error when restarting the service on the server.

filter f_meraki { facility(meraki); };

Jon_Hartman
Meraki Employee

In that example, the author used "meraki" as a facility. There's no such thing.

 

Meraki defaults to local0 for the facility and this is not something that can be changed.
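
Added example, not code from any poster in this thread or from Meraki: decoding the <PRI> field at the start of each datagram seen in the packet capture shows which facility a syslog-ng facility() filter has to name (local0 is facility 16, so PRI 128-135). The function names and the sample payloads are constructed for illustration.

```python
import re

# Standard syslog facility names, indexed by facility code (RFC 3164 / RFC 5424).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Return (facility, severity) names, or None if there is no valid PRI."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest valid PRI value
        return None
    # PRI = facility * 8 + severity
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def carries_facility(datagram: bytes, facility: str) -> bool:
    """True if the datagram's PRI encodes the named facility."""
    if facility not in FACILITIES:
        # e.g. "meraki": not a syslog facility, so no filter can name it
        raise ValueError(f"{facility!r} is not a syslog facility")
    decoded = decode_pri(datagram)
    return decoded is not None and decoded[0] == facility


# Constructed sample payloads (not captured from a real device).
SAMPLES = [
    b"<134>1 1700000000.123456789 MX_example flows src=192.0.2.10 dst=198.51.100.5",
    b"<30>Jan  1 00:00:00 host daemon[1]: constructed non-Meraki message",
    b"no PRI header at all",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(decode_pri(payload), payload[:40])
```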
