Meraki Cloud | Syslog-ng | No log

cypher88
Just browsing

Meraki Cloud | Syslog-ng | No log

Working on forwarding syslog protocol log messages to a syslog-ng server.

 

I've got the configuration file in place but log location /var/log/meraki.log isn't recording any events/alerts. 

 

Server SELinux is permissive and netstat shows it's listening on 514. Meraki syslog reporting is set up correctly using IP and default 514.

 

When I run a packet capture using tcpdump, the server is receiving messages, but none are being recorded in the path defined in the syslog-ng.conf file.

 

Any input is appreciated. 

12 REPLIES 12
KRobert
Head in the Cloud

Re: Meraki Cloud | Syslog-ng | No log

BrandonS
Kind of a big deal

Re: Meraki Cloud | Syslog-ng | No log

That seems to indicate the trouble is server side.  Can you check anything else on the server?

 

For a sanity check you could use papertrailapp.com. It is a free cloud syslog server and pretty quick and easy to configure and test with, if nothing else.

 

 

Inderdeep
A model citizen

Re: Meraki Cloud | Syslog-ng | No log

I hope you configured Syslog with the right configuration as described in Scenario 3 - Reachable via AutoVPN

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv... 

 

Check this article as well, to see if you are in line with the configurations:

https://snehpatel.com/index.php/2019/09/11/configuring-syslog-in-meraki-device/ 

Regards
Inderdeep Singh
www.thenetworkdna.com
cypher88
Just browsing

Re: Meraki Cloud | Syslog-ng | No log

I've given it a go before but service will not start when using filter f_meraki { facility(meraki); };

 

Per journal log it seems to get stuck at that configuration. 

cypher88
Just browsing

Re: Meraki Cloud | Syslog-ng | No log

The first url is for defined host IPs. 

 

I'm sending from the Meraki cloud dashboard configuration page. Logs are hitting the server, they're just not getting logged where I need them to be stored.

 

With the second URL you mentioned, I keep running into the following syntax error when restarting the service on the server.

 

filter f_meraki { facility(meraki); };

Inderdeep
A model citizen

Re: Meraki Cloud | Syslog-ng | No log

Sample configs 

 

# Listen for syslog over UDP on port 15146
source s_ext_udp_15146 {
    udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
# Keep only messages sent with facility local0
filter f_meraki { facility(local0); };
log {
    source(s_ext_udp_15146);
    filter(f_meraki);
    destination(d_meraki);
};
# Write one file per sending host and day, creating directories as needed
destination d_meraki {
    file("/logpartition/logs/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
        owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes)
        template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

Regards
Inderdeep Singh
www.thenetworkdna.com
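
Added example, not part of any post in this thread: a small Python check that decodes the PRI field of a syslog payload copied from a packet capture, so you can see which facility name a facility() filter has to use for the message to reach the destination. The sample payload, the names decode_pri and facility_filter_matches, and the simplified filter model are assumptions made for illustration.

```python
import re

# Conventional syslog facility names by code (RFC 5424 numbering). Codes 12-15
# have platform-dependent names, so this sketch reports them numerically.
FACILITIES = dict(enumerate(["kern", "user", "mail", "daemon", "auth", "syslog",
                             "lpr", "news", "uucp", "cron", "authpriv", "ftp"]))
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample payload, shaped like a datagram copied out of a capture.
SAMPLE = (b"<134>1 1700000000.123456789 MX_example flows "
          b"src=192.0.2.10 dst=198.51.100.20 protocol=tcp")


def decode_pri(payload):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(payload)
    if m is None or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    fac, sev = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    return FACILITIES.get(fac, str(fac)), SEVERITIES[sev]


def facility_filter_matches(payload, wanted):
    """Simplified model of a facility(wanted) filter.

    An unknown name is rejected outright, which corresponds to the service
    refusing to start with facility(meraki) as reported in the thread.
    A known name that differs from the message's facility silently drops it.
    """
    if wanted not in FACILITIES.values():
        raise ValueError(f"unknown facility name: {wanted!r}")
    decoded = decode_pri(payload)
    return decoded is not None and decoded[0] == wanted


if __name__ == "__main__":
    print("decoded PRI:", decode_pri(SAMPLE))
    for name in ("local0", "local1", "meraki"):
        try:
            print(name, "->", facility_filter_matches(SAMPLE, name))
        except ValueError as exc:
            print(name, "-> config error:", exc)
```

If the decoded facility differs from the one named in the filter, the packets still show up in tcpdump while the destination file stays empty.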
PhilipDAth
Kind of a big deal

Re: Meraki Cloud | Syslog-ng | No log

>port(15146))

 

It should be using port 500.

BrandonS
Kind of a big deal

Re: Meraki Cloud | Syslog-ng | No log

>It should be using port 500.

 

514 I think. Or it can be changed on the Meraki side to match 15146.

PhilipDAth
Kind of a big deal

Re: Meraki Cloud | Syslog-ng | No log

Oops, @BrandonS is correct.  It should be 514.

cypher88
Just browsing

Re: Meraki Cloud | Syslog-ng | No log

Yeah, I matched it to what was set up on Meraki, 514... No dice... tail -f /var/log/meraki.log file still shows 0 bytes... No writes.

PhilipDAth
Kind of a big deal

Re: Meraki Cloud | Syslog-ng | No log

Is there a host-based firewall running on the server?

cypher88
Just browsing

Re: Meraki Cloud | Syslog-ng | No log

iptables inactive

selinux permissive

firewalld.service inactive
