Meraki

Community

Meraki syslog messages are confusing

Adrian4
Head in the Cloud
‎Sep 11 2024 1:38 AM
‎Sep 11 2024 1:38 AM

Meraki syslog messages are confusing

Hello,

Since meraki logs seem to truncate the useful portion of most messages, I am sending "flows, urls and security events" to a syslog server.

However, "flow" isnt really a helpful category. Apparently some things have been split into more useful labels

Adrian4_0-1726043789996.png

but im still seeing thousands of messages marked as "flow" - what does this actually mean? 

 

 

Another issue I have is finding the content filter logs. Int eh dashboard they are clearly marked as 

FilteringContent filtering blocked URL


and there are lots of logs, but I cant see anything int eh syslog server with "content filter" in the message. How do I find these?

Labels:
0 Kudos
5 Replies 5
ww
Kind of a big deal
Kind of a big deal
‎Sep 11 2024 2:32 AM
‎Sep 11 2024 2:32 AM

What mx device and firmware you have?

 

Do you also have a MR ? Mr should still send flow logging

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_...

 

A flow is basically every new session a client makes

https://community.meraki.com/t5/Wireless/What-Is-Flows/td-p/36277

In response to ww
Adrian4
Head in the Cloud
‎Sep 11 2024 2:51 AM
‎Sep 11 2024 2:51 AM

hello,
we have mostly MX250's on 18.211.2    and MR46's

basically, I want to be able to whatever traffic is being blocked. Id like to know, what did the blocking (was it the content filter or firewall? if its a firewall rule, which rule), also exactly what url / ip /whatever was blocked.


Right now I have lots of logs that say "flows deny" with a src/dst ip, a mac and a protocol. - What is that? Is that a firewall rule? which firewall? which rule?

In my MX firewall rules I have selected certain ones to log to syslog  how do i find those in the logs?

how do i see what the content filter is blocking?


thanks!

0 Kudos
In response to Adrian4
ntuccillo
Here to help
‎Sep 11 2024 7:13 AM
‎Sep 11 2024 7:13 AM

Adrian,

 

For the "Flows Deny" that sounds like the ACLs in effect. This includes the switching ACLs and MR ACLs.  Meraki will not block any LAN/Outbound connections unless you specifically state to do so. By default, it's in an allow state. However, for the MRs, it will automatically block LAN connections. You'd have to go into Wireless -> Firewall & Traffic Shaping, then check those rules.

 

For all inbound traffic being blocked, you can view the Security Center in Security & SD-Wan -> Security Center. You can see what is being blocked through the content filter, and what is being blocked in general based on pre-defined rules via Snort. You can also see these logs in Network-Wide -> Event Log.

 

Hopefully this information helps.

In response to ntuccillo
Adrian4
Head in the Cloud
‎Sep 11 2024 7:16 AM
‎Sep 11 2024 7:16 AM

Hi, thanks for the reply - but this is about syslog messages.

If the meraki logs didnt truncate the messages, then there would be no need for the syslog server but since they do, I need to understand what is generating the messages (which firewall, which rule, whats the content filter doing?).

0 Kudos
In response to Adrian4
ntuccillo
Here to help
‎Sep 11 2024 7:43 AM
‎Sep 11 2024 7:43 AM

My apologies, I need to read better. For "Flows Deny", I am 99% certain that it's going to be an inbound connection from an external IP. We get tons of them every day. I can't give you any other information on Syslog. We let our SIEM translate it. I'm sorry.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.