Event log / syslog

Adrian4
A model citizen

Hello,

I am trying to get decent content filter and firewall log info but am having a hard time. The Meraki event log truncates the details, so you can't see most of the message.

Everyone said to send the messages to a syslog server, so I set one up (Kiwi NG); however, I am not seeing any content filter messages and a suspiciously small amount of data in general.

I have selected everything possible in the Meraki setup.

[screenshot of the syslog settings]

But in the syslog server, in the last 24 hours there have been only 113 messages from 13 APs, and we have nearly 80 APs at this site and hundreds of staff.

The events are all flows or URLs. Every flow is an allow (I can't believe there hasn't been a single block).

Also, are the flows essentially the firewall rules? The message doesn't include any firewall rule name, which is a major inconvenience and makes it very difficult to configure rules to filter the logs for better clarity.

Also, there's no sign of any content filter events. Are these the URL events? If so, it looks like the messages are truncated at the same point they are on the dashboard 😞

9 Replies
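As an added illustration, not code from the original post or from Meraki, the script below parses syslog lines in the shape Meraki documents for its devices: an epoch timestamp, the reporting device name, a role keyword (flows, urls, events) and key=value fields, with layer 3 firewall flows ending in "pattern: allow|deny ..." and content filtering blocks arriving as "events content_filtering_block ...". All sample lines, device names, addresses and MACs are constructed; the example assumes the text after allow/deny is the firewall rule's comment, which is the only rule identifier such a line carries. Run against a real Kiwi export it answers the questions raised above from the data itself: which devices actually reported, the allow/deny split, which rules produced the denies, and whether any content filtering events arrived at all.

```python
"""Summarize Meraki-style syslog output: who reported, what was allowed or
denied, and whether content filtering events are present.

Line shape (epoch, device, role, key=value body) follows Meraki's documented
syslog format; every value in SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter

# <epoch> <device> <role> <body>; roles limited to the ones discussed here
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<role>flows|urls|events)\s+(?P<body>.*)$"
)
# key=value pairs; content filtering events single-quote their values
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# flows end with "pattern: allow <rule comment>" or "pattern: deny <rule comment>"
PATTERN_RE = re.compile(r"pattern:\s*(?P<action>allow|deny)\s*(?P<comment>.*)$")
# urls carry "request: <METHOD> <url>"
REQUEST_RE = re.compile(r"request:\s*(?P<method>\S+)\s+(?P<url>\S+)")

SAMPLE_LOG = """\
1712150083.123456789 AP-Office-01 flows src=10.20.30.40 dst=142.250.74.100 mac=AA:BB:CC:DD:EE:01 protocol=tcp sport=51234 dport=443 pattern: allow all
1712150084.223456789 AP-Office-01 flows src=10.20.30.41 dst=10.0.0.53 mac=AA:BB:CC:DD:EE:02 protocol=udp sport=40001 dport=53 pattern: allow all
1712150085.323456789 AP-Office-07 flows src=10.20.30.77 dst=203.0.113.9 mac=AA:BB:CC:DD:EE:03 protocol=tcp sport=51900 dport=23 pattern: deny Block telnet
1712150086.423456789 AP-Office-01 urls src=10.20.30.40:51235 dst=142.250.74.100:443 mac=AA:BB:CC:DD:EE:01 request: GET https://www.example.com/some/very/long/path
1712150087.523456789 MX-Site events content_filtering_block url='http://gambling.example.net/' category0='Gambling' server='198.51.100.7:80' client_mac='AA:BB:CC:DD:EE:04'
this line is not a Meraki syslog message
"""


def parse_line(line):
    """Return a dict for one Meraki syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "device": m["device"], "role": m["role"]}
    body = m["body"]
    if rec["role"] == "flows":
        pm = PATTERN_RE.search(body)
        if pm:
            rec["action"] = pm["action"]
            # assumption: the trailing text is the matching rule's comment
            rec["rule_comment"] = pm["comment"].strip()
            body = body[: pm.start()]
    elif rec["role"] == "urls":
        rm = REQUEST_RE.search(body)
        if rm:
            rec["method"], rec["url"] = rm["method"], rm["url"]
            body = body[: rm.start()]
    elif rec["role"] == "events":
        # the first token names the event, e.g. content_filtering_block
        rec["event_type"], _, body = body.partition(" ")
    rec["fields"] = {k: v.strip("'") for k, v in KV_RE.findall(body)}
    return rec


def summarize(lines):
    """Aggregate parsed lines into the counts a log reviewer wants first."""
    summary = {
        "devices": Counter(),          # messages per reporting device
        "roles": Counter(),            # flows / urls / events
        "flow_actions": Counter(),     # allow vs deny
        "deny_rules": Counter(),       # rule comments behind the denies
        "content_filter_blocks": [],   # one entry per content_filtering_block
        "skipped": 0,                  # non-empty lines that did not parse
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["skipped"] += bool(line.strip())
            continue
        summary["devices"][rec["device"]] += 1
        summary["roles"][rec["role"]] += 1
        if rec["role"] == "flows" and "action" in rec:
            summary["flow_actions"][rec["action"]] += 1
            if rec["action"] == "deny":
                summary["deny_rules"][rec["rule_comment"] or "(no comment)"] += 1
        elif rec.get("event_type") == "content_filtering_block":
            f = rec["fields"]
            summary["content_filter_blocks"].append(
                {"device": rec["device"], "url": f.get("url"),
                 "category": f.get("category0"), "client_mac": f.get("client_mac")}
            )
    return summary


def missing_devices(summary, expected_devices):
    """Devices you expected to hear from that sent nothing in this window."""
    return set(expected_devices) - set(summary["devices"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("messages per device:", dict(s["devices"]))
    print("roles:", dict(s["roles"]), "flow actions:", dict(s["flow_actions"]))
    print("deny rules:", dict(s["deny_rules"]))
    print("content filter blocks:", s["content_filter_blocks"])
    print("silent devices:", missing_devices(s, ["AP-Office-01", "AP-Office-07", "AP-Office-12"]))
```

Feeding `missing_devices` the full inventory of AP names exported from the dashboard gives the list of access points that never reached the collector, which is the first thing to check when 80 APs produce messages from only 13.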
alemabrahao
Kind of a big deal

It's probably a configuration issue in Kiwi Syslog.

Take a look at the documentation.

https://documentation.solarwinds.com/en/success_center/kss/content/kss_gsg_troubleshooting.htm

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ww
Kind of a big deal

To display firewall rules on the MX, you need to activate logging on the layer 3 firewall rules.

But regardless, it sounds like the syslog is not properly configured, as @alemabrahao says.

Adrian4
A model citizen

Ah, mint, cheers. I saw someone mention that before and I looked and couldn't find the boxes. Must have been blind, because on second look there they are, lol.

Adrian4
A model citizen

Mmm, I thought about that, but there really isn't much to configure. You just enable inbound UDP messages and tell it what port to listen on.

And it's clearly working to some extent, as it has received 113 messages, but only from 13 APs out of 80 😞

alemabrahao
Kind of a big deal

It would be interesting for you to double-check. In your place, I would validate these two parts.

[two screenshots of the Kiwi Syslog settings]

I've had similar problems, and the problem has always been on the Kiwi Syslog side.

You can try another syslog server.

I particularly like this one.

http://maxbelkov.github.io/visualsyslog/

Adrian4
A model citizen

I'm using their shiny new "next generation" version 🎉, which significantly simplifies the interface and config. I've already gone through their documentation and made sure the default rule is enabled and all that jazz.

I'll try another log server 😕

Ta

Adrian4
A model citizen

So events seem to be flowing in now; however, I don't seem to be receiving anything from the security appliance (all roles have been selected in the syslog settings).

I can see flows, URLs and the switch event log, but nothing from the appliance (specifically content filtering). I checked the Meraki event log and can see that there are filter events all the time.

Do I have to enable something like I did for the firewall rules?

alemabrahao
Kind of a big deal

Is Traffic analysis enabled?

[screenshot of the Traffic analysis setting]

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering


Yes, set to basic. I just changed it to detailed, but I'm not sure that will help?
