Meraki

Community

Event log / syslog

Adrian4
Head in the Cloud
‎Apr 3 2024 6:20 AM
‎Apr 3 2024 6:20 AM

Event log / syslog

Hello,

I am trying to get decent content filter and firewall log info but having a hard time. The meraki event log truncates the details so you cant see most of the message.

 

Everyone said to send the messages to a syslog so I set one up (Kiwi NG), however I am not seeing any content filter stuff and a suspiciously small amount of data in general.

I have selected everything possible in the meraki setup

Adrian4_0-1712150083014.png

but in the syslog server, in the last 24 hours there have been only 113 messages from 13 AP's - but we have nearly 80 AP's at this site and hundreds of staff.

The events are all flows or urls. Every flow is an allow (I cant believe there hasnt been a single block ).

Also - are the flows essentially the firewall rules? the message doesn't include any firewall rule name which is a major inconvenience and makes it very difficult to config rules to filter the logs for better clarity.

Also - theres no sign of any content filter events - are these the url events? If so, it looks like the messages are truncated at the same point they are on the dashboard 😞

Labels:
0 Kudos
9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 3 2024 6:26 AM
‎Apr 3 2024 6:26 AM

It's probably a configuration issue in Kiwi Syslog.

Take a look at the documentation.

https://documentation.solarwinds.com/en/success_center/kss/content/kss_gsg_troubleshooting.htm

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Apr 3 2024 6:31 AM
‎Apr 3 2024 6:31 AM

To display firewall rules on the mx you need to activate the log part at the layer3 firewall rules.

But regardless it sounds like the syslog is not propperly configured like @alemabrahao says

In response to ww
Adrian4
Head in the Cloud
‎Apr 3 2024 7:12 AM
‎Apr 3 2024 7:12 AM

ah mint cheers. I saw someone mention that before and I looked and couldn't find the boxes. Must have been blind cos on second look there they are lol.

0 Kudos
Adrian4
Head in the Cloud
‎Apr 3 2024 7:11 AM
‎Apr 3 2024 7:11 AM

mmm i thought about that, but there really isnt much to configure. You just enable inbound UDP messages and tell it what port to listen to.

And its clearly working to some extent as its received 113 messages - but only from 13 APs out of 80 😞

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 3 2024 7:22 AM
‎Apr 3 2024 7:22 AM

It would be interesting for you to double check. In your place I would validate these two parts.

alemabrahao_0-1712153930178.pngalemabrahao_1-1712153956227.png

 

I've had similar problems and the problem has always been on the Kiwi Syslog side.

 

You can try with another syslog server.

 

I particularly like this one.

http://maxbelkov.github.io/visualsyslog/

 

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud
‎Apr 3 2024 8:18 AM
‎Apr 3 2024 8:18 AM

im using their shiny new "next generation" version 🎉 which significantly simplifies the interface and config. Iv already gone through their documentation and made sure the default rule is enabled and all that jazz.

ill try another logserver 😕

 

ta 

0 Kudos
Adrian4
Head in the Cloud
‎Apr 8 2024 3:14 AM
‎Apr 8 2024 3:14 AM

so events seem to be flowing in now - however I don't seem to be receiving anything from the security appliance (all roles have been selected in syslog settings).

I can see flows, urls, switch event log - but nothing from the appliance (specifically content filtering). I checked in meraki event log and can see that there are filter events all the time.

Do I have to enable something like I did for the firewall rules?

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 8 2024 3:28 AM
‎Apr 8 2024 3:28 AM

Is Traffic analysis enabled?

 

alemabrahao_0-1712572073623.png

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Apr 8 2024 5:27 AM
‎Apr 8 2024 5:27 AM

yes - set to basic. I just changed it to detailed but not sure that will help?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.