Log Server for Firewall Rule Logs

Solved
Fabian1
Getting noticed

Hi everyone,

I need to get the logs from our MX and need to take a deeper look at which IPs are blocked by the firewall.

Therefore I would like to set up a log server. Is Elasticsearch still state of the art, or do you have other recommendations?

I could also use AWS native services, but couldn't find anything that fits right out of the box.

Best

Fabian

1 Accepted Solution
KarstenI
Kind of a big deal

I like GrayLog. There is a free Small-Business edition for up to 5GB/day.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

15 Replies
Inderdeep
Kind of a big deal

@Fabian1 : Have a look 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
BrandonS
Kind of a big deal

I like https://papertrailapp.com

- Ex community all-star (⌐⊙_⊙)
DarrenOC
Kind of a big deal

As @KarstenI states, Graylog is pretty useful. Spin up the free version and see how much data your MX is spitting out, as per the 5GB limit for the free version.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
CptnCrnch
Kind of a big deal

I fiddled around with Graylog as well as Splunk and found the latter to be way more performant. The free license offers up to 500MB per day, which is a lot for small environments.

KarstenI
Kind of a big deal

I used Splunk some time ago (and just now I am wearing a Splunk T-shirt 😀). I really liked it, but the free version didn't have any access control. Is that still the case now?

Probably not really important as either are typically operated behind a reverse-proxy. I normally use NGINX on the same VM for this.

CptnCrnch
Kind of a big deal

True, you still don't get their "native" access control with the free version. That reminds me that I always wanted to try to combine Authelia with it.

Apart from that, their shirts are still way cool 😄

KarstenI
Kind of a big deal

Authelia looks very promising. Need to test that when I have some spare time!

MerryAki
Building a reputation

Whoop.

First post regarding Authelia. Will see how I can integrate it in the Dashboard etc. 🙂

Fabian1
Getting noticed

I installed Graylog, thanks for your help!

The installation is pretty straightforward and it has a very nice GUI.

I'm just wondering why there are no logs where I can see which traffic was blocked or allowed through the MX.

On other firewalls I can see which rule traffic passes or blocks...

Am I missing something here?

CptnCrnch
Kind of a big deal

I guess you're missing something here. Here's how it should look (see also https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...):

Inbound Flow:

192.168.10.1 1 948077334.886213117 MX60 flows src=39.41.X.X dst=114.18.X.X protocol=udp sport=13943 dport=16329 pattern: 1 all

Outbound Flow:

192.168.10.1 1 948136486.721741837 MX60 flows src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

Summary: 

The inbound flow example shows a blocked UDP flow from 39.41.X.X to the WAN IP of the MX. The outbound flow shows an allowed outbound flow for a DNS request.   

What does your syslog configuration look like?

Fabian1
Getting noticed

Oh yeah, I found some of these, unfortunately just a few:

<134>1 1636619339.383779076 DE_WASTE_BIO_SCHKO_01_MX001 flows src=10.X.X.X dst=10.X.X.X mac=X:X:X:X protocol=tcp sport=54082 dport=13000 pattern: 0 all

But most look like this:

<134>1 1636619576.273300189 DE_WASTE_WSM_BERNB_01_MX001 ip_flow_start src=172.X.X.X dst=8.8.8.8 protocol=udp sport=33014 dport=53 translated_src_ip=192.X.X.X translated_port=33014

Maybe because most of the logs are stateless and not firewall relevant?  
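An added example (not code from this thread, Meraki, or Graylog) that parses both line shapes quoted in the two posts above, the `flows` lines carrying a `pattern:` verdict and the `ip_flow_start` NAT lines carrying none, and answers the original question of which source IPs are being blocked. The mapping of the numeric code `1` to "blocked" follows CptnCrnch's summary; the literal `allow`/`deny` words, the hostnames and the RFC 5737 addresses in the sample are assumptions.

```python
"""Parse Meraki MX syslog 'flows' / 'ip_flow_start' lines and count blocked sources."""
import re
from collections import Counter

# Header is either "<PRI>VERSION" (raw syslog) or "RELAY-IP 1" (collector view),
# then the epoch timestamp, the MX hostname, the event type and the payload.
_HEADER = re.compile(
    r"^(?:<\d+>\d+|\S+\s+\d+)\s+(?P<ts>\d+\.\d+)\s+(?P<host>\S+)\s+"
    r"(?P<event>\S+)\s*(?P<rest>.*)$")
_KV = re.compile(r"(\w+)=(\S+)")          # key=value tokens such as src=, dport=


def parse_line(line):
    """Return {ts, host, event, fields, pattern} or None for a non-matching line."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    # Only 'flows' lines end in "pattern: <verdict> <rule>"; NAT lines do not.
    payload, _, pattern = m.group("rest").partition(" pattern: ")
    return {"ts": float(m.group("ts")), "host": m.group("host"),
            "event": m.group("event"), "fields": dict(_KV.findall(payload)),
            "pattern": pattern.strip() or None}


def decision(rec):
    """Map the first 'pattern:' token to allow/deny; None when there is no verdict.
    '1' is treated as deny because the thread's inbound 'pattern: 1 all' example
    is described as a blocked flow; other codes are reported as 'unknown', not guessed."""
    if rec is None or rec["event"] != "flows" or not rec["pattern"]:
        return None
    token = rec["pattern"].split()[0].lower()
    return {"allow": "allow", "deny": "deny", "1": "deny"}.get(token, "unknown")


def blocked_sources(lines):
    """Count denied flows per source IP: the view the original poster asked for."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if decision(rec) == "deny":
            counts[rec["fields"].get("src", "?")] += 1
    return counts


# Constructed sample in the thread's format (assumed hosts, RFC 5737 addresses).
SAMPLE = [
    "<134>1 1636619339.383779076 MX001 flows src=198.51.100.7 dst=203.0.113.2 protocol=tcp sport=54082 dport=3389 pattern: deny all",
    "<134>1 1636619340.100000000 MX001 flows src=198.51.100.7 dst=203.0.113.2 protocol=tcp sport=54083 dport=22 pattern: 1 all",
    "192.168.10.1 1 948136486.721741837 MX60 flows src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:00:00:01 protocol=udp sport=9562 dport=53 pattern: allow all",
    "<134>1 1636619576.273300189 MX001 ip_flow_start src=172.16.0.5 dst=8.8.8.8 protocol=udp sport=33014 dport=53 translated_src_ip=192.0.2.10 translated_port=33014",
]

if __name__ == "__main__":
    for src, n in blocked_sources(SAMPLE).most_common():
        print(f"{src}: {n} blocked flow(s)")
```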

Bruce
Kind of a big deal

Do you have logging/syslog enabled for the firewall rules? There is a check box on the firewall rules that needs to be checked to enable Syslog generation by the rule.

Fabian1
Getting noticed

Oh my...

Yes, the checkbox was missing. Now I can see the logs of the firewall rules.

Thanks a lot!

Dunky
Head in the Cloud

I use Visual Syslog Server for Windows (maxbelkov.github.io) [which is free], installed on an on-prem PC/server; it does not have any bandwidth restrictions.
