Meraki

Community

Log Server for Firewall Rule Logs

Solved
Fabian1
Getting noticed
‎Nov 1 2021 5:33 AM
‎Nov 1 2021 5:33 AM

Log Server for Firewall Rule Logs

Hi everyone,

 

I need to get the logs from our MX and need to take a deeper look what IPs are blocked from the firewall.

Therefor I would like to set up a log server. Is Elasticsearch still state of the art or do you have other recommendations?

I could also use AWS native services, but couldn't find anything that fits right out of the box.

 

Best

Fabian

Labels:
0 Kudos
1 Accepted Solution
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 1 2021 10:12 AM
‎Nov 1 2021 10:12 AM

I like GrayLog. There is a free Small-Business edition for up to 5GB/day.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

15 Replies 15
Inderdeep
Kind of a big deal
‎Nov 1 2021 6:33 AM
‎Nov 1 2021 6:33 AM

@Fabian1 : Have a look 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

 

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/
0 Kudos
BrandonS
Kind of a big deal
‎Nov 1 2021 9:18 AM
‎Nov 1 2021 9:18 AM

I like https://papertrailapp.com

- Ex community all-star (⌐⊙_⊙)
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 1 2021 10:12 AM
‎Nov 1 2021 10:12 AM

I like GrayLog. There is a free Small-Business edition for up to 5GB/day.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
DarrenOC
Kind of a big deal
Kind of a big deal
‎Nov 1 2021 11:14 AM
‎Nov 1 2021 11:14 AM

As @KarstenI states Graylog is pretty useful. Spin up the free version and see how much data your MX is spitting out as per the 5Gb limit for the free version.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
CptnCrnch
Kind of a big deal
‎Nov 2 2021 7:51 AM
‎Nov 2 2021 7:51 AM

I fiddled around with Graylog as well as Splunk and found the latter to be way more performant. The free license offers up to 500MB per day, which is a lot for small environments.

0 Kudos
In response to CptnCrnch
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 2 2021 8:32 AM
‎Nov 2 2021 8:32 AM

I used Splunk some time ago (and just now I am wearing a Splunk T-Shirt 😀). I really liked it but the free version didn't have any Access-Control. Is that still the case now?

Probably not really important as either are typically operated behind a reverse-proxy. I normally use NGINX on the same VM for this.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
CptnCrnch
Kind of a big deal
‎Nov 2 2021 8:43 AM
‎Nov 2 2021 8:43 AM

True, you still don't get their "native" access control with the free version. That reminds me that I always wanted to try to comine Authelia with it.

 

Aprt from that, their shirts are still way cool 😄

In response to CptnCrnch
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 2 2021 8:53 AM
‎Nov 2 2021 8:53 AM

Authelia looks very promising. Need to test that when I have some spare time!

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to CptnCrnch
MerryAki
Building a reputation
‎Jun 19 2023 11:59 PM
‎Jun 19 2023 11:59 PM

Whoop.

 

First post regarding Authelia. Will see how I can integrate it in the Dashboard etc. 🙂

0 Kudos
Fabian1
Getting noticed
‎Nov 10 2021 11:23 PM
‎Nov 10 2021 11:23 PM

I installed Graylog, thanks for your help!

The installation is pretty straight forward and has a very nice gui.

 

I'm just wondering that there are no logs where I can see which traffic was blocked or allowed through the MX.

On other firewalls I can see which rule traffic passes or blocks...

 

Am I missing something here?

0 Kudos
In response to Fabian1
CptnCrnch
Kind of a big deal
‎Nov 11 2021 12:07 AM
‎Nov 11 2021 12:07 AM

I guess you're missing something here. Here's how it should like (see also https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...😞

 

Inbound Flow:

192.168.10.1 1 948077334.886213117 MX60 flows src=39.41.X.X dst=114.18.X.X protocol=udp sport=13943 dport=16329 pattern: 1 all

Outbound Flow:

192.168.10.1 1 948136486.721741837 MX60 flows src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

Summary: 

The inbound flow example shows a blocked UDP flow from 39.41.X.X to the WAN IP of the MX. The outbound flow shows an allowed outbound flow for a DNS request.

How does your Syslog configuration look like?

0 Kudos
In response to CptnCrnch
Fabian1
Getting noticed
‎Nov 11 2021 12:44 AM
‎Nov 11 2021 12:44 AM

Oh Yeah I found some of these, unfortunately just a few

 

<134>1 1636619339.383779076 DE_WASTE_BIO_SCHKO_01_MX001 flows src=10.X.X.X dst=10.X.X.X mac=X:X:X:X protocol=tcp sport=54082 dport=13000 pattern: 0 all

 

But most look like this:

 

<134>1 1636619576.273300189 DE_WASTE_WSM_BERNB_01_MX001 ip_flow_start src=172.X.X.X dst=8.8.8.8 protocol=udp sport=33014 dport=53 translated_src_ip=192.X.X.X translated_port=33014

 

Maybe because most of the logs are stateless and not firewall relevant?  

0 Kudos
In response to Fabian1
Bruce
Kind of a big deal
‎Nov 11 2021 12:47 PM
‎Nov 11 2021 12:47 PM

Do you have logging/syslog enabled for the firewall rules? There is a check box on the firewall rules that needs to be checked to enable Syslog generation by the rule.

In response to Bruce
Fabian1
Getting noticed
‎Nov 11 2021 10:40 PM
‎Nov 11 2021 10:40 PM

Oh my...

Yes, the checkbox was missing. Now I can see the logs of the firewall rules.

 

Thanks a lot!

0 Kudos
Dunky
Head in the Cloud
‎Jun 23 2023 5:16 AM
‎Jun 23 2023 5:16 AM

I use Visual Syslog Server for Windows (maxbelkov.github.io) [which is free] installed on an on-prem PC/server and does not have any bandwidth restrictions.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.