MX Firewall Rule Logging

SOLVED
NolanHerring
Kind of a big deal


Anyone know what the logging enabled/disabled per firewall rule actually does? Like, what kind of syslog traffic is it sending? Is it a crap ton, etc.?

Nolan Herring | nolanwifi.com
1 ACCEPTED SOLUTION
natuan
Here to help

Hi Nolan,

In my humble opinion, the logging enabled/disabled per firewall rule will choose to collect the log or not for that rule.
Example log:
2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.284212695 <XXXX> flows src=172.17.8.92 dst=125.56.222.10 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63249 dport=80 pattern: allow all

2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.287318295 <XXXX> flows src=172.17.8.92 dst=125.56.222.8 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63250 dport=80 pattern: allow all

2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.332721497 <XXXX> urls src=172.17.8.173:52570 dst=118.102.6.42:80 mac=00:22:B0:F3:E9:1C agent='Dalvik/2.1.0 (Linux; U; Android 5.1.1; C6603 Build/10.7.A.0.228)' request: GET http://photo-1-baomoi.zadn.vn/a350_r4x3/2019_03_18_232_30021630/0fdbceae3befd2b18bfe.jpg.webp

If you want to see the log, you should install a syslog server such as Kiwi Syslog Server or Splunk... Kiwi is quite simple, just next, next and next. 🙂
Btw, don't forget to configure syslog on the Meraki dashboard.

Regards,
natuan

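As an added example (not from this thread and not Meraki's code), here is a small Python parser for the flows/urls lines quoted in the accepted answer, with a per-verdict count for sizing the syslog volume and a helper that pulls out blocked flows for triage. It assumes the leading date, facility and host columns are the syslog server's display prefix, and the "deny" line in the sample input is constructed for illustration.

```python
import re
from collections import Counter

# Parser for the MX "flows" / "urls" syslog lines quoted in the answer above.
# Assumption: the leading date, facility and source-IP columns are the syslog
# server's display prefix; the MX message starts at "1 <epoch> <device> ...".
_HEAD = re.compile(
    r"^(?P<received>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<facility>\S+) "
    r"(?P<source>\S+) (?P<version>\d+) (?P<epoch>\d+\.\d+) (?P<device>\S+) "
    r"(?P<kind>flows|urls) (?P<body>.*)$"
)
_KV = re.compile(r"(\w+)=('[^']*'|\S+)")  # quoted form keeps spaces in agent='...'

# Constructed sample: the three lines quoted above plus a made-up deny line.
SAMPLE_LINES = [
    "2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.284212695 <XXXX> flows src=172.17.8.92 dst=125.56.222.10 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63249 dport=80 pattern: allow all",
    "2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.287318295 <XXXX> flows src=172.17.8.92 dst=125.56.222.8 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63250 dport=80 pattern: allow all",
    "2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.332721497 <XXXX> urls src=172.17.8.173:52570 dst=118.102.6.42:80 mac=00:22:B0:F3:E9:1C agent='Dalvik/2.1.0 (Linux; U; Android 5.1.1; C6603 Build/10.7.A.0.228)' request: GET http://photo-1-baomoi.zadn.vn/a350_r4x3/2019_03_18_232_30021630/0fdbceae3befd2b18bfe.jpg.webp",
    "2019-03-18 16:33:06 Local0.Info 192.168.0.6 1 1552901591.000000000 <XXXX> flows src=172.17.8.92 dst=203.0.113.9 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63251 dport=23 pattern: deny all",
]

def parse_mx_event(line):
    """Parse one flows/urls line into a dict; return None for anything else."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    body = ev.pop("body")
    # flows end in "pattern: <verdict> <rule>", urls in "request: <method> <url>"
    marker = " pattern: " if ev["kind"] == "flows" else " request: "
    fields, _, tail = body.partition(marker)
    ev.update((k, v.strip("'")) for k, v in _KV.findall(fields))
    first, _, rest = tail.partition(" ")
    if ev["kind"] == "flows":
        ev["verdict"], ev["rule"] = first, rest
    else:
        ev["method"], ev["url"] = first, rest
    return ev

def summarize(lines):
    """Count events per (kind, verdict): sizes what per-rule logging emits."""
    counts = Counter()
    for ev in filter(None, map(parse_mx_event, lines)):
        counts[(ev["kind"], ev.get("verdict"))] += 1
    return counts

def denied_flows(lines):
    """Return (src, dst, dport) for flows a rule blocked, for triage."""
    return [(ev["src"], ev["dst"], ev["dport"]) for ev in map(parse_mx_event, lines)
            if ev and ev["kind"] == "flows" and ev["verdict"] != "allow"]
```

Feed it a file exported from the syslog server (one event per line) and the counts give a rough idea of how much each rule contributes before deciding whether to leave logging on.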

4 REPLIES

Yep. It will log the flows that match each rule to the syslog server you have configured under Network Wide > Configure > General > Logging. If you don't have a syslog server set up, you should probably just set the logging to disabled for each rule. 

Thanks guys. This doesn't really seem like something I want to collect and never look at lol. Also seems like it would be a lot of syslog traffic.
Nolan Herring | nolanwifi.com

@jbhehoman actually, the options disappear if you don't have a syslog server set up. I just noticed that.
