Meraki

NolanHerring · ‎Mar 18 2019

Anyone know what the logging enabled/disabled per firewall rule actually does? Like what kind of syslog traffic is it sending, is it a crap ton etc.

Nolan Herring | nolanwifi.com

natuan · ‎Mar 19 2019

Hi Nolan,

In my humble opinion, the logging enabled/disabled per firewall rule will choose to collect the log or not for that rule.
Example log:
2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.284212695 <XXXX> flows src=172.17.8.92 dst=125.56.222.10 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63249 dport=80 pattern: allow all

2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.287318295 <XXXX> flows src=172.17.8.92 dst=125.56.222.8 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63250 dport=80 pattern: allow all

2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.332721497 <XXXX> urls src=172.17.8.173:52570 dst=118.102.6.42:80 mac=00:22:B0:F3:E9:1C agent='Dalvik/2.1.0 (Linux; U; Android 5.1.1; C6603 Build/10.7.A.0.228)' request: GET http://photo-1-baomoi.zadn.vn/a350_r4x3/2019_03_18_232_30021630/0fdbceae3befd2b18bfe.jpg.webp

If you want to see the log, you should install a syslog server such as KiWi Syslog Server, Splunk
... KiWi is quite simple, just next, next and next. 🙂
Btw, don't forget to config syslog on dashboard meraki.

Regards,
natuan

View solution in original post

natuan · ‎Mar 19 2019

Hi Nolan,

In my humble opinion, the logging enabled/disabled per firewall rule will choose to collect the log or not for that rule.
Example log:
2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.284212695 <XXXX> flows src=172.17.8.92 dst=125.56.222.10 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63249 dport=80 pattern: allow all

2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.287318295 <XXXX> flows src=172.17.8.92 dst=125.56.222.8 mac=48:5B:39:EF:D7:85 protocol=tcp sport=63250 dport=80 pattern: allow all

2019-03-18 16:33:05 Local0.Info 192.168.0.6 1 1552901590.332721497 <XXXX> urls src=172.17.8.173:52570 dst=118.102.6.42:80 mac=00:22:B0:F3:E9:1C agent='Dalvik/2.1.0 (Linux; U; Android 5.1.1; C6603 Build/10.7.A.0.228)' request: GET http://photo-1-baomoi.zadn.vn/a350_r4x3/2019_03_18_232_30021630/0fdbceae3befd2b18bfe.jpg.webp

If you want to see the log, you should install a syslog server such as KiWi Syslog Server, Splunk
... KiWi is quite simple, just next, next and next. 🙂
Btw, don't forget to config syslog on dashboard meraki.

Regards,
natuan

jbhehoman · ‎Mar 19 2019

Yep. It will log the flows that match each rule to the syslog server you have configured under Network Wide > Configure > General > Logging. If you don't have a syslog server set up, you should probably just set the logging to disabled for each rule.

NolanHerring · ‎Mar 19 2019

Thanks guys. This doesn't really seem like something I want to collect and never look at lol. Also seems like it would be a lot of syslog traffic.

Nolan Herring | nolanwifi.com

BrechtSchamp · ‎Apr 3 2019

@jbhehoman actually, the options disappear if you don't have a syslog server setup. I just noticed that.

Meraki

Community

MX Firewall Rule Logging

MX Firewall Rule Logging