MX Flow Logs

DZA
Conversationalist


Hi,

We are exporting MX flow logs to Splunk. Does anyone have any more detail for the below:

- what does the value "374543986.038687615" refer to for the MX flow example in the below link? Is it usable in any way or is it just an internal reference point?

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Event_Types...

- what is the difference between "flows", "ip_flow_start" and "ip_flow_stop" in the flow records?
- is there any possibility, or is it planned for upcoming releases, to export the sent and received data volumes in flow logs? I saw someone else posted the below.

https://community.meraki.com/t5/Security-SD-WAN/Wish-Include-sent-and-received-data-volumes-in-MX-fl...

 

PhilipDAth
Kind of a big deal

It is the time in Unix epoch format.
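
The answer above applied to a whole record, as an added example that is not part of the original thread or Meraki's code: it splits a flow syslog line into fields and converts the epoch timestamp to UTC without losing the sub-second digits. The line layout, the device name `MX_example` and the sample addresses are assumptions; only the timestamp value is the one quoted in the question.

```python
import re
from datetime import datetime, timezone

# Assumed record layout (not taken from this thread):
#   <pri>version epoch.fraction device event_type key=value ... pattern: rule
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ver>\d+) (?P<sec>\d+)\.(?P<frac>\d+) "
    r"(?P<device>\S+) (?P<etype>\S+) (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample line: only the timestamp value comes from the question;
# the device name and addresses are placeholders.
SAMPLE = (
    "<134>1 374543986.038687615 MX_example flows src=192.0.2.10 "
    "dst=198.51.100.53 protocol=udp sport=55719 dport=53 pattern: allow all"
)


def parse_flow_line(line):
    """Split one flow record into fields with a UTC timestamp."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a recognised flow record")
    # Keep seconds and fraction as integers: a float cannot hold every
    # digit of an epoch value that carries nanoseconds.
    sec = int(m["sec"])
    nanos = int(m["frac"].ljust(9, "0")[:9])
    when = datetime.fromtimestamp(sec, tz=timezone.utc).replace(
        microsecond=nanos // 1000
    )
    # Everything before "pattern: " is key=value pairs; the rest is the rule text.
    kv_part, _, pattern = m["body"].partition("pattern: ")
    return {
        "time_utc": when.isoformat(),
        "epoch_ns": sec * 10**9 + nanos,
        "device": m["device"],
        "event_type": m["etype"],
        "fields": dict(KV_RE.findall(kv_part)),
        "pattern": pattern.strip() or None,
    }


if __name__ == "__main__":
    print(parse_flow_line(SAMPLE))
```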

DZA
Conversationalist

Thanks, makes sense.
CptnCrnch
Kind of a big deal


- is there any possibility, or is it planned for upcoming releases, to export the sent and received data volumes in flow logs? I saw someone else posted the below.

https://community.meraki.com/t5/Security-SD-WAN/Wish-Include-sent-and-received-data-volumes-in-MX-fl...


If you're interested in traffic volumes, you could take a closer look at Netflow, not Syslog.

DZA
Conversationalist

Thanks CptnCrnch. I assume that I would then need to tie the fw session & the netflow session to correlate the traffic for that session? All of our traffic will be flowing through a FW which provides us with the data when the flow ends. We are looking into the possibility of dropping the firewall logs for these sessions as we should also get them from the MX. However before doing this we'd want a 1:1 of the information we receive. I know that Splunk has a flow collector and then may tie in easier, but we're currently using a different product for netflow.
