Meraki

YoinkZ

Hi,

I have a quick question regarding Syslog behavior, particularly with L3 rules and Site-to-Site VPN.

We've set up our Syslog server with Flows configured, and everything has been running smoothly.

However, after integrating a SIEM/SOC solution that needs to receive logs, I enabled Syslog with Flows. This caused instability and significant packet loss to the branch (MX95) where Syslog was enabled. When I disabled Flows, connectivity returned to normal.

I suspect there may be too much traffic over the VPN tunnel, but I’d like to clarify what the Syslog option on a rule actually does. Even when I uncheck it, I still see a lot of logs on my Syslog server when doing a "trail". Will I still receive all logs if this option is unchecked, or what is its specific purpose?

I’ve read the documentation but still find it confusing. Could someone explain it in simpler terms?

Thanks!

RaphaelL

Note: In Firmware MX18.101 and newer, the syslog messages for "flows" has been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this:

948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

Flows = firewall , vpn_firewall , cellular_firewall , bridge_anyconnect_client_vpn_firewall

View solution in original post

RaphaelL

Hi ,

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

When you configure a L3 firewall rule and check "syslog" it will send a "firewall" syslog. However , it should still send the other syslog message such as ip_flow_start and ip_flow_stop ( end ? ).

You could take a packet capture on your spoke site-to-site VPN interface and see what it is being sent.

YoinkZ

I just tried to remove "Flows" under General and even though I still have some L3 rules with syslog enabled, then I do not see anything other than "urls" in the trail log now. I have to enable "Flows" to see ip_flow, vpn_firewall and firewall entries.

In General:

ip_flow traffic handled "locally" in the MX L3 Firewall?

firewall traffic handled "locally" in the MX L3 Firewall?

vpn_firewall traffic sent over VPN Tunnel?

RaphaelL

Note: In Firmware MX18.101 and newer, the syslog messages for "flows" has been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this:

948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

Flows = firewall , vpn_firewall , cellular_firewall , bridge_anyconnect_client_vpn_firewall

YoinkZ

Oh okay good to know. I still see both ip_flow and firewall.

I tried to fiddle a bit more and here are my findings:

When I disable Flows, then I do not see any syslog from my L3, S2S or even ip_flows.
When I enable Flows I see ip_flows and vpn_firewall.
Finally when I enable both Flows and syslog on L3 Firewall, then I see firewall, ip_flows and vpn_firewall

So here is my conclusion;
When using both Flows and syslog under L3, then I get more details whenever a rule is hit compared to only running with Flows enabled. But basically I see double information with ip_flow and firewall entry.

When it comes to Syslog on S2S, then I see that when I am only running with Flows enabled, then I do not see any 'deny', but only traffic that is permitted. If I enable Syslog then I start to see 'deny' if they hit the rule.

Thank you Raph!

RaphaelL

Your conclusion is correct !

My pleasure !

Meraki

Community

MX Syslog Flows - Took out all the bandwitdh

MX Syslog Flows - Took out all the bandwitdh