Hi,
I have a quick question regarding Syslog behavior, particularly with L3 rules and Site-to-Site VPN.
We've set up our Syslog server with Flows configured, and everything has been running smoothly.
However, after integrating a SIEM/SOC solution that needs to receive logs, I enabled Syslog with Flows. This caused instability and significant packet loss to the branch (MX95) where Syslog was enabled. When I disabled Flows, connectivity returned to normal.
I suspect there may be too much traffic over the VPN tunnel, but I’d like to clarify what the Syslog option on a rule actually does. Even when I uncheck it, I still see a lot of logs on my Syslog server when doing a "trail". Will I still receive all logs if this option is unchecked, or what is its specific purpose?
I’ve read the documentation but still find it confusing. Could someone explain it in simpler terms?
Thanks!
Hi,
When you configure an L3 firewall rule and check "syslog", it will send a "firewall" syslog. However, it should still send the other syslog messages such as ip_flow_start and ip_flow_stop (end?).
You could take a packet capture on your spoke site-to-site VPN interface and see what is being sent.
I just tried to remove "Flows" under General, and even though I still have some L3 rules with syslog enabled, I do not see anything other than "urls" in the trail log now. I have to enable "Flows" to see ip_flow, vpn_firewall and firewall entries.
In General:
ip_flow: traffic handled "locally" in the MX L3 firewall?
firewall: traffic handled "locally" in the MX L3 firewall?
vpn_firewall: traffic sent over the VPN tunnel?
Note: In firmware MX18.101 and newer, the syslog messages for "flows" have been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this:
948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all
Flows = firewall, vpn_firewall, cellular_firewall, bridge_anyconnect_client_vpn_firewall
Oh okay good to know. I still see both ip_flow and firewall.
I tried to fiddle a bit more, and here are my findings:
So here is my conclusion:
When using both Flows and syslog under L3, I get more details whenever a rule is hit compared to only running with Flows enabled. But basically I see double information, with both an ip_flow and a firewall entry.
When it comes to syslog on S2S, I see that when I am only running with Flows enabled, I do not see any 'deny', but only traffic that is permitted. If I enable syslog on the rule, I start to see 'deny' entries when traffic hits the rule.
Thank you Raph!
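To make the two observations above concrete (the message types listed in the firmware note, and the "double information" from ip_flow plus firewall entries, with 'deny' verdicts only showing up on some of them), here is an added example that is not part of this thread and not Meraki's own code: a small parser for MX syslog lines that classifies them by type, pulls out the 5-tuple and the allow/deny verdict, finds flows that are logged twice, and applies a relay-side filter of the kind you would put on an rsyslog/syslog-ng box before forwarding to the SIEM, so that only the entries you actually need cross the VPN tunnel. The "firewall" line is in the format quoted in the note above; the ip_flow_start/ip_flow_end, vpn_firewall and urls lines are constructed samples that assume the same key=value layout, and the forwarding policy is an assumption for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. Line 1 is the "firewall" format quoted in the thread;
# the remaining lines are assumed to use the same key=value layout (an
# assumption for this example, not taken from the documentation).
SAMPLE_LOG = """\
948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all
948136486.721800000 MX60 ip_flow_start src=192.168.10.254 dst=8.8.8.8 protocol=udp sport=9562 dport=53 translated_src_ip=203.0.113.10 translated_port=9562
948136487.100000000 MX60 ip_flow_end src=192.168.10.254 dst=8.8.8.8 protocol=udp sport=9562 dport=53 translated_src_ip=203.0.113.10 translated_port=9562
948136490.000000000 MX60 vpn_firewall src=192.168.10.50 dst=10.20.0.5 protocol=tcp sport=51000 dport=445 pattern: deny all
948136491.000000000 MX60 vpn_firewall src=192.168.10.51 dst=10.20.0.9 protocol=tcp sport=51001 dport=443 pattern: allow all
948136492.000000000 MX60 urls src=192.168.10.254:52001 dst=93.184.216.34:443 mac=00:18:0A:XX:XX:XX request: GET https://example.com/
"""

# Message types that the "Flows" option produces on MX18.101+, per the note above.
FLOWS_KINDS = {"firewall", "vpn_firewall", "cellular_firewall",
               "bridge_anyconnect_client_vpn_firewall"}

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<host>\S+)\s+(?P<kind>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
VERDICT_RE = re.compile(r"pattern:\s*(allow|deny)\b")


def parse_line(line):
    """Parse one MX syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "host": m["host"], "kind": m["kind"], "verdict": None}
    for key, value in KV_RE.findall(m["rest"]):
        rec.setdefault(key, value)          # never clobber ts/host/kind
    v = VERDICT_RE.search(m["rest"])
    if v:
        rec["verdict"] = v.group(1)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def five_tuple(rec):
    return tuple(rec.get(k) for k in ("src", "dst", "protocol", "sport", "dport"))


def summarize(records):
    """Count of entries per message type (firewall, ip_flow_start, urls, ...)."""
    return Counter(r["kind"] for r in records)


def denied(records):
    """Entries whose rule verdict was 'deny' (only present on *_firewall lines)."""
    return [r for r in records if r["verdict"] == "deny"]


def duplicate_flows(records):
    """5-tuples reported both by a Flows entry and by an ip_flow_start entry."""
    seen = defaultdict(set)
    for r in records:
        if r["kind"] in FLOWS_KINDS:
            seen["flows"].add(five_tuple(r))
        elif r["kind"] == "ip_flow_start":
            seen["ip_flow"].add(five_tuple(r))
    return seen["flows"] & seen["ip_flow"]


def relay_filter(records, keep_kinds=FLOWS_KINDS, denies_only=False):
    """Assumed relay policy: forward only the chosen message types to the SIEM,
    optionally only the denies, so the rest never crosses the VPN tunnel."""
    out = []
    for r in records:
        if r["kind"] not in keep_kinds:
            continue
        if denies_only and r["verdict"] != "deny":
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per type:", dict(summarize(recs)))
    print("denies:", [(r["src"], r["dst"], r["dport"]) for r in denied(recs)])
    print("logged twice:", duplicate_flows(recs))
    print("forward (denies only):", len(relay_filter(recs, denies_only=True)), "of", len(recs))
```

Run against the sample, the parser shows one 5-tuple logged both as ip_flow_start and as firewall (the double entry the thread describes), a single deny, which is only visible on a vpn_firewall line, and a relay policy that would forward one of six lines to the SIEM. Point it at a capture of your own syslog feed to check which message types are actually making up the volume before deciding what to ship over the tunnel.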
Your conclusion is correct!
My pleasure!