MX syslog

Solved
Dunky
A model citizen

Is someone able to tell me exactly how to identify traffic that is hitting specific L3 rules?

I've defined the local syslog server and added "Security Events" and "Appliance Event Log" to it in Network-wide > General - Reporting.

I have ticked the syslog box against the rules I want to see what traffic is matching, yet nothing is getting logged to my syslog server even though the hit counts on those rules are going up.

I am getting other messages on the syslog server from the MX OK, though.

TIA

12 Replies
alemabrahao
Kind of a big deal

Probably your syslog server is misconfigured.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Nope, it's not filtering anything; it displays all the other events, just nothing from the L3 rules where I ticked the syslog box.

alemabrahao
Kind of a big deal

Check the documentation. It's very simple to configure.

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Repor...

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

ww
Kind of a big deal

You need to send "flows" to syslog.

And you need to select the syslog checkbox behind the firewall rule.

Dunky
A model citizen

That then sends absolutely everything, not just the rules where I tick the syslog box. I only want to see what is hitting the rules I have ticked the syslog box on.

ww
Kind of a big deal

That's not possible.

You get the flow and hits, or nothing.

You would need to filter on the syslog server itself.

Dunky
A model citizen

I get the flows, but I don't see any hits arriving on the syslog server for the rules I have ticked.

Unless there are just so many I can't see them. Is there anything specific you are aware of in the text that I can filter by?

alemabrahao
Kind of a big deal

Which syslog server are you using?

visual syslog

alemabrahao
Kind of a big deal

Maybe it will help you.

https://youtu.be/3wdYaI2D4Ow?t=159

GIdenJoe
Kind of a big deal

So if you configured flows or firewall as a tag in the syslog server configuration on Network-wide -> General, then you can indeed tick boxes on your L3/4 rules, and when they get hit they will log to the syslog in 3 lines.

A flow start log will be made which shows the normal and translated IP addresses (can't be filtered).

A flow or firewall log that actually shows a logic match at the end, so you'll have to think about what ports and protocols you are matching in that rule to recognize the matched rule.

Examples:

protocol=tcp sport=43958 dport=443 pattern: allow all

protocol=udp sport=54366 dport=53 pattern: Group Policy Allow

I don't have access to our logging server to show better examples right now.

A flow end log after the connection is terminated, with the NAT information like the flow start.

We log several firewalls like this and haven't had any issues with that.
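As an added example (not part of this thread and not Meraki's own tooling), here is a small Python filter that does what this answer and the earlier suggestion to "filter on the syslog server itself" describe: it parses the protocol/sport/dport/pattern fields of each line, skips flow start/end lines that carry NAT detail but no rule match, and keeps only lines whose matched rule name (or protocol/destination-port tuple) is one you care about. The sample lines are constructed; their leading timestamp, device name, "flows" tag, src/dst and translated_* fields are assumptions about the MX line prefix and are not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines. The protocol=/sport=/dport= and
# "pattern:" fields mirror the examples quoted in the answer; the
# timestamp, device name, "flows" tag, src/dst and translated_* fields
# are assumptions about the MX line prefix, not taken from the thread.
SAMPLE_LINES = [
    "1700000000.123 MX-branch flows src=10.0.1.25 dst=203.0.113.10 "
    "protocol=tcp sport=43958 dport=443 pattern: allow all",
    "1700000000.456 MX-branch flows src=10.0.1.25 dst=10.0.0.53 "
    "protocol=udp sport=54366 dport=53 pattern: Group Policy Allow",
    "1700000000.789 MX-branch flows src=10.0.1.77 dst=198.51.100.5 "
    "protocol=tcp sport=51000 dport=23 pattern: deny all",
    # Flow start/end style line: NAT detail, no rule match. The
    # translated_* field names are constructed placeholders.
    "1700000001.000 MX-branch flows src=10.0.1.25 dst=203.0.113.10 "
    "translated_src_ip=192.0.2.1 translated_port=43958",
]

KV_RE = re.compile(r"(\w+)=(\S+)")            # key=value pairs
PATTERN_RE = re.compile(r"pattern:\s*(.+?)\s*$")  # rule name after "pattern:"
INT_FIELDS = {"sport", "dport", "translated_port"}


def parse_flow_line(line):
    """Return the key=value fields of one line plus 'pattern' (None when
    the line is a flow start/end record with no rule match)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    match = PATTERN_RE.search(line)
    fields["pattern"] = match.group(1) if match else None
    return fields


def rule_hits(lines, wanted_rules):
    """Keep only lines whose matched rule name is in wanted_rules
    (case-insensitive), e.g. the rules you ticked the syslog box on."""
    wanted = {name.lower() for name in wanted_rules}
    hits = []
    for line in lines:
        record = parse_flow_line(line)
        if record["pattern"] and record["pattern"].lower() in wanted:
            hits.append(record)
    return hits


def hits_by_rule(lines):
    """Count rule matches per rule name, ignoring flow start/end lines."""
    return Counter(r["pattern"] for r in map(parse_flow_line, lines) if r["pattern"])


def hits_by_tuple(lines, protocol, dport):
    """Select hits by protocol and destination port, the approach the
    answer suggests when the rule name alone is not distinctive."""
    return [
        r for r in map(parse_flow_line, lines)
        if r["pattern"] and r.get("protocol") == protocol and r.get("dport") == dport
    ]


if __name__ == "__main__":
    for record in rule_hits(SAMPLE_LINES, {"deny all"}):
        print(record)
    print(hits_by_rule(SAMPLE_LINES))
```

To use it against a real server, feed the lines of the syslog file (or the server's export) into `rule_hits` with the exact names of the rules you ticked; because a flow start and flow end line are emitted for every connection regardless of the checkbox, the volume you see is expected and the filter is where the rule-level view comes from.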

Dunky
A model citizen

That's great, many thanks.

It sends every flow to the syslog server rather than just the ones I've ticked the syslog box for, though, but that's not an issue (other than generating unnecessary traffic); I've just filtered on the syslog server to show those where the message contains "deny".
