Meraki MX250 Log Monitoring

bsantomauro
Comes here often


Hello everyone,

 

I wanted to ask you all about the log monitoring on the MX appliances. We have MX250s in our network and we are having a real hard time tracking down firewall/filtering situations. For example, we really need to be able to see what rules are triggering for content filtering, app blocking, layer 3 blocking, country blocking, etc., and it just seems near impossible to get this information from the Meraki Cloud Console. Many events also seem to be dropped. The console said this is due to performance limitations on the MX.

 

I was reading through some posts here and on other sites (Reddit, etc.) saying that the best way to accomplish this is through syslog. I tried sending syslog to SolarWinds and Syslog Watcher but didn't like the interface. It was still difficult to comb through. I think I may have allowed the wrong events though. The event I allowed was URLs, which just gave me a list of URLs being accessed by different clients but didn't tell me anything about whether they were blocked, by what policy, etc.

 

I was thinking of possibly using something like Graylog but I wanted to reach out to see what others are doing for this. My first question is what roles do you guys use when sending to syslog? I saw netflow there as well? Is that something that would give me what I am looking for? What software do you guys use that you like that gives you a nice ui/interface to comb through these events?

 

Our previous appliance was a Palo Alto, which made it easy to track these sorts of things down. I know I am not going to be able to get back to that, but I am just looking for a way to get me closer, as right now every time I have to troubleshoot some firewall blocking issue I feel like I am just taking pot shots in the dark trying to do pcaps and such. I appreciate your time and suggestions. Thank you.

5 Replies
CptnCrnch
Kind of a big deal

Firewall logging is (currently) not a real deal-breaker for Meraki MX, just as you realized. The new firmware will enable you to have live logging directly integrated into the Dashboard though.

 

As for now, I've seen a few possibilities to have decent firewall event logging in place:

  • syslog-ng (with filters) -> no additional cost but needs to be configured properly
  • Graylog (which makes it easy to get to the results)
  • Splunk (even the free version is suitable for many and has "apps" ready for Meraki devices)
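To make the "syslog with filters" suggestion above concrete for the kind of question the original post asks (was this flow blocked, and by what), here is an added example that is not code from this thread, from Meraki, or from any of the tools listed. It parses lines in the layout of the MX syslog roles (flows, urls, content_filtering_block, ids-alerts: epoch timestamp, device name, role, key=value fields, then a trailing "pattern:", "request:" or "message:" clause) and attaches a verdict to each line. The sample lines are constructed, not captured from a real MX250, and the meaning given to a numeric "pattern" value (a configured L3 outbound rule index, with the rule's action not stated in the line) is an assumption to check against the Meraki syslog event documentation before relying on it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events in the Meraki MX syslog layout. These are made up
# for illustration; they were not captured from the poster's appliances.
SAMPLE_LOG = """\
1703192178.101 MX250 flows src=10.1.20.15 dst=8.8.8.8 mac=aa:bb:cc:dd:ee:01 protocol=udp sport=51324 dport=53 pattern: allow all
1703192179.202 MX250 flows src=10.1.20.15 dst=203.0.113.10 mac=aa:bb:cc:dd:ee:01 protocol=tcp sport=49233 dport=445 pattern: 1 all
1703192180.303 MX250 flows src=10.1.20.42 dst=198.51.100.7 mac=aa:bb:cc:dd:ee:02 protocol=tcp sport=50001 dport=23 pattern: deny all
1703192181.404 MX250 urls src=10.1.20.15:49300 dst=93.184.216.34:80 mac=aa:bb:cc:dd:ee:01 request: GET http://example.com/index.html
1703192182.505 MX250 content_filtering_block url=http://casino.example/ category0='Gambling' server='198.51.100.9:80' client_mac='aa:bb:cc:dd:ee:02'
1703192183.606 MX250 ids-alerts signature=1:2100498:7 priority=2 timestamp=1703192183.606 direction=ingress protocol=tcp/ip src=198.51.100.99:80 dst=10.1.20.15:49301 message: GPL ATTACK_RESPONSE id check returned root
"""

# "<epoch> <device> <role> <rest>"
HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<role>\S+)\s*(?P<rest>.*)$")
# key=value pairs; values may be single-quoted (content_filtering_block does this)
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# free-text trailer that is not key=value
TAIL_RE = re.compile(r"\b(pattern|request|message):\s*(.*)$")


@dataclass
class Event:
    ts: str
    device: str
    role: str
    fields: dict
    tail: Optional[str]   # text after "pattern:", "request:" or "message:"
    verdict: str          # ALLOW, DENY, RULE <n>, ALERT or INFO
    rule: str             # what the line says matched, as far as it says anything


def classify(role: str, fields: dict, tail: Optional[str]) -> tuple:
    """Turn one event into (verdict, rule). Only the flows and
    content_filtering_block roles actually carry an allow/deny decision."""
    if role == "flows":
        if not tail:
            return "INFO", "flows line without a pattern clause"
        first = tail.split()[0]
        if first == "allow":
            return "ALLOW", "allow all"
        if first == "deny":
            return "DENY", "deny all"
        if first.isdigit():
            # ASSUMPTION: a numeric pattern is the index of a configured L3
            # outbound rule; the line does not state that rule's action, so
            # look the index up in Dashboard rather than guessing.
            return f"RULE {first}", f"L3 outbound rule {first} (action not in line)"
        return "INFO", tail
    if role == "content_filtering_block":
        return "DENY", "content filtering category " + fields.get("category0", "?")
    if role in ("ids-alerts", "security_event"):
        return "ALERT", "IDS signature " + fields.get("signature", "?")
    if role == "urls":
        # The urls role only records that a request was seen; it never says
        # whether anything was blocked, which is why it looked useless above.
        return "INFO", "URL seen (urls role carries no allow/deny)"
    return "INFO", role


def parse_line(line: str) -> Optional[Event]:
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest, tail = m["rest"], None
    t = TAIL_RE.search(rest)
    if t:
        tail = t.group(2).strip()
        rest = rest[: t.start()]
    fields = {k: v.strip("'") for k, v in KV_RE.findall(rest)}
    verdict, rule = classify(m["role"], fields, tail)
    return Event(m["ts"], m["device"], m["role"], fields, tail, verdict, rule)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def blocked(events: list) -> list:
    """Everything the MX refused or matched against a configured rule."""
    return [e for e in events if e.verdict == "DENY" or e.verdict.startswith("RULE")]


if __name__ == "__main__":
    for e in blocked(parse_log(SAMPLE_LOG)):
        who = e.fields.get("src") or e.fields.get("client_mac", "?")
        what = e.fields.get("dst") or e.fields.get("url", "?")
        print(f"{e.ts} {e.role:24} {who:>22} -> {what:28} {e.verdict:8} {e.rule}")
```

Feed it the syslog file your collector writes (Graylog, Splunk and syslog-ng can all dump to plain text) and the `blocked()` view is the short list you actually want when someone reports "the firewall is blocking me": the flows role with a deny or numbered pattern, plus content_filtering_block lines with their category.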
PhilipDAth
Kind of a big deal

This is the info about the new live logging capability in 18.2 and later.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Firewall_Logging 

bsantomauro
Comes here often

@CptnCrnch @PhilipDAth

 

Thank you for your response. I will be looking into some of those syslog options. The live logging feature looks interesting. I am currently running MX 18.107.2. Is there anything special I need to do to install the new firmware? On my appliance status screen it says it's up to date. Thanks again for your help.

PhilipDAth
Kind of a big deal

If you go to the firmware upgrades page you can select to upgrade to 18.2.

 


 

cmr
Kind of a big deal

The live logging does work, but when I tested 18.205 it was not usable. I haven't had a chance to test 18.207 yet, but there are a lot of fixes, so it could be good 🤞
