Preferred Syslog Server

SOLVED
Hubble
Getting noticed

Hello Experts,

Looking to add a syslog server to MX100, any suggestions? I'm new to building a syslog server. Thanks.

Hubble

1 ACCEPTED SOLUTION
KRobert
Head in the Cloud

I had to discover a better real-time syslog monitor once we transitioned to Meraki MXs for our Firewalls. I found Syslog Watcher as an option. You can get a 30-day free trial and if needed, support can extend it...and extend it...and extend....I digress.

We ended up purchasing it because it is a pretty powerful real time monitoring tool and it only cost $250 for a year or $450 for 3 years.

It has helped tremendously with real-time traffic viewing from the firewall. If anyone questions whether or not data is getting to, through, or blocked by the firewall, this software can let you know and answer right away. Filtering is pretty simple and you can store logs to go back and query previous logs.

We use Solarwinds Orion for an SNMP server, but for syslog it was missing a lot of the features that Syslog Watcher made up for.
CMNO, CCNA R+S


18 REPLIES
NolanHerring
Kind of a big deal

Does it have to be free?
Do you have a budget?
Nolan Herring | nolanwifi.com

Free trial first will be ideal
BrandonS
Kind of a big deal

I use https://papertrailapp.com/. It has a free tier and kind of goes with the cloud concept of Meraki well.

- Ex community all-star (⌐⊙_⊙)

@BrandonS I see that PaperTrail has pricing based on storage capacity rather than number of endpoints. Are you able to provide an estimate of storage required per switch. I'm looking at deploying around 70 switches. Thanks.

BrandonS
Kind of a big deal

@SNSGS I don't think I can estimate and I suppose it will depend on each environment and which messages you choose to send, but I do have dozens of devices sending what seems to be a lot of messages for only $10/mo.  You can also filter out messages on the receiving end that will not count toward your quota.

Best.

- Ex community all-star (⌐⊙_⊙)
Hubble
Getting noticed

Thanks, I’ll try that

PhilipDAth
Kind of a big deal

I like Linux, and for me I would be using Ubuntu and its built-in syslog service. This is a complete step-by-step guide.

https://computingforgeeks.com/how-to-configure-rsyslog-centralized-log-server-on-ubuntu-18-04-lts/ 

Thanks I’ll look into it 

CptnCrnch
Kind of a big deal

Splunk, and even more so ELK (Elasticsearch, Logstash, Kibana), are great tools for monitoring and visualizing. The downside is the steeper learning curve, but it's definitely worth it!

KRobert
Head in the Cloud

Now we're looking at SIEMs! SIEMs are exciting and awesome. A whole different league when it comes to reporting. Good idea @CptnCrnch.
CMNO, CCNA R+S

@PhilipDAth Sorry for asking a Linux question rather than a Meraki one, but I am unable to get any syslog info on the rsyslog server installed on an Ubuntu server. Below are the details of the config file.

I am trying to run commands like cat /var/log/messages and tail -f /var/log/messages to get logs from Meraki network.

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

It looks like the filenames might be /var/log/%HOSTNAME%/%PROGRAMNAME%.log.

Do a "ls -l /var/log", and look for any extra log files that might reference the host device.

Attached image shows various other files/directories. Name of the server is syslog. Still unable to get any logs out of Meraki. (Attached image: Syslog-Server-Setup.png)

The question is: are Syslog messages not sent out by MX or not received (or even processed) by your server?

You'll find the answer by sniffing the traffic between MX and server.

TheAlchemist
Getting noticed

I actually removed the lines below from the config file and logs are being received fine now.

$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
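Why removing those lines helped, modelled in an added example that is not part of this thread: in the posted rsyslog.conf the template rule writes each message to a per-host file and the following `& ~` line discards it, so the message never reaches the default rules (on Ubuntu those live in 50-default.conf and write to /var/log/syslog; there is no /var/log/messages rule enabled by default). The sample MX line, its PRI value and hostnames are constructed, and the parser is a deliberately simplified stand-in for rsyslog's (which field becomes HOSTNAME and PROGRAMNAME for a Meraki line is an assumption of this model).

```python
import re
from dataclasses import dataclass

# Constructed sample of an MX flow-log line in Meraki's
# "<PRI>1 <epoch> <hostname> <role> <key=value ...>" syslog layout
# (PRI value, hostname, addresses and ports are invented).
SAMPLE = ("<134>1 1595445612.123456789 mx100-hq flows "
          "src=10.0.1.25 dst=203.0.113.7 protocol=udp sport=51234 dport=53 pattern: allow all")

TEMPLATE = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"   # the $template from the posted rsyslog.conf

# Rules in the order the posted rsyslog.conf applies them. The last entry stands in for
# Ubuntu's /etc/rsyslog.d/50-default.conf, which writes to /var/log/syslog.
RULES_POSTED = [("*.*", "?remote-incoming-logs"), ("&", "~"), ("*.*", "/var/log/syslog")]
RULES_FIXED = [("*.*", "/var/log/syslog")]   # the same chain with the template rules removed

@dataclass
class SyslogMsg:
    facility: int
    severity: int
    hostname: str
    programname: str
    text: str

def parse(line: str) -> SyslogMsg:
    """Simplified stand-in for rsyslog's parser (assumption): PRI, then the third
    field as HOSTNAME and the fourth (the Meraki role) as PROGRAMNAME."""
    m = re.match(r"<(\d{1,3})>1 \S+ (\S+) (\S+) ?(.*)$", line)
    if not m:
        raise ValueError("not an MX-style syslog line")
    pri = int(m.group(1))
    return SyslogMsg(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))

def route(msg: SyslogMsg, rules, template: str = TEMPLATE) -> list:
    """Return the files the message is written to. '?name' means 'use the named
    template' and '~' is rsyslog's discard action, which stops processing the message."""
    written = []
    for _selector, action in rules:          # every selector here is *.*, so all match
        if action == "~":
            break
        if action.startswith("?"):
            path = template.replace("%HOSTNAME%", msg.hostname)
            written.append(path.replace("%PROGRAMNAME%", msg.programname))
        else:
            written.append(action)
    return written

if __name__ == "__main__":
    msg = parse(SAMPLE)
    print("posted config ->", route(msg, RULES_POSTED))   # only the per-host file
    print("fixed config  ->", route(msg, RULES_FIXED))    # /var/log/syslog
```

With the posted rules the message lands only in /var/log/mx100-hq/flows.log, which is why `tail -f /var/log/messages` showed nothing; keeping the per-host template without the `& ~` line would give both files. In current rsyslog the discard action is spelled `stop`; `~` is the legacy form.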

Thanks for coming back and letting everyone know.
