[Question] Syslog - Sending syslog data from multiple MXs over site-to-site VPN

Getting noticed

[Question] Syslog - Sending syslog data from multiple MXs over site-to-site VPN

Hi all,

I recently posted about setting up the syslog server and sending logs from my Meraki devices but I've come across another issue. I'm able to get log information from my VMX100 just fine. However, when I try to add multiple sources (we have 5 offices that I need to be able to send syslog data from), the syslog server doesn't appear to be handling them correctly, or at all. As soon as I add a second network source, the original source will stop writing. For example:


1. VMX100 is configured and currently writing to the syslog server

2. Configure Network 1 to write the same syslog server

3. Network 1 begins writing to the syslog server and the expected destination file but now, the VMX100 stops writing to its log file.


I initially thought it was an issue when adding all of my networks in but I tried adding it in one by one and experienced the same behavior.


Also, has anyone seen any issues where a Meraki device doesn't generate any syslog data at all? I tried a packet capture and couldn't see anything on one of my MX64Ws despite enabling the syslog feature.

3 Replies 3
Kind of a big deal
Kind of a big deal

@e39_540i some syslog servers use a unique source IP per source and some use a unique port per source, which server are you running and how have you set up the separate sources in the server?

Getting noticed

Hi @cmr,


Its an Amazon Linux 2 AMI (AWS) and I'm running syslog-ng as I found recommended by various sources. I set up the sources as separate "lines" for each office so something like:







and so on, trying to stay close to the Meraki documentation shown below


#define syslog source
source s_net { udp(ip( port(514)); };

#create individual filters to match each of the role categories
filter f_meraki_urls { host( "" ) and match("urls" value ("MESSAGE")); };
filter f_meraki_events { host( "" ) and match("events" value ("MESSAGE")); };
filter f_meraki_ids-alerts { host( "" ) and match("ids_alerted" value ("MESSAGE")); };
filter f_meraki_flows { host( "" ) and match("flows" value ("MESSAGE")); };

#define individual destinations for each of the role categories
destination df_meraki_urls { file("/var/log/meraki_urls.log"); };
destination df_meraki_events { file("/var/log/meraki_events.log"); };
destination df_meraki_ids-alerts { file("/var/log/meraki_ids-alerts.log"); };
destination df_meraki_flows { file("/var/log/meraki_flows.log"); };

#bundle the source, filter, and destination rules together with a logging rule for each role category
log { source ( s_net ); filter( f_meraki_urls ); destination ( df_meraki_urls ); };
log { source ( s_net ); filter( f_meraki_events ); destination ( df_meraki_events ); };
log { source ( s_net ); filter( f_meraki_ids-alerts ); destination ( df_meraki_ids-alerts ); };
log { source ( s_net ); filter( f_meraki_flows ); destination ( df_meraki_flows ); };


Just following up to provide some snippets of my actual config file, here's how I have it configured (generalized for privacy). Also, if there's any way to clean this all up, any input is much appreciated. I am a novice with Linux and even more-so with syslog-ng.



#define syslog source -- a.b.c.d in this section referring to the syslog server.
#source s_net { udp(ip( port(514)); };
#source s_net { tcp(ip( port(514) max-connections (5000)); udp(); };

source s_net { udp(ip(a.b.c.d) port(514)); };

source s_meraki_flfw { udp(ip(a.b.c.d) port (514)); };
source s_meraki_cafw { udp(ip(a.b.c.d) port (514)); };
source s_meraki_cofw { udp(ip(a.b.c.d) port (514)); };
source s_meraki_gafw { udp(ip(a.b.c.d) port (514)); };
source s_meraki_mnfw { udp(ip(a.b.c.d) port (514)); };



filter f_meraki_vmx100_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); };
filter f_meraki_vmx100_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); };
filter f_meraki_flfw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); };
filter f_meraki_flfw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); };
filter f_meraki_cafw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); };
filter f_meraki_cafw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); };

filter f_meraki_cofw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); };
filter f_meraki_cofw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); };

filter f_meraki_gafw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); };
filter f_meraki_gafw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); };

filter f_meraki_mnfw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); };
filter f_meraki_mnfw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); };


#destination files

destination df_meraki_vmx100_urls { file("/var/log/meraki_urls.log"); };

destination df_meraki_vmx100_flows { file("/var/log/meraki_flows.log"); };

destination meraki_flfw_flows {file("/var/log/firewalls/meraki/flfw/mx_flows.log"); };
destination meraki_flfw_urls {file("/var/log/firewalls/meraki/flfw/mx_urls.log"); };
destination meraki_cafw_flows {file("/var/log/firewalls/meraki/cafw/mx_flows.log"); };
destination meraki_cafw_urls {file("/var/log/firewalls/meraki/cafw/mx_urls.log"); };
destination meraki_cofw_flows {file("/var/log/firewalls/meraki/cofw/mx_flows.log"); };
destination meraki_cofw_urls {file("/var/log/firewalls/meraki/cofw/mx_urls.log"); };
destination meraki_gafw_flows {file("/var/log/firewalls/meraki/gafw/mx_flows.log"); };
destination meraki_gafw_urls {file("/var/log/firewalls/meraki/gafw/mx_urls.log"); };
destination meraki_mnfw_flows {file("/var/log/firewalls/meraki/mnfw/mx_flows.log"); };
destination meraki_mnfw_urls {file("/var/log/firewalls/meraki/mnfw/mx_urls.log"); };


#bundle source, filter & destination rules

log { source ( s_net ); filter( f_meraki_vmx100_urls ); destination ( df_meraki_vmx100_urls ); };

log { source ( s_net ); filter( f_meraki_vmx100_flows ); destination ( df_meraki_vmx100_flows ); };

log { source ( s_meraki_flfw); filter( f_meraki_flfw_flows); destination ( meraki_flfw_flows ); };
log { source ( s_meraki_flfw); filter( f_meraki_flfw_urls); destination ( meraki_flfw_urls ); };

log { source ( s_meraki_cafw); filter( f_meraki_cafw_flows); destination ( meraki_cafw_flows ); };
log { source ( s_meraki_cafw); filter( f_meraki_cafw_urls); destination ( meraki_cafw_urls ); };
log { source ( s_meraki_cofw); filter( f_meraki_cofw_flows); destination ( meraki_cofw_flows ); };
log { source ( s_meraki_cofw); filter( f_meraki_cofw_urls); destination ( meraki_cofw_urls ); };
log { source ( s_meraki_gafw); filter( f_meraki_gafw_flows); destination ( meraki_gafw_flows ); };
log { source ( s_meraki_gafw); filter( f_meraki_gafw_urls); destination ( meraki_gafw_urls ); };
log { source ( s_meraki_mnfw); filter( f_meraki_mnfw_flows); destination ( meraki_mnfw_flows ); };
log { source ( s_meraki_mnfw); filter( f_meraki_mnfw_urls); destination ( meraki_mnfw_urls ); };

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.