Syslog interface

wnburgiss
New here

Syslog interface

I have an MX67 with 3 vlans configured (vlan 1, vlan 10, and vlan 192). I am sending syslogs to an internal server and need to allow the IP of the MX on the syslog server. Which interface will the MX use to send the syslogs to the server?

12 REPLIES 12
jdsilva
Kind of a big deal

It'll use the egress interface that's used to send the traffic.

Happiman
Building a reputation

the real IP address that your Syslog server will see is the IP address of Meraki Portal.

 

In my case, 6.78.245.4.

jdsilva
Kind of a big deal


@Happiman wrote:

the real IP address that your Syslog server will see is the IP address of Meraki Portal.

 

In my case, 6.78.245.4.


Hi @Happiman. That's not true. When you configure Syslog the messages originate from the devices themselves, not from the Meraki cloud.

 

If Meraki ever sent my logging messages, over the Internet, unencrypted (syslog has no encryption) I would be seriously unimpressed.

Happiman
Building a reputation

Hi 🙂
Whether you're impressed or not, please set up your syslog with Roles "Flows" and capture the udp==port 514 from your syslog server. You will see the source IP address. I didn't say that Meraki sends the syslog over the Internet. They just put all the syslog packets under the sourcing IP of the portal.

jdsilva
Kind of a big deal

Happiman
Building a reputation

Got it. Since your Meraki and Syslog server are passing packets within the LAN subnets, then the sending interface will be the VLAN interface with the lowest IP address.

 

If your Meraki is at a remote site, syslog traffic will pass through Site-to-Site VPN Interface with either the lowest SVI IP or external IP address.

jdsilva
Kind of a big deal

image.png

Added a new Syslog server.

 

image.png

 

The destination subnet is exported into AutoVPN by the "far end".

 

image.png

 

Nope. Still not no cloud IP as source.

 

Incidentally, it appears that the source is the IP of the highest VLAN ID on the source MX. Not sure if this holds true through multiple tests, but that is what I see in this case.

 

image.png

 

@Happiman I appreciate that different people doing things differently get different results, but I've done both tests you claimed support your position, and both supported mine. I'd kindly ask you to provide supporting evidence if you wish to continue making claims that the Cloud IP shows up as the source IP in Syslog messages. 

Anytime I've setup NetFlow to LiveNX it always will use the gateway of the highest subnet.

So if I had these subnets/interfaces on the MX:

192.168.0.1/24
192.168.1.1/24
192.168.2.1/24
192.168.3.1/24
192.168.4.1/24
192.168.5.1/24

It will use 192.168.5.1 instead of 192.168.0.1 for example. Assuming its the same with syslog.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Happiman
Building a reputation

I think it is the "highest VLAN ID", which can communicate through either LAN or Site-to-Site VPN.

jdsilva
Kind of a big deal

OK! So as it turns out, both @Happiman and myself are right here, depending on your config. 

 

I've managed to get these results:

 

image.png

 

By configuring my VPN like this:

 

image.png

 

As it turns out, if you do not have any LAN interfaces added to VPN then the MX will use the 6. IP it has configured internally. If this is true for MX then I wouldn't be surprised to see it on other Meraki devices, also under specific circumstances. 

 

One use case for the MX like this would be if you only had static routes added to the VPN without any of the local interfaces.

 

So, there we go. 

 

Thanks to Chase with Meraki support for bringing this scenario to my attention. 

jdsilva
Kind of a big deal


@Happiman wrote:

the real IP address that your Syslog server will see is the IP address of Meraki Portal.

 

In my case, 6.78.245.4.


@Happiman I have it on good authority that this actually is true, under some specific circumstances. I'm not able to confirm right this moment, but I will see if I can recreated it so that we can set the record straight. 

 

 

PhilipDAth
Kind of a big deal

@Happiman you are definately wrong about the source IP address.  @jdsilva is definatently correct.

 

I would tend to trust @jdsilva 's response.  My thoughts are that it would probably use the interface that the MX had a route towards the syslog server (aka, the interface that was "nearest" to the syslog server).

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels