Syslog interface
I have an MX67 with 3 vlans configured (vlan 1, vlan 10, and vlan 192). I am sending syslogs to an internal server and need to allow the IP of the MX on the syslog server. Which interface will the MX use to send the syslogs to the server?
It'll use the egress interface that's used to send the traffic.
The real IP address that your Syslog server will see is the IP address of Meraki Portal.
In my case, 6.78.245.4.
@Happiman wrote: the real IP address that your Syslog server will see is the IP address of Meraki Portal.
In my case, 6.78.245.4.
Hi @Happiman. That's not true. When you configure Syslog the messages originate from the devices themselves, not from the Meraki cloud.
If Meraki ever sent my logging messages, over the Internet, unencrypted (syslog has no encryption) I would be seriously unimpressed.
Hi 🙂
Whether you're impressed or not, please set up your syslog with Roles "Flows" and capture the udp==port 514 from your syslog server. You will see the source IP address. I didn't say that Meraki sends the syslog over the Internet. They just put all the syslog packets under the sourcing IP of the portal.
Got it. Since your Meraki and Syslog server are passing packets within the LAN subnets, then the sending interface will be the VLAN interface with the lowest IP address.
If your Meraki is at a remote site, syslog traffic will pass through Site-to-Site VPN Interface with either the lowest SVI IP or external IP address.
Added a new Syslog server.
The destination subnet is exported into AutoVPN by the "far end".
Nope. Still no cloud IP as source.
Incidentally, it appears that the source is the IP of the highest VLAN ID on the source MX. Not sure if this holds true through multiple tests, but that is what I see in this case.
@Happiman I appreciate that different people doing things differently get different results, but I've done both tests you claimed support your position, and both supported mine. I'd kindly ask you to provide supporting evidence if you wish to continue making claims that the Cloud IP shows up as the source IP in Syslog messages.
So if I had these subnets/interfaces on the MX:
192.168.0.1/24
192.168.1.1/24
192.168.2.1/24
192.168.3.1/24
192.168.4.1/24
192.168.5.1/24
It will use 192.168.5.1 instead of 192.168.0.1, for example. Assuming it's the same with syslog.
I think it is the "highest VLAN ID", which can communicate through either LAN or Site-to-Site VPN.
OK! So as it turns out, both @Happiman and myself are right here, depending on your config.
I've managed to get these results:
By configuring my VPN like this:
As it turns out, if you do not have any LAN interfaces added to VPN then the MX will use the 6. IP it has configured internally. If this is true for MX then I wouldn't be surprised to see it on other Meraki devices, also under specific circumstances.
One use case for the MX like this would be if you only had static routes added to the VPN without any of the local interfaces.
So, there we go.
Thanks to Chase with Meraki support for bringing this scenario to my attention.
@Happiman wrote: the real IP address that your Syslog server will see is the IP address of Meraki Portal.
In my case, 6.78.245.4.
@Happiman I have it on good authority that this actually is true, under some specific circumstances. I'm not able to confirm right this moment, but I will see if I can recreate it so that we can set the record straight.
@Happiman you are definitely wrong about the source IP address. @jdsilva is definitely correct.
I would tend to trust @jdsilva's response. My thoughts are that it would probably use the interface that the MX had a route towards the syslog server (aka, the interface that was "nearest" to the syslog server).
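The thread's practical advice is to look at what the syslog server actually receives before building the allow-list. The following is an added example, not code from any poster or from Meraki: it records the source IPs of incoming syslog datagrams and maps each one to the MX's VLAN interfaces. The VLAN interface addresses and all function names are assumptions made for illustration.

```python
import ipaddress
import socket
from collections import Counter

# Constructed example config: VLAN ID -> MX interface address. The VLAN IDs
# come from the question; the addresses are assumptions for illustration.
MX_VLANS = {1: "192.168.1.1/24", 10: "192.168.10.1/24", 192: "192.168.192.1/24"}

def capture_sources(bind_ip="0.0.0.0", port=514, count=20, timeout=30.0):
    """Receive up to `count` syslog datagrams and return their source IPs."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))  # ports below 1024 need elevated privileges
        s.settimeout(timeout)
        try:
            while len(seen) < count:
                _payload, (src, _sport) = s.recvfrom(8192)
                seen.append(src)
        except socket.timeout:
            pass  # return whatever arrived before the timeout
    return seen

def classify(src, vlans=MX_VLANS):
    """Say which MX interface, if any, a source address belongs to."""
    ip = ipaddress.ip_address(src)
    ifaces = {vid: ipaddress.ip_interface(a) for vid, a in vlans.items()}
    for vid, iface in ifaces.items():
        if ip == iface.ip:
            tags = []
            if vid == max(ifaces):
                tags.append("highest VLAN ID")
            if ip == min(i.ip for i in ifaces.values()):
                tags.append("lowest interface IP")
            return f"MX VLAN {vid} interface" + (f" ({', '.join(tags)})" if tags else "")
        if ip in iface.network:
            return f"host in VLAN {vid}, not the MX interface"
    return "not in any MX LAN subnet"

def summarize(sources, vlans=MX_VLANS):
    """Count datagrams per (source IP, classification)."""
    return Counter((s, classify(s, vlans)) for s in sources)

if __name__ == "__main__":
    # Constructed source list standing in for a live capture; 6.78.245.4 is
    # the address quoted in the thread.
    sample = ["192.168.192.1"] * 3 + ["6.78.245.4"]
    for (src, label), n in summarize(sample).items():
        print(f"{n:3d}  {src:15s}  {label}")
```

For a live check, replace `sample` with `capture_sources()` on the syslog server and allow only the sources classified as MX interfaces; anything reported as outside the LAN subnets should be traced to the VPN configuration described above before it is permitted.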
