Hi,
We are currently busting our SIEM capacity due to a Meraki limitation regarding syslogs.
E.g.: We have a client connected to an MR36 AP and the traffic is routed by an MX68. Syslog is enabled for flows and URLs. Logging is enabled on the rule. MX version is 18.107.5.
Doing a get to www.microsoft365.com will generate :
1 'flows' on the AP and the MX,
1 'ip_flow_start' on the MX,
1 'ip_flow_end' on the MX,
1 'URLS' on the AP,
1 'URLS' on the MX,
1 'firewall' on the MX.
7 syslog events for a simple GET. Multiply that by 40K users and we have our nightmare.
1- Removing the 'logging' for the web browsing rule will only remove the 'firewall' logs.
2- Removing 'flows' from the syslog configuration will remove ALL ip_flow AND firewall logs.
Ughhh, I can't seem to be able to find a solution.
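One collector-side way to deal with the seven-events-per-GET fan-out, as an added example that is not part of the original post: rather than changing what the MX/MR emit (which the post shows cannot be tuned finely enough), run a pre-filter on the syslog relay in front of the SIEM and keep only one connection record and one URL record per request. Everything below is constructed for illustration: the line shape (`<epoch> <device_name> <event_type> key=value ...`), the hostnames `MX68` and `MR36-AP`, the sample lines, and the keep-list are assumptions, not verified Meraki output, so adjust the regex and policy to what your own devices actually send.

```python
"""Collector-side pre-filter for Meraki-style syslog volume.

Assumed line shape (an assumption, not verified against Meraki docs):
    "<epoch> <device_name> <event_type> key=value key=value ..."
Device role is inferred from the hostname prefix: names starting with
"MX" are treated as the security appliance, "MR" as the access point.
"""
import re
from collections import Counter

# Constructed sample: the seven events the post describes for one GET
# to www.microsoft365.com (IP, ports and timestamps are made up).
SAMPLE = """\
1700000000.101 MR36-AP flows src=10.0.1.25 dst=13.107.6.156 protocol=tcp sport=51432 dport=443
1700000000.102 MX68 flows src=10.0.1.25 dst=13.107.6.156 protocol=tcp sport=51432 dport=443
1700000000.103 MX68 ip_flow_start src=10.0.1.25 dst=13.107.6.156 protocol=tcp sport=51432 dport=443
1700000000.104 MR36-AP urls src=10.0.1.25:51432 dst=13.107.6.156:443 request: GET https://www.microsoft365.com/
1700000000.105 MX68 urls src=10.0.1.25:51432 dst=13.107.6.156:443 request: GET https://www.microsoft365.com/
1700000000.106 MX68 firewall src=10.0.1.25 dst=13.107.6.156 protocol=tcp sport=51432 dport=443 pattern: allow all
1700000000.207 MX68 ip_flow_end src=10.0.1.25 dst=13.107.6.156 protocol=tcp sport=51432 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$"
)


def device_role(host):
    """Map a device hostname to 'mx', 'ap' or 'other' (hostname prefix is an assumption)."""
    h = host.upper()
    if h.startswith("MX"):
        return "mx"
    if h.startswith("MR"):
        return "ap"
    return "other"


def parse(line):
    """Split one syslog line into timestamp, host, event type and the remainder; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


# Policy (an assumption, tune to taste): keep the MX's ip_flow_start/ip_flow_end
# pair as the single connection record and the MX's 'urls' line as the single
# URL record. The AP copies, the duplicate 'flows' lines and the 'firewall'
# line carry the same 5-tuple again and are dropped.
DEFAULT_KEEP = {("mx", "ip_flow_start"), ("mx", "ip_flow_end"), ("mx", "urls")}


def filter_events(lines, keep=DEFAULT_KEEP):
    """Return (kept_lines, dropped_counter) after applying the keep-list.

    Lines that do not match the expected shape are passed through unchanged:
    a filter that silently eats unknown events is worse than one that lets
    some extra volume reach the SIEM.
    """
    kept, dropped = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            kept.append(line)
            continue
        key = (device_role(ev["host"]), ev["event"])
        if key in keep:
            kept.append(line)
        else:
            dropped[key] += 1
    return kept, dropped


def reduction(lines, keep=DEFAULT_KEEP):
    """Fraction of input lines removed by the filter, as a float in [0, 1]."""
    kept, dropped = filter_events(lines, keep)
    total = len(kept) + sum(dropped.values())
    return 0.0 if total == 0 else sum(dropped.values()) / total


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE.splitlines())
    print(f"kept {len(kept)} of {len(SAMPLE.splitlines())} lines")
    for (role, event), n in sorted(dropped.items()):
        print(f"  dropped {n} x {role}/{event}")
```

On the constructed sample this keeps 3 of the 7 lines (the MX flow start, flow end and URL record) and reports the four dropped duplicates by device role and event type, so you can see exactly which knob each source maps to before deciding what to throw away. The same logic can be expressed as rsyslog or syslog-ng filter rules on the relay; the point is that the deduplication happens before ingest, where it costs nothing against SIEM licensing.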