Meraki

Community

Syslog nightmare

RaphaelL
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:13 AM
‎Sep 7 2023 6:13 AM

Syslog nightmare

Hi ,

 

We are currently busting our SIEM capacity due to Meraki limitation regarding syslogs. 

 

Eg : We have a client connected to an MR36 AP and the traffic is routed by an MX68. Syslog is enabled for flows,Urls. Logging is enabled on the rule. MX version is 18.107.5

 

Doing a get to www.microsoft365.com will generate :

1 "flows" on the AP and the MX

1 ip_flow_start on the MX ,

1 ip_flow_end on the MX ,

1 'URLS' on the AP 

1 'URLS' on the MX

1 'firewall' on the MX. 

 

7 syslog event for a simple get. Mutiply that for 40K users and we have our nightmare. 

 

 

1- Removing the 'logging' for the web browsing rule will only remove the 'firewall' logs.

2- Removing 'flows' from the syslog configuration will remove ALL ip_flow AND firewall logs

 

Ughhh , I can't seem to be able to find a solution. 

 

Labels:
4 Replies 4
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:33 AM
‎Sep 7 2023 6:33 AM

I can only think about a Linux box that receives the flows, filters out everything you don't want, and forwards the rest to the SIEM.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:50 AM
‎Sep 7 2023 6:50 AM

This is not a Meraki native issue, we're seeing this with a lot of customers and their log sources. As @KarstenI mentioned, there are several options from syslog-ng up to expensive commercial offering that are used to "pre-filter" logs going to the SIEM.

In response to CptnCrnch
RaphaelL
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:53 AM
‎Sep 7 2023 6:53 AM

I agree. By "Meraki's limitation" I meant to limited segmentation between flows (start/end) and firewall rule logging. 

 

By disabling the flow start/end , that would solve 90% of my issues.

0 Kudos
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Sep 8 2023 3:49 AM
‎Sep 8 2023 3:49 AM

I think you should call your local SE(/TSE), raise the issue, and have them work with their internal team on this.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.