Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Syslog nightmare

RaphaelL
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:13 AM
‎Sep 7 2023 6:13 AM

Syslog nightmare

Hi ,

 

We are currently busting our SIEM capacity due to Meraki limitation regarding syslogs. 

 

Eg : We have a client connected to an MR36 AP and the traffic is routed by an MX68. Syslog is enabled for flows,Urls. Logging is enabled on the rule. MX version is 18.107.5

 

Doing a get to www.microsoft365.com will generate :

1 "flows" on the AP and the MX

1 ip_flow_start on the MX ,

1 ip_flow_end on the MX ,

1 'URLS' on the AP 

1 'URLS' on the MX

1 'firewall' on the MX. 

 

7 syslog event for a simple get. Mutiply that for 40K users and we have our nightmare. 

 

 

1- Removing the 'logging' for the web browsing rule will only remove the 'firewall' logs.

2- Removing 'flows' from the syslog configuration will remove ALL ip_flow AND firewall logs

 

Ughhh , I can't seem to be able to find a solution. 

 

Labels:
Subscribe
4 Replies 4
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:33 AM
‎Sep 7 2023 6:33 AM

I can only think about a Linux box that receives the flows, filters out everything you don't want, and forwards the rest to the SIEM.

Subscribe
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:50 AM
‎Sep 7 2023 6:50 AM

This is not a Meraki native issue, we're seeing this with a lot of customers and their log sources. As @KarstenI mentioned, there are several options from syslog-ng up to expensive commercial offering that are used to "pre-filter" logs going to the SIEM.

Subscribe
In response to CptnCrnch
RaphaelL
Kind of a big deal
Kind of a big deal
‎Sep 7 2023 6:53 AM
‎Sep 7 2023 6:53 AM

I agree. By "Meraki's limitation" I meant to limited segmentation between flows (start/end) and firewall rule logging. 

 

By disabling the flow start/end , that would solve 90% of my issues.

0 Kudos
Subscribe
rhbirkelund
Kind of a big deal
‎Sep 8 2023 3:49 AM
‎Sep 8 2023 3:49 AM

I think you should call your local SE(/TSE), raise the issue, and have them work with their internal team on this.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.