Meraki

Community

syslog capture in Meraki

hmc25000
Getting noticed
‎Feb 6 2024 12:03 PM
‎Feb 6 2024 12:03 PM

syslog capture in Meraki

We have syslog configured in Network Wide > Configure > General > Reporting. We use a custom port and send "Security Events" however the syslog server is not receiving syslog messages on the server. I tried running a capture but do not see any traffic between the MX and the syslog server.

 

What would be the source ip address of Meraki syslog messages? Should I be able to view those messages in wireshark?

Labels:
0 Kudos
7 Replies 7
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Feb 6 2024 12:09 PM
‎Feb 6 2024 12:09 PM

Check out this page and look at the expected traffic flow section.

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
hmc25000
Getting noticed
‎Feb 6 2024 12:16 PM
‎Feb 6 2024 12:16 PM

Sorry, my message was not clear.  I do not have access to the syslog server, I need to figure out why the syslog server is not receiving the syslog messages. We have syslog configured to send it to a server connected to the inside interface of the MX. I was trying to do a wireshark capture on the lan interface of the MX but don't see any traffic from the inside MX interface to the syslog server. So what would be the source ip address of the syslog messages that are send to the syslog server? 

0 Kudos
In response to hmc25000
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 6 2024 12:26 PM
‎Feb 6 2024 12:26 PM

Sourced by the highest vlan ID on the MX.

0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Feb 6 2024 12:29 PM
‎Feb 6 2024 12:29 PM

You should be able to see them in the capture .

How many security event do you see in the security center.  Could it be you just not have that many. 

 

0 Kudos
In response to ww
hmc25000
Getting noticed
‎Feb 6 2024 12:38 PM
‎Feb 6 2024 12:38 PM

Good point. I am not sure either. I'm having trouble seeing events in the event log. All events say dropped. 

0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎Feb 6 2024 12:33 PM
‎Feb 6 2024 12:33 PM

Take a look at this thread. 

@jdsilva  did a lot of testing and found that the source IP will differ dependant on the scenario.

 

https://community.meraki.com/t5/Security-SD-WAN/Syslog-interface/m-p/52122

0 Kudos
hmc25000
Getting noticed
‎Feb 6 2024 12:48 PM
‎Feb 6 2024 12:48 PM

The thing is in my case the syslog server is in a hub site. The MX sending syslogs is routing traffic through another router connected to the LAN interface to the hub site. 

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.