syslog capture in Meraki

hmc25000
Getting noticed

syslog capture in Meraki

We have syslog configured in Network Wide > Configure > General > Reporting. We use a custom port and send "Security Events" however the syslog server is not receiving syslog messages on the server. I tried running a capture but do not see any traffic between the MX and the syslog server.

 

What would be the source ip address of Meraki syslog messages? Should I be able to view those messages in wireshark?

7 Replies 7
BlakeRichardson
Kind of a big deal
Kind of a big deal

Check out this page and look at the expected traffic flow section.

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
hmc25000
Getting noticed

Sorry, my message was not clear.  I do not have access to the syslog server, I need to figure out why the syslog server is not receiving the syslog messages. We have syslog configured to send it to a server connected to the inside interface of the MX. I was trying to do a wireshark capture on the lan interface of the MX but don't see any traffic from the inside MX interface to the syslog server. So what would be the source ip address of the syslog messages that are send to the syslog server? 

RaphaelL
Kind of a big deal
Kind of a big deal

Sourced by the highest vlan ID on the MX.

ww
Kind of a big deal
Kind of a big deal

You should be able to see them in the capture .

How many security event do you see in the security center.  Could it be you just not have that many. 

 

hmc25000
Getting noticed

Good point. I am not sure either. I'm having trouble seeing events in the event log. All events say dropped. 

Brash
Kind of a big deal
Kind of a big deal

Take a look at this thread. 

@jdsilva  did a lot of testing and found that the source IP will differ dependant on the scenario.

 

https://community.meraki.com/t5/Security-SD-WAN/Syslog-interface/m-p/52122

hmc25000
Getting noticed

The thing is in my case the syslog server is in a hub site. The MX sending syslogs is routing traffic through another router connected to the LAN interface to the hub site. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels