Meraki

Community

Syslog messages don't appear in file

Safwane
Here to help
‎Oct 13 2017 3:00 AM
‎Oct 13 2017 3:00 AM

Syslog messages don't appear in file

Hello,

 

  We have 4 access point to deliver Wifi Public. We have to keep 1 year of logs.

 

I configured a syslog server on Ubuntu. I followed the technical documentation on Cisco Meraki :

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

My 514 port is open on my server.

But still don't have the log on my file that i have defined in syslog-ng.conf

 

If someone has an idea et can help me

 

Thanks

syslog_meraki.PNGsyslog-ng.PNGmeraki-log.PNG

 

iptables-syslog.PNG

 

 

0 Kudos
8 Replies 8
MilesMeraki
Head in the Cloud
‎Oct 13 2017 3:51 AM
‎Oct 13 2017 3:51 AM

I can't see anything out of the ordinary from your configuration, this all appears to look fine. I assume you've applied the syslog server settings to the correct network which the AP's are in? I assume they're Management IP's are the ones you've got listed in the .Conf file?

 

Have you tried taking a packet capture from the switch interface that the Syslog server is connected to? This will allow you to see if syslog messages are even hitting the server.

 

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to MilesMeraki
Safwane
Here to help
‎Oct 13 2017 6:52 AM
‎Oct 13 2017 6:52 AM

Hi WANKiller,

 

 Thanks for your feedback.

 

Effectively, the syslog server is on the same network wich the AP are.

 

 To separate the wifi public from our lan, i created a vlan without IP address for the wifipublic on our catalyst 4500.

 

 We dedicate an ethernet port on our firewall (fortinet) (attachement1) and give to this physical interface an IP (IP who is the gateway of our meraki AP) like a wire mode

attachement1.PNG

 

I edited --> DHCP, DNS for the AP (attachement 2)

attachement2.PNG

 

 

On my meraki dashboard i can see that my AP recover well An IP (ex : attachement3)  and my ipV4 policy is ok (attachement 4)attachement3.PNGattachement4.PNG

 

I checked on our analyzer the traffic, we see traffic (DNS,NTP) from the syslog, AP  but not for the logs on port 514 (attachement5,6)

attachement6.PNGattachement5.PNG

Thanks for your help

0 Kudos
In response to Safwane
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 13 2017 11:54 AM
‎Oct 13 2017 11:54 AM

Have you configured the dashboard?  Refer to the section "Configure Dashboard" in this document:

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

 

22221.png

0 Kudos
In response to PhilipDAth
MilesMeraki
Head in the Cloud
‎Oct 13 2017 2:39 PM
‎Oct 13 2017 2:39 PM

Ok, so looking at your Configuration you have a VLAN terminating (Default gateway) which is on the fortinet. 192.168.20.254/24. The AP's and Syslog are all in this VLAN -

 

AP's

192.168.20.1/24

192.168.20.2/24

192.168.20.3/24

192.168.20.4/24

 

Syslog

192.168.20.253/24

 

If this is the case, what mode are you using for the Guest SSID? I assume with this arrangement you'll be using Mearki NAT mode? As this would be the only way you provide true segregation for Guest traffic as per your proposed design?

 

What is the firewall rule policy on your Fortinet and what does that refer too? (Attachment 4) you've uploaded?

 

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to MilesMeraki
Safwane
Here to help
‎Oct 16 2017 12:37 AM
‎Oct 16 2017 12:37 AM

Hello WANKiller,

 

  Back after the week-end. Thanks for your return.

 

  Yes i'm using Meraki Nat  mode. By this way,  we separate the public wifi network from our lan.

 

  On the fortinet, the policy rule consists of allow the traffic from WIfi-Public interface (source network Meraki) to all destination and all services. We apply some security profiles :

 - Antivirus

 - Webfilter

 - DNS Filter

 - Application control

 - IPS

 - ANTI-SPAM

 - DLP Sensor

 - Web Application Firewal

 - Proxy Options

 - SSL/SSH inspection

What is strange is that if the firewall prevented flows to the syslog on port 514, I should see them.

 

0 Kudos
In response to PhilipDAth
Safwane
Here to help
‎Oct 16 2017 12:40 AM
‎Oct 16 2017 12:40 AM

Hello PhilipDath,

 

  Yes i have configured the dashboard with the syslog ip server on port 514

0 Kudos
In response to Safwane
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 16 2017 11:47 AM
‎Oct 16 2017 11:47 AM

The access points and the syslog server are in the same subnet - so you wont see that traffic going through the firewall.

0 Kudos
In response to PhilipDAth
Safwane
Here to help
‎Oct 17 2017 4:56 AM
‎Oct 17 2017 4:56 AM

On the web page Syslog Server Overview and Configuration, in the exemple the devices are on the same subnet

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...)

 

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.