Syslog messages don't appear in file

Safwane
Here to help


Hello,

 

  We have 4 access points delivering public Wi-Fi. We have to keep 1 year of logs.

 

I configured a syslog server on Ubuntu. I followed the technical documentation from Cisco Meraki:

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

Port 514 is open on my server.

But I still don't have the logs in the file that I defined in syslog-ng.conf.

 

If someone has an idea and can help me

 

Thanks

[Attachments: syslog_meraki.PNG, syslog-ng.PNG, meraki-log.PNG]

 

[Attachment: iptables-syslog.PNG]

 

 

8 Replies
MilesMeraki
Head in the Cloud

I can't see anything out of the ordinary in your configuration; this all appears to be fine. I assume you've applied the syslog server settings to the correct network that the APs are in? I assume their management IPs are the ones you've got listed in the .conf file?

 

Have you tried taking a packet capture on the switch interface that the syslog server is connected to? This will let you see whether syslog messages are even reaching the server.

 

Eliot F | Simplifying IT with Cloud Solutions
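A packet capture tells you whether datagrams reach the host; the next question is whether they reach the listening socket and get parsed. The following is an added example (not code from the original post, from Meraki, or from syslog-ng) of a small loopback tool for that: it binds a UDP receiver, sends itself one constructed Meraki-style syslog line, and parses what arrives. The message layout (PRI, epoch timestamp, device name, log type, key=value fields), the device name AP-1, and the port values are assumptions made for the example, not taken from the thread.

```python
"""Loopback syslog test: minimal UDP receiver, sender and parser.

Added example, not from the original post or from Meraki's documentation.
The message layout below is an assumption for illustration only.
"""
import re
import socket
from typing import Dict, Optional, Tuple

# Constructed sample of the kind of line an AP might send over UDP 514.
# Field names and values are made up for this example.
SAMPLE_MESSAGE = (
    "<134>1 1551874581.123456 AP-1 events type=association "
    "radio='0' vap='1' channel='36' client_mac='AA:BB:CC:DD:EE:FF'"
)

# <PRI>[version ]<epoch ts> <device> <log type> <key=value ...>
_HEAD_RE = re.compile(
    r"^<(\d{1,3})>(?:1 )?(\d+(?:\.\d+)?) (\S+) (\S+)\s*(.*)$", re.S
)
# key=value pairs; values may be single- or double-quoted or bare tokens
_KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Decode the PRI into facility/severity and the body into fields.

    Returns None when the line does not match the assumed layout, so a
    caller can tell 'nothing arrived' from 'something arrived but it is
    not what we expected'.
    """
    m = _HEAD_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # max facility 23 * 8 + max severity 7
        return None
    fields = {k: v.strip("'\"") for k, v in _KV_RE.findall(m.group(5))}
    return {
        "facility": pri >> 3,  # PRI = facility * 8 + severity (RFC 3164)
        "severity": pri & 7,
        "timestamp": float(m.group(2)),
        "device": m.group(3),
        "log_type": m.group(4),
        "fields": fields,
    }


def send_message(host: str, port: int, message: str = SAMPLE_MESSAGE) -> int:
    """Fire one syslog datagram at host:port; returns the byte count sent.

    Run this from another host on the APs' subnet to exercise the same
    path the APs use towards the syslog server.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("utf-8"), (host, port))


def loopback_test(
    host: str = "127.0.0.1", port: int = 0, message: str = SAMPLE_MESSAGE
) -> Tuple[str, Optional[Dict[str, object]]]:
    """Bind a receiver, send `message` to it, return (sender_ip, parsed).

    port=0 picks a free port for a self-test. To test the real path,
    stop syslog-ng, run this as root with host="0.0.0.0", port=514 and
    have an AP or another host send a message; UDP is connectionless, so
    the datagram is queued on the bound socket until recvfrom() reads it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, port))
        rx.settimeout(5.0)
        bound_port = rx.getsockname()[1]
        send_message(host, bound_port, message)
        data, (src_ip, _) = rx.recvfrom(65535)
    return src_ip, parse_syslog(data.decode("utf-8", "replace"))


if __name__ == "__main__":
    src, parsed = loopback_test()
    print(f"received from {src}: {parsed}")
```

If the receiver on port 514 sees datagrams from the APs' management IPs but syslog-ng writes nothing once restarted, the problem is in the syslog-ng source or log path, not in the network; if the receiver sees nothing either, keep looking at the path between the APs and the server.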
Safwane
Here to help

Hi WANKiller,

 

 Thanks for your feedback.

 

Indeed, the syslog server is on the same network that the APs are on.

 

 To separate the public Wi-Fi from our LAN, I created a VLAN without an IP address for the public Wi-Fi on our Catalyst 4500.

 

 We dedicated an Ethernet port on our firewall (Fortinet) (attachment 1) and gave this physical interface an IP (the IP that is the gateway of our Meraki APs), like a wire mode.

[Attachment: attachement1.PNG]

 

I set up DHCP and DNS for the APs (attachment 2).

[Attachment: attachement2.PNG]

 

 

On my Meraki dashboard I can see that my APs get an IP correctly (e.g. attachment 3) and my IPv4 policy is OK (attachment 4).

[Attachments: attachement3.PNG, attachement4.PNG]

 

I checked the traffic on our analyzer: we see traffic (DNS, NTP) from the syslog server and the APs, but not the logs on port 514 (attachments 5, 6).

[Attachments: attachement5.PNG, attachement6.PNG]

Thanks for your help

PhilipDAth
Kind of a big deal

Have you configured the dashboard? Refer to the section "Configure Dashboard" in this document:

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

 

[Attachment: 22221.png]

MilesMeraki
Head in the Cloud

OK, so looking at your configuration you have a VLAN terminating (default gateway) on the Fortinet, 192.168.20.254/24. The APs and the syslog server are all in this VLAN:

 

AP's

192.168.20.1/24

192.168.20.2/24

192.168.20.3/24

192.168.20.4/24

 

Syslog

192.168.20.253/24

 

If this is the case, what mode are you using for the guest SSID? I assume with this arrangement you'll be using Meraki NAT mode, as this would be the only way to provide true segregation for guest traffic as per your proposed design?

 

What is the firewall rule policy on your Fortinet, and what does it refer to (the attachment 4 you've uploaded)?

 

Eliot F | Simplifying IT with Cloud Solutions
Safwane
Here to help

Hello WANKiller,

 

  Back after the weekend. Thanks for your reply.

 

  Yes, I'm using Meraki NAT mode. This way we separate the public Wi-Fi network from our LAN.

 

  On the Fortinet, the policy rule consists of allowing traffic from the WiFi-Public interface (source network Meraki) to all destinations and all services. We apply some security profiles:

 - Antivirus

 - Webfilter

 - DNS Filter

 - Application control

 - IPS

 - ANTI-SPAM

 - DLP Sensor

 - Web Application Firewall

 - Proxy Options

 - SSL/SSH inspection

What is strange is that if the firewall were blocking the flows to the syslog server on port 514, I should see them.

 

Safwane
Here to help

Hello PhilipDAth,

 

  Yes, I have configured the dashboard with the syslog server IP on port 514.

PhilipDAth
Kind of a big deal

The access points and the syslog server are in the same subnet, so you won't see that traffic going through the firewall.

Safwane
Here to help

On the web page Syslog Server Overview and Configuration, in the example the devices are on the same subnet:

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

 

 
