We use a third-party tool that uploads L3 rules via API every 5 minutes. These uploads are clogging up the changelogs. Out of the 5000 that are retained, this is taking up about 4500-4900 at any given time. The log comment notes the service that it comes from (first blurred field). We are unable to reduce the rate at which these rules are uploaded. Rather than omit ANY logs from the API, is it possible to omit (or otherwise store elsewhere for auditing) the logs from this specific service via CLI/API? Or like there is the "syslogEnabled=false" tag in the PUT request to keep them out of syslog, is there another tag the service can append to omit these rules from the changelogs? Desirable solutions: 1. Omit logs from this service completely 2. Omit logs from changes made by a designated user (specific to this service) 3. Divert logs from this service to another location 4. Increase changelog retention parameters
... View more
We have a SIEM tool that consumes syslog from an MX appliance to aggregate/analyze traffic and track connections between internal assets and external malicious actors. We are currently able to parse syslog messages from an MX appliance to determine: 1. the external IP/domain connected with 2. the internal IP(s), ports interacted with 3. traffic type and encryption status 4. whether the connection initiated internally or externally It is also of vital importance to determine the volume of data transferred both in and out of a network over the connection between the source and destination. Currently, the MX flow logs do not support this. I know many other firewalls include this in their flow log equivalents, and I know there are ways to view and export this info from the MX dashboard. However, we need a passive, automated way to consume this data without implementing manual workarounds. We would like to see Meraki include this in its flow logs as it is obviously helpful in narrowing down problem points. Said another way, the current syslog messages resemble the following: <134>1 1536610215.9836262378 XXX_XXX_X0X0 flows allow src=10.10.12.10 dst=184.108.40.206 mac=C7:E4:B3:E2:51:28 protocol=udp sport=51185 dport=1900 and we would want them to include something similar to the fields at the end of the message: <134>1 1536610215.9836262378 XXX_XXX_X0X0 flows allow src=10.10.12.10 dst=220.127.116.11 mac=C7:E4:B3:E2:51:28 protocol=udp sport=51185 dport=1900 duration="30" sent_bytes="84" rcvd_bytes="84"
... View more