topic Meraki syslog messages are confusing in Cloud Networking Platform

Meraki syslog messages are confusing

Adrian41 — Wed, 11 Sep 2024 08:38:43 GMT

Hello,

Since meraki logs seem to truncate the useful portion of most messages, I am sending "flows, urls and security events" to a syslog server.

However, "flow" isnt really a helpful category. Apparently some things have been split into more useful labels

but im still seeing thousands of messages marked as "flow" - what does this actually mean?

Another issue I have is finding the content filter logs. Int eh dashboard they are clearly marked as

Filtering

Content filtering blocked URL

and there are lots of logs, but I cant see anything int eh syslog server with "content filter" in the message. How do I find these?

Re: Meraki syslog messages are confusing

ww^ — Wed, 11 Sep 2024 09:32:26 GMT

What mx device and firmware you have?

Do you also have a MR ? Mr should still send flow logging

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples

A flow is basically every new session a client makes

https://community.meraki.com/t5/Wireless/What-Is-Flows/td-p/36277

Re: Meraki syslog messages are confusing

Adrian41 — Wed, 11 Sep 2024 09:51:05 GMT

hello,
we have mostly MX250's on 18.211.2 and MR46's

basically, I want to be able to whatever traffic is being blocked. Id like to know, what did the blocking (was it the content filter or firewall? if its a firewall rule, which rule), also exactly what url / ip /whatever was blocked.

Right now I have lots of logs that say "flows deny" with a src/dst ip, a mac and a protocol. - What is that? Is that a firewall rule? which firewall? which rule?

In my MX firewall rules I have selected certain ones to log to syslog how do i find those in the logs?

how do i see what the content filter is blocking?

thanks!

Re: Meraki syslog messages are confusing

ntuccillo — Wed, 11 Sep 2024 14:13:20 GMT

Adrian,

For the "Flows Deny" that sounds like the ACLs in effect. This includes the switching ACLs and MR ACLs. Meraki will not block any LAN/Outbound connections unless you specifically state to do so. By default, it's in an allow state. However, for the MRs, it will automatically block LAN connections. You'd have to go into Wireless -> Firewall & Traffic Shaping, then check those rules.

For all inbound traffic being blocked, you can view the Security Center in Security & SD-Wan -> Security Center. You can see what is being blocked through the content filter, and what is being blocked in general based on pre-defined rules via Snort. You can also see these logs in Network-Wide -> Event Log.

Hopefully this information helps.

Re: Meraki syslog messages are confusing

Adrian41 — Wed, 11 Sep 2024 14:16:56 GMT

Hi, thanks for the reply - but this is about syslog messages.

If the meraki logs didnt truncate the messages, then there would be no need for the syslog server but since they do, I need to understand what is generating the messages (which firewall, which rule, whats the content filter doing?).

Re: Meraki syslog messages are confusing

ntuccillo — Wed, 11 Sep 2024 14:43:08 GMT

My apologies, I need to read better. For "Flows Deny", I am 99% certain that it's going to be an inbound connection from an external IP. We get tons of them every day. I can't give you any other information on Syslog. We let our SIEM translate it. I'm sorry.