MX syslog

dunky
Level 9

Is someone able to tell me exactly how to identify traffic that is hitting specific L3 rules?

I've defined the local syslog server and added "Security Events" and "Appliance Event Log" to it in Network-wide > General > Reporting.

I have ticked the syslog box against the rules I want to see what traffic is matching, yet nothing is getting logged to my syslog server even though the hit counts on those rules are going up.

I am getting other messages on the syslog server from the MX OK though.

TIA

12 Replies

aleabrahao
Meraki Community All-Star

Probably your syslog server is misconfigured.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Nope, it's not filtering anything; it displays all the other events, just nothing from the L3 rules where I ticked the syslog box.

aleabrahao
Meraki Community All-Star

Check the documentation. It's very simple to configure.

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration

ww^
Meraki Community All-Star

You need to send "flows" to syslog.

And you need to select the syslog checkbox behind the firewall rule.

That then sends absolutely everything, not just the rules where I tick the syslog box - I only want to see what is hitting the rules I have ticked the syslog box on.

ww^
Meraki Community All-Star

That's not possible.

You get the flow and hits, or nothing.

You would need to filter on the syslog server itself.

I get the flows but I don't see any hits arriving on the syslog server for the rules I have ticked.

Unless there are just so many I can't see them. Is there anything specific you are aware of in the text that I can filter by?

aleabrahao
Meraki Community All-Star

Which syslog server are you using?

Visual Syslog

aleabrahao
Meraki Community All-Star

Maybe it will help you.

https://youtu.be/3wdYaI2D4Ow?t=159

joey.debra
Meraki Community All-Star

So if you configured flows or firewall as a tag in the syslog server configuration on Network-wide -> General, then you can indeed tick boxes on your L3/4 rules, and when they get hit they will log to the syslog in 3 lines.

A flow start log will be made which shows the normal and translated IP addresses (can't be filtered).

A flow or firewall log that actually shows a logic match at the end, so you'll have to think about what ports and protocols you are matching in that rule to recognize the matched rule.

Examples:

protocol=tcp sport=43958 dport=443 pattern: allow all

protocol=udp sport=54366 dport=53 pattern: Group Policy Allow

I don't have access to our logging server to show better examples right now.

A flow end log after the connection is terminated, also with the NAT information like the flow start.

We log several firewalls like this and haven't had any issues with that.
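
Since the MX sends every flow and the rule match only shows up as the trailing "pattern: ..." text, the filtering has to happen on the syslog server side. The following is an added example (not code from the thread or from Meraki) that parses lines in the key=value form quoted above, keeps only the rule-match records, filters them by rule text the way the original poster did with "deny", and counts hits per rule so they can be compared with the dashboard hit counters. The sample lines are constructed; the src=/dst=/translated_* fields and the leading "MX flows" tag are assumptions about the full line format.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real captures). Fields other than
# protocol/sport/dport/pattern are assumed; adjust to what your MX actually sends.
SAMPLE_LINES = [
    "MX flows src=10.0.1.20 dst=203.0.113.10 protocol=tcp sport=43958 dport=443 pattern: allow all",
    "MX flows src=10.0.1.21 dst=198.51.100.5 protocol=udp sport=54366 dport=53 pattern: Group Policy Allow",
    "MX flows src=10.0.1.22 dst=198.51.100.9 protocol=tcp sport=50112 dport=23 pattern: deny all",
    "MX flows src=10.0.1.22 dst=198.51.100.9 protocol=tcp sport=50113 dport=23 pattern: deny all",
    "MX flows src=10.0.1.30 dst=203.0.113.7 protocol=tcp sport=50200 dport=445 pattern: deny smb",
    # flow start/end style record: NAT information, but no rule match
    "MX flows src=10.0.1.30 dst=203.0.113.7 translated_src_ip=198.51.100.1 translated_port=50200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow_line(line):
    """Return the key=value fields plus the matched rule text under 'pattern',
    or None for flow start/end records that carry no 'pattern:' suffix."""
    if "pattern:" not in line:
        return None
    head, _, pattern = line.partition("pattern:")
    fields = dict(KV_RE.findall(head))
    fields["pattern"] = pattern.strip()
    return fields


def rule_hits(lines, needle="deny"):
    """Keep only rule-match records whose rule text contains needle (case-insensitive),
    which is the 'message contains deny' filter the original poster applied."""
    hits = []
    for line in lines:
        rec = parse_flow_line(line)
        if rec is not None and needle.lower() in rec["pattern"].lower():
            hits.append(rec)
    return hits


def hits_per_rule(lines, needle="deny"):
    """Count matches per rule text, for comparison with the dashboard hit counters."""
    return Counter(rec["pattern"] for rec in rule_hits(lines, needle))


if __name__ == "__main__":
    for rec in rule_hits(SAMPLE_LINES):
        print(f"{rec['protocol']} {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']}  rule: {rec['pattern']}")
    print(dict(hits_per_rule(SAMPLE_LINES)))
```

Point the script at the received syslog text instead of SAMPLE_LINES and change the needle to match the rule text you ticked (for example a rule name or port you know is unique to it).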

That's great, many thanks.

It sends every flow to the syslog server rather than just the ones I've ticked the syslog box for, though, but that's not an issue (other than generating unnecessary traffic). I've just filtered on the syslog server to show those where the message contains "deny".