
Meraki Cloud | Syslog-ng | No log

cypher88
Community Member

Working on forwarding syslog protocol log messages to a syslog-ng server.

I've got the configuration file in place but log location /var/log/meraki.log isn't recording any events/alerts.

Server SELinux is permissive and netstat shows it's listening on 514. Meraki reporting syslog is set up correctly using the IP and default 514.

When I run a packet capture using tcpdump, the server is receiving messages, but none are being recorded in the path defined in the syslog-ng.conf file.

Any input is appreciated.

13 Replies

cypher88
Community Member

I've given it a go before but service will not start when using filter f_meraki { facility(meraki); };

Per journal log it seems to get stuck at that configuration.

Sample configs

source s_ext_udp_15146 {
    # UDP listener; the port must match the one set in the Meraki dashboard
    udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
# Keep only messages carrying the local0 facility
filter f_meraki { facility(local0); };
log {
    source(s_ext_udp_15146);
    filter(f_meraki);
    destination(d_meraki);
};
# One file per host and day; directories are created on demand
destination d_meraki {
    file("/logpartition/logs/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
        owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes) template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/

Philip D'Ath
Meraki Community All-Star

>port(15146))

It should be using port 500.

>It should be using port 500.

514, I think. Or it can be changed on the Meraki side to match 15146.

-- please remember to rate and mark answered helpful posts --

Philip D'Ath
Meraki Community All-Star

Oops, @Brandon Svec is correct. It should be 514.

Yeah, I matched it to what was set up on Meraki, 514... No dice... tail -f /var/log/meraki.log still shows 0 bytes. No writes.

Philip D'Ath
Meraki Community All-Star

Is there a host-based firewall running on the server?

iptables inactive

selinux permissive

firewalld.service inactive

Brandon Svec
Level 11

That seems to indicate the trouble is server side. Can you check anything else on the server?

For a sanity check you could use papertrailapp.com; it is a free cloud syslog server and pretty quick and easy to configure and test with, if nothing else.

-- please remember to rate and mark answered helpful posts --

inderdeepsingh1
Level 11

I hope you configured Syslog with the right configuration as described in Scenario 3 - Reachable via AutoVPN

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration

Check this article as well, to see if you are in line with the configurations

https://snehpatel.com/index.php/2019/09/11/configuring-syslog-in-meraki-device/

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/

The first URL is for defined host IPs.

I'm sending from the Meraki cloud dashboard configuration page. Logs are hitting the server; they're just not getting logged where I need them to be stored.

With the second URL you mentioned, I keep running into the following syntax error when restarting the service on the server.

filter f_meraki { facility(meraki); };

In that example, the author used "meraki" as a facility. There's no such thing.

Meraki defaults to local0 for the facility and this is not something that can be changed.
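
To see which facility an arriving datagram really carries, and what a given `facility()` filter would do with it, the PRI header at the start of the payload can be decoded by hand. The following is an added example, not code from any poster in this thread; the sample datagrams are constructed, and the function names and the labels for facility codes 12 to 15 are assumptions made for illustration.

```python
import re

# Facility keywords by numeric code. Codes 0-11 and 16-23 use the usual
# syslog.h names; 12-15 have no universal keyword, so the labels here are
# assumptions based on the RFC 5424 descriptions.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "log-audit", "log-alert", "clock2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Return (facility, severity) from the <PRI> header, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]  # PRI = facility * 8 + severity


def filter_verdict(filter_facility: str, datagram: bytes) -> str:
    """Describe how a filter of the form facility(<name>) relates to this datagram."""
    if filter_facility not in FACILITIES:
        return f"unknown facility name '{filter_facility}'"
    decoded = decode_pri(datagram)
    if decoded is None:
        return "no valid PRI header: facility cannot be read from the packet"
    fac, sev = decoded
    if fac == filter_facility:
        return f"match ({fac}.{sev})"
    return f"dropped by filter (message is {fac}.{sev})"


# Constructed payloads, shaped like what tcpdump -A would show after the UDP header.
SAMPLE_LOCAL0 = b"<134>1 1700000000.123456789 MX_example flows src=192.0.2.10 dst=198.51.100.20 protocol=tcp"
SAMPLE_USER = b"<14>test message sent by hand"

if __name__ == "__main__":
    for name in ("meraki", "local0", "local1"):
        for pkt in (SAMPLE_LOCAL0, SAMPLE_USER):
            print(f"facility({name}) vs {pkt[:12]!r}: {filter_verdict(name, pkt)}")
```

If the decoded facility is local0 and the filter also names local0, the filter is not what is discarding the messages, and the log path or destination settings are the next place to look.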