Preferred Syslog Server

win2kseries1
Level 2

Hello Experts,

Looking to add a syslog server to MX100, any suggestions? I'm new to building a syslog server. Thanks.

Hubble


18 Replies

Nolan H.
Level 11
Does it have to be free?
Do you have a budget?

Free trial first will be ideal

Brandon Svec
Level 11

I use https://papertrailapp.com/. It has a free tier and kind of goes with the cloud concept of Meraki well.

-- please remember to rate and mark answered helpful posts --

@Brandon Svec I see that PaperTrail has pricing based on storage capacity rather than number of endpoints. Are you able to provide an estimate of storage required per switch. I'm looking at deploying around 70 switches. Thanks.

@SNSGS I don't think I can estimate and I suppose it will depend on each environment and which messages you choose to send, but I do have dozens of devices sending what seems to be a lot of messages for only $10/mo. You can also filter out messages on the receiving end that will not count toward your quota.

Best.

-- please remember to rate and mark answered helpful posts --

KRobert
Level 8
I had to discover a better real-time syslog monitor once we transitioned to Meraki MXs for our Firewalls. I found Syslog Watcher as an option. You can get a 30-day free trial and if needed, support can extend it...and extend it...and extend....I digress.

We ended up purchasing it because it is a pretty powerful real time monitoring tool and it only cost $250 for a year or $450 for 3 years.

It has helped tremendously with real-time traffic viewing from the firewall. If anyone questions whether or not data is getting to, through, or blocked by the firewall, this software can let you know and answer right away. Filtering is pretty simple and you can store logs to go back and query previous logs.

We use Solarwinds Orion for an SNMP server, but for syslog it was missing a lot of the features that Syslog Watcher made up for.

Thanks, I’ll try that

Philip D'Ath
Meraki Community All-Star

I like Linux, and for me I would be using Ubuntu and its built-in syslog service. This is a complete step-by-step guide.

https://computingforgeeks.com/how-to-configure-rsyslog-centralized-log-server-on-ubuntu-18-04-lts/

Thanks I’ll look into it

Splunk and ELK (Elasticsearch, Logstash, Kibana) even more so are great tools for monitoring and visualizing. The downside is the steeper learning curve, but it's definitely worth it!

Now we're looking at SIEMs! SIEMs are exciting and awesome. A whole different league when it comes to reporting. Good idea @Christian_Ney.

@Philip D'Ath Sorry for asking a Linux question rather than a Meraki one, but I am unable to get any syslog info on the rsyslog server installed on Ubuntu Server. Below are the details of the config file.

I am trying to run commands like cat /var/log/messages and tail -f /var/log/messages to get logs from Meraki network.

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
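As an added example (not from this thread), here is a small Python script that shows where a forwarded message lands under the config above: it parses a BSD-style syslog line the way rsyslog fills %HOSTNAME% and %PROGRAMNAME%, applies the remote-incoming-logs template, and flags that `*.* ?remote-incoming-logs` followed by `& ~` consumes every message before the default rules in 50-default.conf ever see it. The sample datagrams and the host name mx100-hq are constructed, not captured from a real MX.

```python
import re
from dataclasses import dataclass

# Template and the two rules quoted from the posted /etc/rsyslog.conf.
TEMPLATE = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
POSTED_RULES = "*.* ?remote-incoming-logs\n& ~\n"

# BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

@dataclass
class SyslogMsg:
    facility: int
    severity: int
    hostname: str     # what rsyslog exposes as %HOSTNAME%
    programname: str  # what rsyslog exposes as %PROGRAMNAME% (TAG without [pid])
    msg: str

def parse(raw: str) -> SyslogMsg:
    """Split a BSD syslog datagram into PRI, HOSTNAME, PROGRAMNAME and text."""
    m = RFC3164.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m["pri"])
    return SyslogMsg(pri >> 3, pri & 7, m["host"], m["tag"], m["msg"])

def target_path(m: SyslogMsg, template: str = TEMPLATE) -> str:
    """File the remote-incoming-logs template writes this message to."""
    return template.replace("%HOSTNAME%", m.hostname).replace("%PROGRAMNAME%", m.programname)

def discards_after_template(rules: str) -> bool:
    """True when `*.* ?tmpl` is directly followed by `& ~` (or `& stop`):
    every message is consumed there and never reaches the default rules, so
    /var/log/syslog (Ubuntu's default file; /var/log/messages is not created) stays empty."""
    lines = [l.strip() for l in rules.splitlines() if l.strip() and not l.startswith("#")]
    return any(a.startswith("*.* ?") and b in ("& ~", "& stop") for a, b in zip(lines, lines[1:]))

# Constructed sample datagrams (not captured from a real MX or server).
SAMPLES = [
    "<134>Jan 10 12:00:00 mx100-hq events type=firewall src=10.0.0.5 dst=192.0.2.10 dport=443",
    "<38>Jan 10 12:00:01 syslog sshd[1234]: Accepted publickey for admin from 10.0.0.9",
]
```

Running `target_path(parse(s))` over SAMPLES gives /var/log/mx100-hq/events.log and /var/log/syslog/sshd.log, which is why `ls -l /var/log` shows per-host directories while /var/log/messages never appears.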

Philip D'Ath
Meraki Community All-Star

It looks like the filenames might be /var/log/%HOSTNAME%/%PROGRAMNAME%.log.

Do a "ls -l /var/log", and look for any extra log files that might reference the host device.

Attached image shows various other files/directories. Name of the server is syslog. Still unable to get any logs out of Meraki.