The Meraki cloud solution is a centralized management service that allows users to manage all of their Meraki network devices via a single simple and secure platform. Users are able to deploy, monitor and configure their Meraki devices via the Meraki dashboard web interface or via APIs.
A syslog server can easily be configured on a Linux system in a short period of time, and there are many other syslog servers available for other OSes (Kiwi Syslog for Windows, for example).
The following commands detail an example syslog server configuration on Ubuntu 13.04 using syslog-ng, to gather syslog information from an MX security appliance.
The following commands outline an example configuration for demonstration purposes. Please refer to your server documentation for specific instructions and information.
The first step is to install the syslog application:
sysadmin@ubuntu:~$ sudo apt-get install syslog-ng
Once syslog-ng has been installed, it needs to be configured to receive log messages from the MX. These instructions will configure syslog-ng to store each of the role categories in its own log file: there will be an individual log file for URLs, Event Logs, etc. Alternatively, it could be configured to store all logs in one file. Use any appropriate editor to make changes to the syslog-ng configuration file. In this example nano is used to edit the file.
sysadmin@ubuntu:~$ sudo nano /etc/syslog-ng/syslog-ng.conf
The LAN IP of the MX in this example will be 192.168.10.1. The syslog server is listening on 192.168.10.241 UDP port 514. Update as needed to reflect the LAN IP of the MX and the syslog server being configured. The first section of configuration will store all syslog messages from the MX in /var/log/meraki.log. The second section will use regular expressions to match each of the role categories and store them in individual log files. Only one of the two sections needs to be configured.
#define syslog source
source s_net { udp(ip(192.168.10.241) port(514)); };
#create filter to match traffic (this filter will catch all syslog messages that come from the MX)
filter f_meraki { host( "192.168.10.1" ); };
#define a destination for the syslog messages
destination df_meraki { file("/var/log/meraki.log"); };
log { source ( s_net ); filter( f_meraki ); destination ( df_meraki ); };
#define syslog source
source s_net { udp(ip(192.168.10.241) port(514)); };
#create individual filters to match each of the role categories
filter f_meraki_urls { host( "192.168.10.1" ) and match("urls" value ("MESSAGE")); };
filter f_meraki_events { host( "192.168.10.1" ) and match("events" value ("MESSAGE")); };
filter f_meraki_ids-alerts { host( "192.168.10.1" ) and match("ids_alerted" value ("MESSAGE")); };
filter f_meraki_flows { host( "192.168.10.1" ) and match("flows" value ("MESSAGE")); };
#define individual destinations for each of the role categories
destination df_meraki_urls { file("/var/log/meraki_urls.log"); };
destination df_meraki_events { file("/var/log/meraki_events.log"); };
destination df_meraki_ids-alerts { file("/var/log/meraki_ids-alerts.log"); };
destination df_meraki_flows { file("/var/log/meraki_flows.log"); };
#bundle the source, filter, and destination rules together with a logging rule for each role category
log { source ( s_net ); filter( f_meraki_urls ); destination ( df_meraki_urls ); };
log { source ( s_net ); filter( f_meraki_events ); destination ( df_meraki_events ); };
log { source ( s_net ); filter( f_meraki_ids-alerts ); destination ( df_meraki_ids-alerts ); };
log { source ( s_net ); filter( f_meraki_flows ); destination ( df_meraki_flows ); };
The final step is to restart the syslog-ng process:
sysadmin@ubuntu:~$ sudo /etc/init.d/syslog-ng restart
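The per-role filters above combine a host() test with an unanchored match() against the MESSAGE field, so any message that merely contains a role keyword somewhere in its body is written to that role's file. The following Python script is an added example (not part of this page or of Meraki's or syslog-ng's own code) that models those routing decisions offline on a handful of constructed sample datagrams, so the behaviour can be checked before pointing a real MX at the server. The message layout it assumes (timestamp, hostname, role token, then details) and the sample lines are constructed for the example; confirm the role tokens against the messages your own MX emits. It also shows a stricter, anchored variant of the regexes that only accepts the role token in its expected position, which stops a URL containing "events" from being written to both the URL and event log files.

```python
"""Offline model of the syslog-ng routing rules shown above.

Each (host, message) pair stands for one UDP syslog datagram as syslog-ng
sees it: `host` is what the host() filter tests, `message` is the MESSAGE
macro that match() tests. Nothing here talks to syslog-ng; it only shows
which file each sample line would land in under the page's filters and
under a stricter, anchored variant.
"""
import re

MX_HOST = "192.168.10.1"  # LAN IP of the MX, as in the host() filters above

# Constructed sample datagrams (not captured from a real appliance). The role
# tokens are the ones the page's match() filters look for; the surrounding
# layout (timestamp, hostname, role, key=value details) is an assumption.
SAMPLE_DATAGRAMS = [
    (MX_HOST, "1374543213.342 MX84 urls src=192.168.10.50:56001 dst=93.184.216.34:443 request: GET https://example.com/"),
    (MX_HOST, "1374543214.101 MX84 events type=vpn_connectivity_change peer_contact=10.0.0.2:9350 connectivity=true"),
    (MX_HOST, "1374543215.220 MX84 ids_alerted signature=1:2000419:18 priority=2 direction=ingress protocol=tcp/ip"),
    (MX_HOST, "1374543216.005 MX84 flows src=192.168.10.51 dst=8.8.8.8 protocol=udp sport=5000 dport=53 pattern: allow all"),
    # URL whose path contains "events": an unanchored regex matches it twice.
    (MX_HOST, "1374543217.400 MX84 urls src=192.168.10.52:56002 dst=93.184.216.34:443 request: GET https://example.com/events/today"),
    # A datagram from some other host is dropped by every filter's host() test.
    ("192.168.10.99", "1374543218.000 other flows src=10.1.1.1 dst=10.2.2.2 protocol=tcp"),
]

# Destination file -> regex, mirroring the page's match("...", value("MESSAGE")) filters.
PAGE_FILTERS = {
    "/var/log/meraki_urls.log": re.compile(r"urls"),
    "/var/log/meraki_events.log": re.compile(r"events"),
    "/var/log/meraki_ids-alerts.log": re.compile(r"ids_alerted"),
    "/var/log/meraki_flows.log": re.compile(r"flows"),
}

# Stricter variant (an assumption about the message layout, not from the page):
# only accept the role token as the third whitespace-separated field.
ANCHORED_FILTERS = {
    path: re.compile(r"^\S+\s+\S+\s+" + rx.pattern + r"\b")
    for path, rx in PAGE_FILTERS.items()
}


def route(datagrams, filters, mx_host=MX_HOST):
    """Return {destination_file: [message, ...]} for every log {} rule that fires.

    A datagram can appear under several files, exactly as syslog-ng would write
    it once per matching log statement.
    """
    routed = {path: [] for path in filters}
    for host, message in datagrams:
        if host != mx_host:            # the host("192.168.10.1") half of each filter
            continue
        for path, regex in filters.items():
            if regex.search(message):  # the match(...) half of each filter
                routed[path].append(message)
    return routed


def multi_routed(routed):
    """Messages that landed in more than one file (a sign of an over-broad regex)."""
    seen = {}
    for path, messages in routed.items():
        for message in messages:
            seen.setdefault(message, []).append(path)
    return {m: paths for m, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for label, filters in (("page filters", PAGE_FILTERS), ("anchored filters", ANCHORED_FILTERS)):
        routed = route(SAMPLE_DATAGRAMS, filters)
        print(f"== {label} ==")
        for path, messages in routed.items():
            print(f"{path}: {len(messages)} message(s)")
        for message, paths in multi_routed(routed).items():
            print("written to several files:", message[:40] + "...", paths)
```

Running the script shows the fifth sample line counted under both meraki_urls.log and meraki_events.log with the page's regexes, and only under meraki_urls.log with the anchored ones. If you adopt the anchored form in syslog-ng, keep the same `^\S+\s+\S+\s+` prefix inside the match() pattern and verify it against a capture of real MX output, since the field order is an assumption of this example.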
Syslog servers can be defined in the Dashboard from Network-wide > Configure > General.
Click the Add a syslog server link to define a new server. An IP address, UDP port number, and the roles to send to the server need to be defined. Multiple syslog servers can be configured.
If the Flows role is enabled on an MX security appliance, logging for individual firewall rules can be enabled or disabled on the Security appliance > Configure > Firewall page, under the Logging column.