How to configure syslogs on Cisco Meraki?

Syslogs are crucial for tracking network activity, troubleshooting, and security monitoring. Cisco Meraki makes syslog configuration straightforward, offering detailed logging across its devices like MX Security Appliances, MR Access Points, and MS Switches. Here’s a quick summary of how to set it up:

  • Step 1: Ensure you have admin access to the Meraki dashboard and a properly configured syslog server.
  • Step 2: Navigate to the syslog settings:
    • Combined Networks: Network-wide > Configure > General > Reporting
    • Single-purpose Networks: Network-wide > Configure > Logging
    • MX Security Appliances (Flow Logging): Security & SD-WAN > Configure > Firewall
  • Step 3: Add your syslog server details (IP, UDP port) and select desired log types.
  • Step 4: Configure traffic sources based on your server location (LAN, WAN, or VPN).
  • Step 5: Ensure proper storage, firewall rules, and log retention policies.

Key Features of Meraki Syslogs

  • MX Appliances: Logs events, IDS alerts, URLs, and flows.
  • MR Access Points: Tracks events, URLs, and flows.
  • MS Switches: Focuses on event logs.

Quick Tip

Use tools like LogCentral to simplify syslog management, automate log rotation, and enhance security.

Follow these steps to ensure efficient syslog setup and reliable network monitoring.

Before You Begin

Before setting up syslog on Cisco Meraki, make sure you have admin access to the dashboard and a properly configured syslog server.

Required Dashboard Access

You'll need administrator rights to navigate the following dashboard paths:

| Network Type | Configuration Path |
| --- | --- |
| Combined Networks | Network-wide > Configure > General |
| Single-purpose Networks | Network-wide > Configure > Logging |

For MX security appliances with Flow logging enabled, you'll also need access to Security & SD-WAN > Configure > Firewall.

Syslog Server Requirements

To ensure smooth operation, your syslog server needs to meet these conditions:

  • Network Connectivity
    The server should be reachable through one of these methods:

    • Direct LAN connection
    • WAN interface
    • VPN tunnel
  • IP Configuration
    Depending on your setup, configure the IP source:

    • LAN Setup: Use the VLAN interface as the traffic source.
    • WAN Setup: Use the public interface.
    • VPN Setup: Use the highest-numbered VPN VLAN as the source.
  • Firewall Configuration
    If using a VPN, make sure to:

    • Set up "Site-to-site outbound firewall" rules for AutoVPN.
    • Permit traffic from the MX's source IP to the syslog server.
    • Open the appropriate UDP ports for syslog traffic.
  • Storage Requirements
    Ensure your server has:

    • Enough storage for all logs, including flow data.
    • Disk management policies to handle log retention.
    • Backup systems in place for critical log data.

Once you've checked these requirements, you're ready to configure these settings in the Meraki dashboard.

Setting Up Syslogs in Meraki

Finding Syslog Settings

The syslog configuration location depends on your network type:

| Network Type | Configuration Path |
| --- | --- |
| Combined Networks | Network-wide > Configure > General > Reporting |
| Single-purpose Networks | Network-wide > Configure > Logging |
| MX Security with Flow Logging | Security & SD-WAN > Configure > Firewall |

Choose the path that matches your network setup to access the syslog settings.

Adding a Syslog Server

Here’s how you can add a syslog server to your Meraki network:

1. Access the Configuration Page

Navigate to the syslog settings page for your network.

2. Input Server Details

Click on "Add a syslog server" and provide the following:

  • Server IP address
  • UDP port number (default is typically 514)
  • Log types you want the server to handle (select roles accordingly)

3. Set Traffic Source

The MX appliance automatically determines the traffic source:

  • For LAN setups, it uses the VLAN interface.
  • For WAN setups, it uses the public interface.
  • For VPN setups, it uses the highest-numbered VPN VLAN.

Once configured, select the log types you need based on your monitoring goals.

Choosing Log Types

Refer to the Key Features list above for the log types each device supports. For MX devices running firmware version 18.101 or newer, flow logging has been split into these categories:

  • firewall
  • vpn_firewall
  • cellular_firewall
  • bridge_anyconnect_client_vpn_firewall

Pick only the log types that align with your needs to ensure efficient storage and system performance.

Meraki Log Types Explained

Available Log Categories

Cisco Meraki organizes logs by device type to address various monitoring and security needs.

For MX Security Appliances, the log categories include:

| Log Type | Purpose | Example Format |
| --- | --- | --- |
| Events (Auto VPN) | Tracks VPN connectivity changes | Peer address, ID verification, connectivity status |
| Events | Monitors uplink and DHCP events | Cellular status, failover events, DHCP information |
| URLs | Records HTTP GET requests | Source/destination IPs, MAC addresses, URL requests |
| Firewall | Logs Layer 3 firewall rule matches | IP addresses, protocols, ports, matched rules |
| IDS-Alerts | Detects potential security threats | Signature matches, priority levels, attack direction |
| Security Filtering | Reports malware protection events | File scans, blocked content, threat disposition |

For MS Switches, logs focus on network infrastructure events like port status changes, spanning-tree events, DHCP server monitoring, authentication events, power supply status, and virtual router operations.

MR Access Points capture critical wireless events, including device associations, authentications, packet flood detection, HTTP requests, and Layer 3 flows.

These categories allow you to choose logs tailored to your security and performance objectives.

Log Type Selection Guide

Choose log types based on your monitoring goals, whether focused on security, performance, or capacity:

  • For Security Monitoring:

    • Enable IDS-Alerts, Security Filtering, and Firewall logs to safeguard your network.
    • Use URL logs to track web access patterns.
  • For Network Performance:

    • Monitor Events logs for infrastructure health.
    • Enable Auto VPN logs to oversee remote connectivity.
    • Analyze flow logs to understand traffic behavior.
  • For Capacity Planning:

    • Use URL logs to gauge web usage.
    • Analyze flow logs to identify bandwidth consumption.
    • Track device utilization with Event logs.

Keep in mind that syslog messages, especially flow logs, can take up a lot of storage. Set retention policies that match your compliance needs and storage capacity.
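To size retention before enabling every log type, the sketch below (an added example, not Meraki or LogCentral code) tallies a captured sample of syslog lines per device and log type and extrapolates the byte volume to 24 hours. The line layout, device names and sample lines are assumptions constructed for illustration; only the split flow category names come from this page.

```python
import re
from collections import defaultdict

# Assumed layout (not from the page): optional <PRI> and version, epoch
# timestamp, device name, log type, message body.
LINE_RE = re.compile(r"^(?:<\d+>)?(?:\d+\s+)?(\d+\.\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

# Split flow categories (MX firmware 18.101+) and the older "flows" type.
FLOW_TYPES = {"flows", "firewall", "vpn_firewall", "cellular_firewall",
              "bridge_anyconnect_client_vpn_firewall"}

# Constructed sample datagrams (documentation addresses, hypothetical names).
SAMPLE = [
    "<134>1 1700000000.0 MX_HQ firewall src=192.0.2.10 dst=198.51.100.7 protocol=tcp dport=443",
    "<134>1 1700000020.0 MX_HQ vpn_firewall src=192.0.2.11 dst=10.20.0.5 protocol=udp dport=53",
    "<134>1 1700000030.0 MX_HQ urls src=192.0.2.10:51514 request: GET http://example.com/",
    "<134>1 1700000060.0 MR_Lobby events type=association radio='0' vap='1'",
    "garbled datagram",
]

def parse_line(line):
    """Return (epoch, device, category), or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch, device, log_type, _body = m.groups()
    return float(epoch), device, "flows" if log_type in FLOW_TYPES else log_type

def tally(lines):
    """Messages and bytes per (device, category), plus the sampled time window."""
    stats = defaultdict(lambda: {"messages": 0, "bytes": 0})
    stamps = []
    for line in lines:
        parsed = parse_line(line)
        key = parsed[1:] if parsed else ("-", "unparsed")
        stats[key]["messages"] += 1
        stats[key]["bytes"] += len(line.encode("utf-8"))
        if parsed:
            stamps.append(parsed[0])
    window = max(stamps) - min(stamps) if stamps else 0.0
    return dict(stats), window

def bytes_per_day(stats, window_seconds):
    """Extrapolate sampled bytes to 24 hours per category, for retention sizing."""
    daily = defaultdict(float)
    for (_device, category), s in stats.items():
        if window_seconds > 0 and category != "unparsed":
            daily[category] += s["bytes"] * 86400 / window_seconds
    return dict(daily)
```

Feed `tally()` a sample taken during a busy period; a large "unparsed" count means the assumed layout does not match what your devices send and the regular expression needs adjusting.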

Syslog Configuration Tips

Optimal Log Settings

Set up syslog settings tailored to each device type to balance performance and resource use. For MX Security Appliances, you can enable selective firewall logging under Security & SD-WAN > Configure > Firewall. This targeted logging approach ensures key security events are logged without overloading the system.

Here's a quick look at performance considerations by device:

| Device Type | Recommended Log Types | Resource Impact |
| --- | --- | --- |
| MX Security Appliance | Event Log, IDS Alerts (selective) | High - plan for storage needs |
| MR Access Points | Event Log, selective URL logging | Medium - manageable impact |
| MS Switches | Event Log only | Low - minimal storage required |

Traffic for syslog is automatically routed from the appropriate interface based on the server's location. Once configured, secure your setup to protect the integrity of your logging data.

Security Setup

Keep your syslog data secure with these steps:

  • For VPN-connected syslog servers, set up Site-to-site outbound firewall rules in Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings > Add a rule, so that syslog traffic from the MX is permitted to reach the server across the VPN.
  • For SNMP v2c monitoring, limit access by IP address to add an extra layer of protection.

The location of your syslog server also affects traffic routing:

  • LAN-based server: Traffic originates from the local VLAN interface.
  • WAN-accessible server: Traffic routes through the public interface.
  • VPN-connected server: Traffic uses the highest-numbered VLAN IP within the VPN.

System Performance

Efficient logging is key to maintaining system performance and managing storage capacity. Here's how to strike the right balance:

1. Storage Management

Set retention policies in syslog-ng to prevent storage issues while staying compliant with logging requirements.

2. Traffic Flow Optimization

Ensure traffic is routed efficiently: local traffic uses the VLAN interface, internet traffic goes through the WAN, and VPN traffic is routed via the highest-numbered VLAN.

3. Resource Allocation

Monitor system performance and adjust log collection based on available resources. Focus on logging critical security events when resources are limited.

Fix Common Syslog Problems

Test Server Connection

When troubleshooting Meraki syslog connectivity, start by checking the network path between your devices and the syslog server. The type of connection determines how traffic is routed:

| Connection Type | Source IP | Required Configuration |
| --- | --- | --- |
| LAN-based Server | Local VLAN interface | Verify VLAN routing is correct |
| WAN-accessible Server | Public interface | Check NAT settings |
| VPN-connected Server | Highest-numbered VLAN IP | Set up site-to-site firewall rules |

For VPN-connected servers, make sure to configure outbound firewall rules in the Organization-wide Site-to-site VPN settings. This is particularly important if your syslog server uses a 6.X.X.X address range in VPN Concentrator mode.

After confirming the connection, move on to checking log reception and configuration details.

Verify Log Reception

To ensure logs are being received, focus on these key areas:

  • Storage Capacity
    Check the syslog server's storage to avoid log overflow. Use tools like syslog-ng to implement log rotation policies and maintain storage efficiency.

  • Log Configuration
    Review syslog server settings in the Meraki dashboard (Network-wide > Configure > General):

    • Confirm the correct IP address
    • Verify the UDP port configuration
    • Check the enabled log types
  • Firewall Settings
    For MX security appliances, ensure that individual firewall rule logging is enabled. You can verify this under Security & SD-WAN > Configure > Firewall in the Syslog column.
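To check on the server itself which source IP the Meraki devices are actually sending from, the following added example (not code from Meraki or from this page's author) listens on the syslog UDP port for a short time and compares the senders it sees with the ones you expect from the Test Server Connection table. The addresses are constructed placeholders, and binding to port 514 normally requires root.

```python
import socket
from collections import Counter

def open_listener(bind_ip="0.0.0.0", port=514):
    """Bind a UDP socket on the syslog port (ports below 1024 need root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    return sock

def collect_sources(sock, max_datagrams=200, timeout=15.0):
    """Count datagrams per sender IP until the limit or a quiet period is hit."""
    sock.settimeout(timeout)
    seen = Counter()
    try:
        for _ in range(max_datagrams):
            _data, (ip, _port) = sock.recvfrom(8192)
            seen[ip] += 1
    except socket.timeout:
        pass  # no traffic for `timeout` seconds: stop listening
    return seen

def review_sources(seen, expected):
    """Compare observed sender IPs with the source IPs you planned for.

    silent:     expected senders that sent nothing (check routing, NAT and
                the site-to-site outbound firewall rules)
    unexpected: senders you did not plan for, for example an MX sourcing
                from a different VLAN interface than the one you allowed
    """
    expected = set(expected)
    return {
        "silent": sorted(expected - set(seen)),
        "unexpected": sorted(set(seen) - expected),
        "counts": dict(seen),
    }

if __name__ == "__main__":
    # Constructed placeholder: replace with the source IP you expect the MX
    # to use (VLAN interface, public interface or highest-numbered VPN VLAN).
    EXPECTED = {"10.10.99.1"}
    listener = open_listener()
    try:
        print(review_sources(collect_sources(listener), EXPECTED))
    finally:
        listener.close()
```

Stop the regular syslog daemon first, or bind to a spare port and point a test syslog server entry at it, since only one process can hold the port.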

Fix Setup Errors

If you've confirmed connectivity and log reception but problems persist, focus on resolving routing or security misconfigurations.

  • Network Routing Issues
    Double-check that the routing follows the configurations outlined in the Test Server Connection table.

  • Security Configuration
    When dealing with SNMP v2c monitoring issues, ensure that IP-based access restrictions are correctly set up to allow secure log collection.

LogCentral for Meraki Syslogs

LogCentral and Meraki Setup

LogCentral simplifies managing syslogs for Meraki devices. It supports all major Meraki hardware, including MX Security Appliances, MR Access Points, and MS Switches [1]. This allows you to consolidate syslogs from your entire Meraki network in one secure platform.

By integrating directly with Cisco Meraki, LogCentral minimizes errors that can occur during manual syslog configuration. Here's a closer look at the features that make syslog management easier.

LogCentral Features

LogCentral is built with several capabilities tailored for Meraki systems:

| Feature | Description | Benefit |
| --- | --- | --- |
| Live Visualization | Monitor and analyze logs in real time | Gain instant insights into network events |
| Long-term Retention | GDPR-compliant log storage | Maintain historical data for compliance |
| Intelligent Alerts | Automated notifications | Quickly address network issues |
| Multi-tenancy | Support for multiple organizations | Perfect for MSPs and enterprises |
| Automatic Firewalling | Automates IP management for better security | Strengthen network protection |

With 24/7 monitoring, LogCentral ensures you have constant visibility into your Meraki network's activity and security. This is especially useful for tracking the four main message types generated by MX Security Appliances: Event Logs, IDS Alerts, URLs, and Flows [1].

Start Using LogCentral

Ready to get started? Follow these steps to integrate LogCentral into your network:

1. Sign up for a LogCentral account and activate the 7-day free trial.

2. Select the Meraki devices you want to monitor.

3. Configure the log types that fit your needs:

  • Event logs for general system updates.
  • IDS alerts for security monitoring (specific to MX devices).
  • URL logs to track web activity.
  • Flow logs for traffic analysis.

LogCentral takes care of log storage and rotation, solving common problems with traditional syslog servers. It also includes role-based access control (RBAC) and smart IP management to keep your data secure while ensuring authorized personnel can access it. For MSPs, its multi-client dashboard makes managing multiple networks straightforward and efficient.

Summary

Setting up syslogs on Cisco Meraki networks requires a few key steps. First, you’ll need a dedicated syslog server. Then, access the Meraki dashboard to specify the server's IP address and UDP port [1]. For MX appliances, you'll also need to configure firewall rules under Security & SD-WAN > Configure > Firewall.

Different Meraki devices log varying details:

  • MX appliances: Events, IDS alerts, URLs, and flows
  • MR access points: Events, URLs, and flows
  • MS switches: Events only

When implementing syslog, keep these points in mind:

  • Ensure enough storage, especially for flow logs.
  • Confirm proper firewall and network path settings.
  • In AutoVPN setups, syslog traffic originates from the highest VLAN interface [2].

Tools like LogCentral simplify Meraki syslog management by automating storage rotation and security settings. This helps organizations avoid common pitfalls and ensures reliable log collection.

When done right, syslog configuration provides critical insights into network activity and supports compliance needs. Whether you’re using a traditional server or an automated tool like LogCentral, proper setup ensures consistent visibility and strong security monitoring.