
How to configure syslogs on Cisco Meraki?
Syslogs are crucial for tracking network activity, troubleshooting, and security monitoring. Cisco Meraki makes syslog configuration straightforward, offering detailed logging across its devices like MX Security Appliances, MR Access Points, and MS Switches. Here’s a quick summary of how to set it up:
- Step 1: Ensure you have admin access to the Meraki dashboard and a properly configured syslog server.
- Step 2: Navigate to the syslog settings:
  - Combined Networks: Network-wide > Configure > General > Reporting
  - Single-purpose Networks: Network-wide > Configure > Logging
  - MX Security Appliances (Flow Logging): Security & SD-WAN > Configure > Firewall
- Step 3: Add your syslog server details (IP, UDP port) and select desired log types.
- Step 4: Configure traffic sources based on your server location (LAN, WAN, or VPN).
- Step 5: Ensure proper storage, firewall rules, and log retention policies.
Key Features of Meraki Syslogs
- MX Appliances: Logs events, IDS alerts, URLs, and flows.
- MR Access Points: Tracks events, URLs, and flows.
- MS Switches: Focuses on event logs.
Quick Tip
Use tools like LogCentral to simplify syslog management, automate log rotation, and enhance security.
Follow these steps to ensure efficient syslog setup and reliable network monitoring.
Before You Begin
Before setting up syslog on Cisco Meraki, make sure you have admin access to the dashboard and a properly configured syslog server.
Required Dashboard Access
You'll need administrator rights to navigate the following dashboard paths:
Network Type | Configuration Path |
---|---|
Combined Networks | Network-wide > Configure > General |
Single-purpose Networks | Network-wide > Configure > Logging |
For MX security appliances with Flow logging enabled, you'll also need access to Security & SD-WAN > Configure > Firewall.
Syslog Server Requirements
To ensure smooth operation, your syslog server needs to meet these conditions:
- Network Connectivity: The server should be reachable through one of these methods:
  - Direct LAN connection
  - WAN interface
  - VPN tunnel
- IP Configuration: Depending on your setup, configure the IP source:
  - LAN Setup: Use the VLAN interface as the traffic source.
  - WAN Setup: Use the public interface.
  - VPN Setup: Use the highest-numbered VPN VLAN as the source.
- Firewall Configuration: If using a VPN, make sure to:
  - Set up "Site-to-site outbound firewall" rules for AutoVPN.
  - Permit traffic from the MX's source IP to the syslog server.
  - Open the appropriate UDP ports for syslog traffic.
- Storage Requirements: Ensure your server has:
  - Enough storage for all logs, including flow data.
  - Disk management policies to handle log retention.
  - Backup systems in place for critical log data.
Once you've checked these requirements, you're ready to configure these settings in the Meraki dashboard.
Setting Up Syslogs in Meraki
Finding Syslog Settings
The syslog configuration location depends on your network type:
Network Type | Configuration Path |
---|---|
Combined Networks | Network-wide > Configure > General > Reporting |
Single-purpose Networks | Network-wide > Configure > Logging |
MX Security with Flow Logging | Security & SD-WAN > Configure > Firewall |
Choose the path that matches your network setup to access the syslog settings.
Adding a Syslog Server
Here’s how you can add a syslog server to your Meraki network:
1. Access the Configuration Page
Navigate to the syslog settings page for your network.
2. Input Server Details
Click on "Add a syslog server" and provide the following:
- Server IP address
- UDP port number (default is typically 514)
- Log types you want the server to handle (select roles accordingly)
3. Set Traffic Source
The MX appliance automatically determines the traffic source:
- For LAN setups, it uses the VLAN interface.
- For WAN setups, it uses the public interface.
- For VPN setups, it uses the highest-numbered VPN VLAN.
Once configured, select the log types you need based on your monitoring goals.
Choosing Log Types
Refer to the earlier table for supported log types by device. For MX devices running firmware version 18.101 or newer, flow logging has been split into these categories:
- firewall
- vpn_firewall
- cellular_firewall
- bridge_anyconnect_client_vpn_firewall
Pick only the log types that align with your needs to ensure efficient storage and system performance.
Meraki Log Types Explained
Available Log Categories
Cisco Meraki organizes logs by device type to address various monitoring and security needs.
For MX Security Appliances, the log categories include:
Log Type | Purpose | Example Format |
---|---|---|
Events (Auto VPN) | Tracks VPN connectivity changes | Peer address, ID verification, connectivity status |
Events | Monitors uplink and DHCP events | Cellular status, failover events, DHCP information |
URLs | Records HTTP GET requests | Source/destination IPs, MAC addresses, URL requests |
Firewall | Logs Layer 3 firewall rule matches | IP addresses, protocols, ports, matched rules |
IDS-Alerts | Detects potential security threats | Signature matches, priority levels, attack direction |
Security Filtering | Reports malware protection events | File scans, blocked content, threat disposition |
For MS Switches, logs focus on network infrastructure events like port status changes, spanning-tree events, DHCP server monitoring, authentication events, power supply status, and virtual router operations.
MR Access Points capture critical wireless events, including device associations, authentications, packet flood detection, HTTP requests, and Layer 3 flows.
These categories allow you to choose logs tailored to your security and performance objectives.
Log Type Selection Guide
Choose log types based on your monitoring goals, whether focused on security, performance, or capacity:
- For Security Monitoring:
  - Enable IDS-Alerts, Security Filtering, and Firewall logs to safeguard your network.
  - Use URL logs to track web access patterns.
- For Network Performance:
  - Monitor Events logs for infrastructure health.
  - Enable Auto VPN logs to oversee remote connectivity.
  - Analyze flow logs to understand traffic behavior.
- For Capacity Planning:
  - Use URL logs to gauge web usage.
  - Analyze flow logs to identify bandwidth consumption.
  - Track device utilization with Event logs.
Keep in mind that syslog messages, especially flow logs, can take up a lot of storage. Set retention policies that match your compliance needs and storage capacity.
Syslog Configuration Tips
Optimal Log Settings
Set up syslog settings tailored to each device type to balance performance and resource use. For MX Security Appliances, you can enable selective firewall logging under Security & SD-WAN > Configure > Firewall. This targeted logging approach ensures key security events are logged without overloading the system.
Here's a quick look at performance considerations by device:
Device Type | Recommended Log Types | Resource Impact |
---|---|---|
MX Security Appliance | Event Log, IDS Alerts (selective) | High - plan for storage needs |
MR Access Points | Event Log, selective URL logging | Medium - manageable impact |
MS Switches | Event Log only | Low - minimal storage required |
Traffic for syslog is automatically routed from the appropriate interface based on the server's location. Once configured, secure your setup to protect the integrity of your logging data.
Security Setup
Keep your syslog data secure with these steps:
- For VPN-connected syslog servers, set up Site-to-site outbound firewall rules in Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings > Add a rule. This ensures logs are securely transmitted across your network.
- For SNMP v2c monitoring, limit access by IP address to add an extra layer of protection.
The location of your syslog server also affects traffic routing:
- LAN-based server: Traffic originates from the local VLAN interface.
- WAN-accessible server: Traffic routes through the public interface.
- VPN-connected server: Traffic uses the highest-numbered VLAN IP within the VPN.
System Performance
Efficient logging is key to maintaining system performance and managing storage capacity. Here's how to strike the right balance:
1. Storage Management
Set retention policies in syslog-ng to prevent storage issues while staying compliant with logging requirements.
2. Traffic Flow Optimization
Ensure traffic is routed efficiently: local traffic uses the VLAN interface, internet traffic goes through the WAN, and VPN traffic is routed via the highest-numbered VLAN.
3. Resource Allocation
Monitor system performance and adjust log collection based on available resources. Focus on logging critical security events when resources are limited.
Fix Common Syslog Problems
Test Server Connection
When troubleshooting Meraki syslog connectivity, start by checking the network path between your devices and the syslog server. The type of connection determines how traffic is routed:
Connection Type | Source IP | Required Configuration |
---|---|---|
LAN-based Server | Local VLAN interface | Verify VLAN routing is correct |
WAN-accessible Server | Public interface | Check NAT settings |
VPN-connected Server | Highest-numbered VLAN IP | Set up site-to-site firewall rules |
For VPN-connected servers, make sure to configure outbound firewall rules in the Organization-wide Site-to-site VPN settings. This is particularly important if your syslog server uses a 6.X.X.X address range in VPN Concentrator mode.
After confirming the connection, move on to checking log reception and configuration details.
Verify Log Reception
To ensure logs are being received, focus on these key areas:
- Storage Capacity: Check the syslog server's storage to avoid log overflow. Use tools like syslog-ng to implement log rotation policies and maintain storage efficiency.
- Log Configuration: Review syslog server settings in the Meraki dashboard (Network-wide > Configure > General):
  - Confirm the correct IP address
  - Verify the UDP port configuration
  - Check the enabled log types
- Firewall Settings: For MX security appliances, ensure that individual firewall rule logging is enabled. You can verify this under Security & SD-WAN > Configure > Firewall in the Syslog column.
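One way to run the "check the enabled log types" step from the server side, as an added example that is not Meraki's or the original article's code: the Python below tallies received lines per device and log type and lists the types enabled in the dashboard that never arrived. The line layout, the `events` and `urls` tag names, the device name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed line layout: "<PRI>VERSION EPOCH DEVICE LOGTYPE key=value ...".
# Compare with a raw capture from your own server before relying on it.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\d+\s+(?P<ts>\d+(?:\.\d+)?)\s+"
    r"(?P<device>\S+)\s+(?P<type>[\w-]+)\s*(?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_line(line):
    """Return a dict for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,   # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": float(m["ts"]),
        "device": m["device"],
        "type": m["type"],
        "fields": {k: v.strip("'") for k, v in KV_RE.findall(m["body"])},
    }

def reception_report(lines, expected_types):
    """Count lines per (device, log type); list enabled types never seen."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            counts[(rec["device"], rec["type"])] += 1
    seen = {log_type for _, log_type in counts}
    missing = sorted(set(expected_types) - seen)
    return {"counts": dict(counts), "missing": missing, "unparsed": unparsed}

# Constructed sample lines (documentation addresses, hypothetical device name).
SAMPLE = [
    "<134>1 1700000000.123456789 MX_lab firewall src=192.168.1.10 "
    "dst=203.0.113.5 protocol=tcp sport=51000 dport=443 pattern: allow all",
    "<134>1 1700000001.5 MX_lab events type=vpn_connectivity_change "
    "vpn_type='site-to-site' connectivity='true'",
    "<134>1 1700000002.0 MX_lab urls src=192.168.1.10:51010 "
    "dst=203.0.113.9:80 request: GET http://example.com/",
    "not a syslog line",
]
# Log types enabled in the dashboard for this hypothetical network.
EXPECTED = ["events", "urls", "firewall", "vpn_firewall"]
```

A type that stays in `missing` after traffic of that kind has passed points back to the dashboard log-type selection or, for flow types, to the per-rule Syslog column.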
Fix Setup Errors
If you've confirmed connectivity and log reception but problems persist, focus on resolving routing or security misconfigurations.
- Network Routing Issues: Double-check that the routing follows the configurations outlined in the Test Server Connection table.
- Security Configuration: When dealing with SNMP v2c monitoring issues, ensure that IP-based access restrictions are correctly set up to allow secure log collection.
LogCentral for Meraki Syslogs
LogCentral and Meraki Setup
LogCentral simplifies managing syslogs for Meraki devices. It supports all major Meraki hardware, including MX Security Appliances, MR Access Points, and MS Switches [1]. This allows you to consolidate syslogs from your entire Meraki network in one secure platform.
By integrating directly with Cisco Meraki, LogCentral minimizes errors that can occur during manual syslog configuration. Here's a closer look at the features that make syslog management easier.
LogCentral Features
LogCentral is built with several capabilities tailored for Meraki systems:
Feature | Description | Benefit |
---|---|---|
Live Visualization | Monitor and analyze logs in real time | Gain instant insights into network events |
Long-term Retention | GDPR-compliant log storage | Maintain historical data for compliance |
Intelligent Alerts | Automated notifications | Quickly address network issues |
Multi-tenancy | Support for multiple organizations | Perfect for MSPs and enterprises |
Automatic Firewalling | Automates IP management for better security | Strengthen network protection |
With 24/7 monitoring, LogCentral ensures you have constant visibility into your Meraki network's activity and security. This is especially useful for tracking the four main message types generated by MX Security Appliances: Event Logs, IDS Alerts, URLs, and Flows [1].
Start Using LogCentral
Ready to get started? Follow these steps to integrate LogCentral into your network:
1. Sign up for a LogCentral account and activate the 7-day free trial.
2. Select the Meraki devices you want to monitor.
3. Configure the log types that fit your needs:
   - Event logs for general system updates.
   - IDS alerts for security monitoring (specific to MX devices).
   - URL logs to track web activity.
   - Flow logs for traffic analysis.
LogCentral takes care of log storage and rotation, solving common problems with traditional syslog servers. It also includes role-based access control (RBAC) and smart IP management to keep your data secure while ensuring authorized personnel can access it. For MSPs, its multi-client dashboard makes managing multiple networks straightforward and efficient.
Summary
Setting up syslogs on Cisco Meraki networks requires a few key steps. First, you’ll need a dedicated syslog server. Then, access the Meraki dashboard to specify the server's IP address and UDP port [1]. For MX appliances, you'll also need to configure firewall rules under Security & SD-WAN > Configure > Firewall.
Different Meraki devices log varying details:
- MX appliances: Events, IDS alerts, URLs, and flows
- MR access points: Events, URLs, and flows
- MS switches: Events only
When implementing syslog, keep these points in mind:
- Ensure enough storage, especially for flow logs.
- Confirm proper firewall and network path settings.
- In AutoVPN setups, syslog traffic originates from the highest VLAN interface [2].
Tools like LogCentral simplify Meraki syslog management by automating storage rotation and security settings. This helps organizations avoid common pitfalls and ensures reliable log collection.
When done right, syslog configuration provides critical insights into network activity and supports compliance needs. Whether you’re using a traditional server or an automated tool like LogCentral, proper setup ensures consistent visibility and strong security monitoring.