Syslog Server Overview and Configuration
Click 日本語 for Japanese
Overview
This article explains how to configure a syslog server to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS Switches. It provides examples of syslog messages and shows how to set up a server to collect and store them.
Types of syslog messages
Meraki devices send different categories of messages, called roles, depending on the product:
-
The MX Security Appliance sends four main roles: Event Log, IDS Security Alerts, URLs, and Flows.
-
MR Access Points send the same roles except IDS Security Alerts, and they add Air Marshal events.
-
MS Switches currently support only Event Log messages.
If the syslog server sits across a VPN, the source IP is 6.X.X.X when no VLANs run in VPN mode, when the MX runs in passthrough mode, or when the MX runs in Routed/NAT Single LAN mode.
Appliance/Wireless URLs
Any HTTP GET request generates a syslog entry.
Example: Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com
Summary: A client with IP address 192.168.10.3 sent an HTTP GET request for http://www.meraki.com.
With the release of MX26.1, the URLs role splits into Wireless URLs and Appliance URLs, selectable per product. Existing configurations that selected the URLs role now have both Appliance URLs and Wireless URLs selected.
Appliance/Wireless Flows
Inbound and outbound flows generate a syslog message that shows the source, destination, port numbers, and the matched firewall rule. For inbound rules, 1 = deny and 0 = allow.
Examples:
Inbound Flow: 948077334.886213117 MX60 flows src=39.41.X.X dst=114.18.X.X protocol=udp sport=13943 dport=16329 pattern: 1 all
Outbound Flow: 948136486.721741837 MX60 flows src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all
Summary: The inbound example shows a blocked UDP flow from 39.41.X.X to the WAN IP of the MX. The outbound example shows an allowed outbound flow for a DNS request.
In firmware MX18.101 and newer, the "flows" syslog message changes to "firewall", "vpn_firewall", "cellular_firewall", or "bridge_anyconnect_client_vpn_firewall" depending on the matched rule. Using the outbound flow, the updated message reads:
948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all
With the release of MX26.1, the Flows role splits into Wireless Flows and Appliance Flows, selectable per product. Existing configurations that selected the Flows role now have both Appliance Flows and Wireless Flows selected.
Appliance/Switch/Wireless Event Log
The Event Log role sends a copy of the messages found in the Dashboard under Network-wide > Monitor > Event log.
Example: May 10 18:46:04 192.168.10.1 1 948080570.911780502 MX60 events dhcp lease of ip 192.168.10.252 from server mac 00:18:0A:XX.XX.XX for client mac 58:67:1A:XX.XX.XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4
Summary: A client with MAC address 00:18:0A:XX.XX.XX leased an IP address from the MX, and the MX provided 8.8.8.8 and 8.8.4.4 as DNS servers to the client.
Appliance Security Events
Security events generate a syslog message (MX Security Appliance-only role).
Example: 1490031971.951780201 ANB_MX80 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1490031971.693691 shost=00:15:5D:1E:08:04 direction=egress protocol=udp/ip src=192.168.30.10:49243 dst=71.10.216.1:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query
Summary: An IDS syslog message generated when a .tk DNS query went from 192.168.30.10 to 71.10.216.1.
Wireless Air Marshal Events
Air Marshal events generate a syslog message describing the detected wireless traffic.
Example: 1621528337.761795645 mr56 airmarshal_events type='containing_device' ssid='Test_Air-Marshal' bssid='FF:FF:FF:FF:FF:FF' src=''02:18:6A:XX:XX:XX' dst='FF:FF:FF:FF:FF:FF' wired_mac='' vlan_id='' channel='44' rssi='45' fc_type='0' fc_subtype='5'
Summary: A syslog message generates when the access point attempts to disassociate a client from a contained SSID.
For more information on Syslog Event Types and a list of log samples for each product, please refer to this article.
Syslog message structure will vary between switch models For example, when a cycle port was conducted on an MS120 (MS17.2.1) and a C9300 (IOS XE 17.15.3), syslog messages and structure are reported differently:

Prerequisites
- A host with enough storage to run the syslog server. Syslog messages, especially flows, consume large amounts of disk space.
- For encrypted syslog: an MX Security Appliance running MX26.1 firmware or higher. TCP syslog (with or without TLS) requires MX26.1 and above.
- For FQDN server addresses: MX26.1 firmware or higher.
- A syslog server application. On Linux, this example uses syslog-ng. Other operating systems have alternatives (for example, Kiwi Syslog for Windows).
Encrypted syslog is currently supported only on MX Security Appliances running MX26.1. MS and MR will support it in a future release. Z-series Teleworker Gateways do not support encrypted syslog.
Step-by-step instructions
Configure a syslog server on Linux
The following commands show an example configuration on Ubuntu 13.04 using syslog-ng to gather syslog information from an MX Security Appliance.
These commands are an example for demonstration. Refer to your server documentation for specific instructions.
-
Install the syslog application: sysadmin@ubuntu:~$ sudo apt-get install syslog-ng
-
Open the configuration file in an editor. This example uses nano: sysadmin@ubuntu:~$ sudo nano /etc/syslog-ng/syslog-ng.conf
-
Choose one of the two logging options below. In this example, the MX LAN IP is 192.168.10.1 and the syslog server listens on 192.168.10.241, UDP port 514. Update these values to match your MX LAN IP and syslog server. Configure only one option.
- Option 1 - Log all messages to /var/log/meraki.log:
#define syslog source
source s_net { udp(ip(192.168.10.241) port(514)); };
#create filter to match traffic (this filter will catch all syslog messages that come from the MX)
filter f_meraki { host( "192.168.10.1" ); };
#define a destination for the syslog messages
destination df_meraki { file("/var/log/meraki.log"); };
#bundle the source, filter, and destination rules together with a logging rule
log { source ( s_net ); filter( f_meraki ); destination ( df_meraki ); };
- Option 2 - Log different message types to individual log files:
#define syslog source
source s_net { udp(ip(192.168.10.241) port(514)); };
#create individual filters to match each of the role categories
filter f_meraki_urls { host( "192.168.10.1" ) and match("urls" value ("MESSAGE")); };
filter f_meraki_events { host( "192.168.10.1" ) and match("events" value ("MESSAGE")); };
filter f_meraki_ids-alerts { host( "192.168.10.1" ) and match("ids_alerted" value ("MESSAGE")); };
filter f_meraki_flows { host( "192.168.10.1" ) and match("flows" value ("MESSAGE")); };
#define individual destinations for each of the role categories
destination df_meraki_urls { file("/var/log/meraki_urls.log"); };
destination df_meraki_events { file("/var/log/meraki_events.log"); };
destination df_meraki_ids-alerts { file("/var/log/meraki_ids-alerts.log"); };
destination df_meraki_flows { file("/var/log/meraki_flows.log"); };
#bundle the source, filter, and destination rules together with a logging rule for each role category
log { source ( s_net ); filter( f_meraki_urls ); destination ( df_meraki_urls ); };
log { source ( s_net ); filter( f_meraki_events ); destination ( df_meraki_events ); };
log { source ( s_net ); filter( f_meraki_ids-alerts ); destination ( df_meraki_ids-alerts ); };
log { source ( s_net ); filter( f_meraki_flows ); destination ( df_meraki_flows ); };
-
Restart the syslog-ng process: sysadmin@ubuntu:~$ sudo /etc/init.d/syslog-ng restart
Configure the Dashboard
-
Go to Network-wide > Configure > General.
-
Select Add a syslog server to define a new server.
-
Enter an IP address and UDP port number, and select the roles to send to the server. You can configure multiple syslog servers.
-
Select Update syslog servers.

In single device-type networks (Appliance-only, Switch-only, or Wireless-only), syslog servers appear under the Logging section instead of Reporting.
Fully-qualified Domain Names (FQDNs) are a supported Server address option beginning with MX26.1 firmware.
Configure encrypted (TLS) syslog
TLS encryption over TCP, defined in RFC 5425, secures syslog traffic sent over an insecure medium.
-
Configure a syslog server, port, and TCP protocol. TLS encryption is only supported over TCP.
-
Select TCP so you can check the Encrypted (TLS) syslog checkbox.
-
Enable the Encrypted (TLS) syslog checkbox.
Because encrypted syslog currently supports only MX Security Appliances, configure only Appliance Event log, Appliance Flows, and/or Appliance URLs for a server set to encrypted syslog. Add a separate syslog server entry for Switch or Wireless roles.

Certificate authentication
By default, the MX authenticates the syslog server's digital certificate using the Common CA Database ((CCADB). To use your own CA bundle:
-
Upload your CA bundle on the Organization > Certificates page.
-
Select Select a certificate next to the Enable checkbox for Encrypted (TLS) syslog and choose your uploaded bundle.
If you do not upload and select a CA bundle for a given syslog server configuration, that configuration uses the CCADB certificate bundle to authenticate the server's digital certificate.

Enable or disable per-rule flow logging
If you enable the Appliance Flows role on an MX, enable or disable logging for individual firewall rules on the Security & SD-WAN > Configure > Firewall page, under the Syslog column.

Troubleshooting
Troubleshooting Syslog
If the syslog server is across a VPN, the source IP will be 6.X.X.X, provided no VLANs are in VPN mode, the MX is in passthrough mode, or the MX is in Routed/NAT Single LAN mode.
Storage allocation
Syslog messages can take up a large amount of disk space, especially when collecting flows. When choosing a host to run the syslog server, ensure enough storage space to hold the logs. Consult the syslog-ng man page for information on keeping logs for only a certain amount of time.
Errant underscores
When displaying device hostnames, the system replaces any character that is not a letter (a–z, A–Z), number (0–9), or underscore (_) with an underscore. This is expected behavior and may occur with hostnames that contain unsupported special characters.
Expected traffic flow
Syslog traffic flows to the server in one of three scenarios, depending on the route type used to reach the server.
Scenario 1 – Reachable via LAN: The MX sources traffic from the VLAN interface where the server resides if the syslog server is on the LAN of the MX. The transit VLAN interface is used if the device is only accessible via static route.
Scenario 2 – Reachable via public interface: The MX sources traffic from the public interface (WAN) if the syslog server is accessible via the WAN link.
Scenario 3 – Reachable via AutoVPN: The MX sources traffic from the interface of the highest VLAN participating in AutoVPN if the syslog server is accessible via AutoVPN. If the traffic passes through the site-to-site AutoVPN connection, the traffic is subject to the Site-to-site outbound firewall rules, so you may need an allow rule.
To configure this allow rule:
-
Go to Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings.
-
Select Add a rule.

If full-tunnel VPN is configured on the appliance, use VPN Full-Tunnel Exclusion together with encrypted syslog to send secured syslog traffic to a syslog server on the Internet.
If outbound syslog traffic is blocked with a site-to-site VPN firewall rule that is syslog-enabled, the blocks will be logged for each generated syslog packet, and they will not reach the configured syslog server.
Troubleshoot encrypted syslog connectivity
Encrypted (TLS) syslog is available on MX Security Appliances running MX26.1 firmware or higher. If an MX Security Appliance is configured for encrypted syslog and downgraded below MX26.1, it will not send syslog whatsoever and would need to be re-configured for syslog without encryption.
The Z-series Teleworker Gateways do not support encrypted syslog. Switches and wireless access points will support Encrypted (TLS) syslog in their future releases.
Due to a now resolved issue, encrypted syslog deployed in a Configuration Template prior to March 6, 2026 will not work properly and will not send encrypted or unencrypted syslog. To resolve this, delete and then readd the encrypted syslog server entry in the Configuration Template.

