A syslog server can be configured to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS switches. This document will provide examples of syslog messages and how to configure a syslog server to store the messages.
Types of Syslog Messages
The MX Security Appliance supports sending four categories of messages/roles: Event Log, IDS Alerts, URLs, and Flows. MR access points can send the same roles with the exception of IDS alerts. MS switches currently only support Event Log messages.
URL
Any HTTP GET request will generate a syslog entry.
A client with IP address 192.168.10.3 sent an HTTP GET request for http://www.meraki.com.
Flows
Inbound and outbound flows will generate a syslog message showing the source and destination along with port numbers and the firewall rule that they matched. For inbound rules, 1=deny and 0=allow.
The inbound flow example shows a blocked UDP flow from 39.41.X.X to the WAN IP of the MX. The outbound flow shows an allowed outbound flow for a DNS request.
Appliance/Switch/Wireless Event Log
A copy of the messages found in the dashboard under Network-wide > Monitor > Event log.
Example:
May 10 18:46:04 192.168.10.1 1 948080570.911780502 MX60 events dhcp lease of ip 192.168.10.252 from server mac 00:18:0A:XX.XX.XX for client mac 58:67:1A:XX.XX.XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4
Summary:
A client with MAC address 00:18:0A:XX.XX.XX leased an IP address from the MX and the MX provided 8.8.8.8 and 8.8.4.4 as DNS servers to the client.
Security Events
Any security event will generate a syslog message (this role is available on the MX security appliance only).
A beacon was sent by a device that exists on the LAN, generating a rogue SSID event that resulted in a syslog message.
Log Samples and More Information
For more information on Syslog Event Types and a list of log samples for each product, please refer to this article.
Configuring a Syslog Server
A syslog server can easily be configured on a Linux system in a short period of time, and there are many other syslog servers available for other OSes (Kiwi Syslog for Windows, for example).
The following commands detail an example syslog server configuration on Ubuntu 13.04 using syslog-ng, to gather syslog information from an MX security appliance.
Note: The following commands outline an example configuration for demonstration purposes. Please refer to your server documentation for specific instructions and information.
The first step is to install the syslog application:
Once syslog-ng has been installed, it needs to be configured to receive log messages from the MX. These instructions will configure syslog-ng to store each of the role categories in its own log file: there will be an individual log file for URLs, Event Logs, etc. Alternatively, it could be configured to store all logs in one file. Use any appropriate editor to make changes to the syslog-ng configuration file. In this example nano is used to edit the file.
The LAN IP of the MX in this example will be 192.168.10.1. The syslog server is listening on 192.168.10.241 UDP port 514. Update as needed to reflect the LAN IP of the MX and the syslog server being configured. The first section of code will configure all syslog messages from the MX to be stored in /var/log/meraki.log. The second section of code will use regular expressions to match each of the role categories and store them in individual log files. Only one of the options needs to be configured.
Option 1 - Log all messages to /var/log/meraki.log:
Option 2 - Log different message types to individual log files:
The final step will restart the syslog-ng process:
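The three steps above carried through in one script, as an added example that is not code from the Meraki page or from the syslog-ng project. It assumes Ubuntu with apt, an MX at 192.168.10.1, a server at 192.168.10.241 on UDP port 514, that the main syslog-ng config includes /etc/syslog-ng/conf.d/*.conf, and that the role keywords are urls, flows, events and ids-alerts (only events appears in the page's sample message).

```shell
#!/bin/sh
# Added example (not Meraki's or syslog-ng's own code). Assumed: Ubuntu/apt,
# MX at 192.168.10.1, server 192.168.10.241:514/udp, conf.d is included.
set -eu
MX_IP="${MX_IP:-192.168.10.1}"
SERVER_IP="${SERVER_IP:-192.168.10.241}"
ROLES="urls flows events ids-alerts"   # role keywords (assumed beyond "events")
install_syslog_ng() { sudo apt-get install -y syslog-ng; }   # step 1 on the page
# Option 1: everything the MX sends goes into /var/log/meraki.log.
write_option1() {
    cat <<EOF
source s_meraki { udp(ip("$SERVER_IP") port(514)); };
filter f_mx { host("$MX_IP"); };
destination d_all { file("/var/log/meraki.log"); };
log { source(s_meraki); filter(f_mx); destination(d_all); };
EOF
}
# Option 2: one file per role. The role keyword follows the device name in every
# message ("... MX60 events dhcp lease ..."), so a regex on MESSAGE sorts them.
# syslog-ng identifiers cannot contain '-', hence the sed for ids-alerts.
write_option2() {
    printf 'source s_meraki { udp(ip("%s") port(514)); };\n' "$SERVER_IP"
    printf 'filter f_mx { host("%s"); };\n' "$MX_IP"
    for role in $ROLES; do
        name=$(printf '%s' "$role" | sed 's/-/_/g')
        printf 'filter f_%s { match(" %s " value("MESSAGE")); };\n' "$name" "$role"
        printf 'destination d_%s { file("/var/log/meraki-%s.log"); };\n' "$name" "$role"
        printf 'log { source(s_meraki); filter(f_mx); filter(f_%s); destination(d_%s); };\n' "$name" "$name"
    done
}
# Same keyword test as the Option 2 filters, to check a captured line before
# restarting the daemon. Prints the matched role; exits 1 if no role matches.
role_of() {
    for role in $ROLES; do
        case " $1 " in *" $role "*) echo "$role"; return 0 ;; esac
    done
    return 1
}
# Constructed from the page's sample event message (MACs masked as on the page).
SAMPLE='May 10 18:46:04 192.168.10.1 1 948080570.911780502 MX60 events dhcp lease of ip 192.168.10.252 from server mac 00:18:0A:XX.XX.XX for client mac 58:67:1A:XX.XX.XX'
# Final step on the page: install, drop the chosen option in place, restart.
apply() {
    install_syslog_ng
    write_option2 | sudo tee /etc/syslog-ng/conf.d/meraki.conf >/dev/null
    sudo service syslog-ng restart
}
if [ "${1:-}" = apply ]; then apply; fi
```

Run with the argument `apply` to install and restart; without it the script only defines the functions, so `sh -c '. ./meraki-syslog.sh; write_option2'` prints the config for review first.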
Configure Dashboard
Syslog servers can be defined in the Dashboard from Network-wide > Configure > General.
Click the Add a syslog server link to define a new server. An IP address, UDP port number, and the roles to send to the server need to be defined. Multiple syslog servers can be configured.
If the Flows role is enabled on an MX security appliance, logging for individual firewall rules can be enabled/disabled on the Security appliance > Configure > Firewall page, under the Logging column:
Additional Considerations
Syslog messages can take up a large amount of disk space. When deciding on a host to run the syslog server, make sure the host has enough storage space to hold the logs. Consult the syslog-ng man page for further information on retaining logs only for a certain period of time.
If the environment has multiple MX devices using site-to-site VPN, and logging is done to a syslog server on the remote side of the VPN, that traffic will be subject to the site-to-site firewall. As such, note that it may be necessary to create a Site-to-site firewall rule to allow the syslog traffic through. This is done from Security appliance > Configure > Site-to-site VPN > Organization-wide settings > Add a rule.
The source IP address needs to be the IP address of the highest VLAN on the MX that sends the syslog messages to the syslog server. The destination IP address is the IP address of the syslog server. Change the destination port number if the syslog server does not listen for syslog messages on the standard UDP port 514.