We recently introduced syslog integration to our MX Security Appliances, giving IT departments access to a firehose of network activity information. Splunk, a San Francisco-based company just down the road from Meraki, provides a great tool to tame the firehose and extract the most relevant information from the data. If you already have a syslog server in your environment, you can integrate it with your MX, too.
The first step is to point to the syslog server in the Meraki dashboard. Naturally, this step is simple: just enter the IP and port of the syslog server, and then add the roles to send to the server. You’ll find the syslog section on the Configure > Alerts and administration page. A note of caution: it’s easy to send large volumes of data to the syslog server, so it’s best to be selective about the roles you add. This is where Splunk thrives. It takes massive amounts of data and makes it easy for you to search and find the information you need.
The next step is to view the data in the syslog environment. If you haven’t installed Splunk, you can download a free version that can index up to 500 Megabytes of data per day. You can then search in Splunk and see network event information from the MX. For example, you can see URLs that have been blocked by the MX’s content filtering or traffic flows blocked by the MX’s firewall.
Syslog is also a great tool to troubleshoot network issues. Sometimes devices aren’t operating as expected, and if you’re using the MX’s integrated stateful firewall, syslog can identify individual traffic flows, show firewall events, and help pinpoint why devices are experiencing issues.
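As an added illustration of the kind of search described above (this is example code written for this post, not a Meraki or Splunk tool), the snippet below parses a handful of constructed MX-style syslog lines and pulls out firewall-denied flows per client and content-filtering blocks. The line layout (`timestamp device role key=value ...`, with `pattern: deny|allow` on flow lines and a `content_filtering_block` event type) is an assumption made for the example; adjust the regexes to match the lines your own MX sends.

```python
import re
from collections import Counter

# Constructed sample lines approximating the MX "flows" and "events" syslog roles.
# These are made up for the example; they are not captured from a real appliance.
SAMPLE_LOGS = [
    "1374543213.342 MX84 flows src=192.168.1.20 dst=203.0.113.5 protocol=tcp sport=51234 dport=23 pattern: deny all",
    "1374543214.100 MX84 flows src=192.168.1.20 dst=198.51.100.9 protocol=udp sport=5353 dport=53 pattern: allow all",
    "1374543216.007 MX84 flows src=192.168.1.31 dst=203.0.113.5 protocol=tcp sport=51235 dport=3389 pattern: deny all",
    "1374543217.009 MX84 events type=content_filtering_block url=http://blocked.example/malware server=203.0.113.77:80 client_mac=AA:BB:CC:DD:EE:FF",
]

# Header: epoch timestamp, device name, role (flows/urls/events/...), then the body.
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<role>\S+)\s+(?P<body>.*)$")
# key=value pairs in the body; values run to the next whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one MX-style syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "device": m["device"], "role": m["role"]}
    body = m["body"]
    rec.update(KV_RE.findall(body))
    # Flow lines carry the firewall verdict after "pattern:" (e.g. "deny all").
    if "pattern:" in body:
        rec["action"] = body.split("pattern:", 1)[1].split()[0]
    return rec


def summarize_blocks(lines):
    """Count firewall denies per source IP and collect content-filter blocked URLs."""
    denies = Counter()
    blocked_urls = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        if rec["role"] == "flows" and rec.get("action") == "deny":
            denies[rec["src"]] += 1
        elif rec["role"] == "events" and rec.get("type") == "content_filtering_block":
            blocked_urls.append(rec["url"])
    return denies, blocked_urls


if __name__ == "__main__":
    denies, urls = summarize_blocks(SAMPLE_LOGS)
    print("firewall denies by source:", dict(denies))
    print("content-filter blocked URLs:", urls)
```

Pointed at a file of real MX syslog output, the same two functions give a quick per-host view of denied flows to investigate before opening Splunk.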
The power of syslog integration lies in its depth and flexibility. The MX’s syslog integration lets you harness the information about your network and troubleshoot problems, investigate network and security events, and monitor your infrastructure. Splunk offers a great tool to understand all that information, and numerous other products can take advantage of it, too.