Meraki

Community

Meraki and Syslog-NG

JohnPaulPagano
Just browsing
‎May 28 2021 3:43 PM
‎May 28 2021 3:43 PM

Meraki and Syslog-NG

Hi,

 

I've been struggling epically to export legible logs from my Meraki devices to a server running Syslog-NG OSE 3.30. No matter what source driver I use on the server, I see errors like this (identifying details changed):

 

May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.881009670 HOSTNAME1 flows allow src=10.1.1.1 dst=10.2.1.1 mac=BLAH protocol=icmp type=0
May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.857281611 HOSTNAME2 flows allow src=10.1.1.2 dst=10.2.1.2 mac=BLAH protocol=icmp type=0

Is it possible that Meraki doesn't send messages that conform to RFC3164 or RFC5424? And if so, does that mean I have to parse them specially on my Syslog-NG server with an XML file in patterndb? Can anyone point to an example of one that I can look at?

 

Thanks!

 

0 Kudos
3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal
‎May 29 2021 2:35 AM
‎May 29 2021 2:35 AM

I am using Graylog and not Syslog-NG, but there I have to use an input of "plain UDP" instead of "syslog UDP" to get my messages into the system.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
JohnPaulPagano
Just browsing
‎May 31 2021 5:50 PM
‎May 31 2021 5:50 PM

Thanks for your reply. I have tried all of the Syslog-NG network drivers that seem relevant: default-network-drivers(), network(), and udp().

 

I suspect that Meraki's choice to send UNIX "epoch" timestamps--i.e, "1622231783.881009670"--rather than those formats specified in the syslog RFCs is a problem. 

0 Kudos
alex-dna-tech
Comes here often
‎Nov 9 2021 10:57 PM
‎Nov 9 2021 10:57 PM

syslog-ng.conf

Spoiler

@version: 3.9

source s_network {
syslog(ip("0.0.0.0") port(5514) transport("udp") flags(no-parse));
};

destination d_local {
file("/var/log/messages");
};

log {
source(s_network);
destination(d_local);
};

"flags(no-parse)" works for me
Maybe the message can be parsed by a template. Inspired by Syslog-NG documentation

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.