Meraki and Syslog-NG

JohnPaulPagano
Just browsing

Meraki and Syslog-NG

Hi,

 

I've been struggling epically to export legible logs from my Meraki devices to a server running Syslog-NG OSE 3.30. No matter what source driver I use on the server, I see errors like this (identifying details changed):

 

May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.881009670 HOSTNAME1 flows allow src=10.1.1.1 dst=10.2.1.1 mac=BLAH protocol=icmp type=0
May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.857281611 HOSTNAME2 flows allow src=10.1.1.2 dst=10.2.1.2 mac=BLAH protocol=icmp type=0

Is it possible that Meraki doesn't send messages that conform to RFC3164 or RFC5424? And if so, does that mean I have to parse them specially on my Syslog-NG server with an XML file in patterndb? Can anyone point to an example of one that I can look at?

 

Thanks!

 

3 REPLIES 3
KarstenI
Kind of a big deal
Kind of a big deal

I am using Graylog and not Syslog-NG, but there I have to use an input of "plain UDP" instead of "syslog UDP" to get my messages into the system.

Thanks for your reply. I have tried all of the Syslog-NG network drivers that seem relevant: default-network-drivers(), network(), and udp().

 

I suspect that Meraki's choice to send UNIX "epoch" timestamps--i.e, "1622231783.881009670"--rather than those formats specified in the syslog RFCs is a problem. 

alex-dna-tech
Comes here often

syslog-ng.conf

Spoiler

@version: 3.9

source s_network {
syslog(ip("0.0.0.0") port(5514) transport("udp") flags(no-parse));
};

destination d_local {
file("/var/log/messages");
};

log {
source(s_network);
destination(d_local);
};

"flags(no-parse)" works for me
Maybe the message can be parsed by a template. Inspired by Syslog-NG documentation

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.