Meraki and Syslog-NG

JohnPaulPagano
Just browsing

Meraki and Syslog-NG

Hi,

 

I've been struggling epically to export legible logs from my Meraki devices to a server running Syslog-NG OSE 3.30. No matter what source driver I use on the server, I see errors like this (identifying details changed):

 

May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.881009670 HOSTNAME1 flows allow src=10.1.1.1 dst=10.2.1.1 mac=BLAH protocol=icmp type=0
May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.857281611 HOSTNAME2 flows allow src=10.1.1.2 dst=10.2.1.2 mac=BLAH protocol=icmp type=0

Is it possible that Meraki doesn't send messages that conform to RFC3164 or RFC5424? And if so, does that mean I have to parse them specially on my Syslog-NG server with an XML file in patterndb? Can anyone point to an example of one that I can look at?

 

Thanks!

 

3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal

I am using Graylog and not Syslog-NG, but there I have to use an input of "plain UDP" instead of "syslog UDP" to get my messages into the system.

Thanks for your reply. I have tried all of the Syslog-NG network drivers that seem relevant: default-network-drivers(), network(), and udp().

 

I suspect that Meraki's choice to send UNIX "epoch" timestamps--i.e, "1622231783.881009670"--rather than those formats specified in the syslog RFCs is a problem. 

alex-dna-tech
Comes here often

syslog-ng.conf

Spoiler

@version: 3.9

source s_network {
syslog(ip("0.0.0.0") port(5514) transport("udp") flags(no-parse));
};

destination d_local {
file("/var/log/messages");
};

log {
source(s_network);
destination(d_local);
};

"flags(no-parse)" works for me
Maybe the message can be parsed by a template. Inspired by Syslog-NG documentation

Get notified when there are additional replies to this discussion.