Meraki and Syslog-NG

AkinBredailik
New here


I've been struggling epically to export legible logs from my Meraki devices to a server running Syslog-NG OSE 3.30. No matter what source driver I use on the server, I see errors like this (identifying details changed):

May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.881009670 HOSTNAME1 flows allow src=10.1.1.1 dst=10.2.1.1 mac=BLAH protocol=icmp type=0
May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.857281611 HOSTNAME2 flows allow src=10.1.1.2 dst=10.2.1.2 mac=BLAH protocol=icmp type=0

Is this a Meraki compliance problem with RFC3164 or RFC5424? Or just a message formatting idiosyncrasy? Does it mean that I have to parse Meraki syslog messages specially on my Syslog-NG server with an XML file in patterndb? If so, can anyone point to an example of one that I can look at?

Thanks!

CptnCrnch
Kind of a big deal

Until now, I haven't heard of any issues with Meraki and Syslog-NG. The docs (https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...) even mention it explicitly.

KarstenI
Kind of a big deal

On Graylog I have to specify the input as "RAW UDP" instead of Syslog. Do you have an option like that?
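Added example, not part of the original thread and not Meraki or syslog-ng code: if the datagrams are collected raw, as the Graylog reply suggests, a small parser can split them downstream. The field layout is inferred only from the two sample lines in the question, and treating `>@<` as the marker syslog-ng inserts where its parser stopped is an assumption.

```python
import re
from datetime import datetime, timezone

# Layout inferred from the sample lines in the question (an assumption, not a
# Meraki specification): <PRI>VERSION EPOCH HOST TYPE free-text key=value ...
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+"
    r"(?P<epoch>\d+(?:\.\d+)?)\s+(?P<host>\S+)\s+(?P<type>\S+)\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
ERROR_MARK = ">@<"  # assumed: position marker added by syslog-ng's error output


def parse_meraki(line: str) -> dict:
    """Parse one raw message; raise ValueError if it does not fit the layout."""
    raw = line.strip().replace(ERROR_MARK, "", 1)
    m = LINE_RE.match(raw)
    if m is None:
        raise ValueError(f"not in the expected layout: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        raise ValueError(f"PRI out of range: {pri}")
    rest = m["rest"]
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    # Words before the first key=value pair (e.g. "allow") stay as free text.
    first_kv = KV_RE.search(rest)
    message = rest[: first_kv.start()].strip() if first_kv else rest.strip()
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc),
        "host": m["host"],
        "type": m["type"],
        "message": message,
        "fields": fields,
    }


if __name__ == "__main__":
    # Payload copied from the first error line in the question, marker included.
    sample = ("<134>1>@< 1622231783.881009670 HOSTNAME1 flows allow "
              "src=10.1.1.1 dst=10.2.1.1 mac=BLAH protocol=icmp type=0")
    for key, value in parse_meraki(sample).items():
        print(f"{key}: {value}")
```

The second header field is an epoch value with a fractional part, not a calendar timestamp, so the parser converts it to UTC explicitly.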
