
I've been struggling epically to export legible logs from my Meraki devices to a server running Syslog-NG OSE 3.30. No matter what source driver I use on the server, I see errors like this (identifying details changed):

May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.881009670 HOSTNAME1 flows allow src=10.1.1.1 dst=10.2.1.1 mac=BLAH protocol=icmp type=0
May 28 15:56:23  syslog-ng[32734]: Error processing log message: <134>1>@< 1622231783.857281611 HOSTNAME2 flows allow src=10.1.1.2 dst=10.2.1.2 mac=BLAH protocol=icmp type=0

Is this a Meraki compliance problem with RFC3164 or RFC5424? Or just a message formatting idiosyncrasy? Does it mean that I have to parse Meraki syslog messages specially on my Syslog-NG server with an XML file in patterndb? If so, can anyone point to an example of one that I can look at?

Thanks!

1 Answer


I have found the answer. Meraki presently sends syslog messages with UNIX time format rather than in ISO 8601 format. This won't work with Syslog-NG's network drivers--i.e. default-network-drivers(), syslog(), and network()--unless you bend over backwards to parse and rewrite the messages to be compliant with RFC 5424.

Nightmare and frankly strange choice on Cisco's part.
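To make the mismatch concrete, here is an added Python example (not code from the question, the answer, syslog-ng or Meraki) that checks whether a line has the RFC 5424 header syslog-ng's network drivers expect, and rewrites a Meraki-style line into that shape. The sample lines are constructed from the error output above; the `>@<` in that output is syslog-ng's marker for the position where parsing stopped, which lands right after the version digit because a UNIX epoch follows instead of an ISO 8601 timestamp. Treating the word after the hostname (`flows`) as the RFC 5424 APP-NAME, and filling PROCID, MSGID and STRUCTURED-DATA with the NILVALUE `-`, are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape Meraki sends (identifying details made up),
# with syslog-ng's ">@<" failure marker removed from the error output above.
MERAKI_LINES = [
    "<134>1 1622231783.881009670 HOSTNAME1 flows allow src=10.1.1.1 dst=10.2.1.1 mac=BLAH protocol=icmp type=0",
    "<134>1 1622231783.857281611 HOSTNAME2 flows allow src=10.1.1.2 dst=10.2.1.2 mac=BLAH protocol=icmp type=0",
]

# RFC 5424 header: PRI, VERSION, then an RFC 3339 / ISO 8601 TIMESTAMP (or "-").
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?:-|(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))) "
)

# Meraki variant (assumed layout): PRI, VERSION, UNIX epoch with fraction, hostname, program, message.
MERAKI_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<epoch>\d+(?:\.\d+)?) "
    r"(?P<host>\S+) (?P<program>\S+) (?P<msg>.*)$"
)


def is_rfc5424(line: str) -> bool:
    """True when the header would satisfy an RFC 5424 parser (ISO 8601 timestamp after VERSION)."""
    return RFC5424_HEADER.match(line) is not None


def epoch_to_utc(epoch: str) -> datetime:
    """Convert '1622231783.881009670' to a UTC datetime without float rounding (truncates to microseconds)."""
    secs, _, frac = epoch.partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(microsecond=micro)


def parse_meraki(line: str) -> dict:
    """Split a Meraki-style line into its header fields plus decoded facility/severity."""
    m = MERAKI_HEADER.match(line)
    if not m:
        raise ValueError(f"not a Meraki-style syslog line: {line!r}")
    d = m.groupdict()
    pri = int(d["pri"])
    d["facility"], d["severity"] = pri >> 3, pri & 7   # <134> = local0 (16), info (6)
    d["timestamp"] = epoch_to_utc(d["epoch"])
    return d


def to_rfc5424(line: str) -> str:
    """Rewrite the line with an ISO 8601 timestamp and NILVALUE placeholders so an RFC 5424 parser accepts it."""
    d = parse_meraki(line)
    ts = d["timestamp"].isoformat(timespec="microseconds").replace("+00:00", "Z")
    return f"<{d['pri']}>{d['version']} {ts} {d['host']} {d['program']} - - - {d['msg']}"


if __name__ == "__main__":
    for raw in MERAKI_LINES:
        print("RFC 5424 as received:", is_rfc5424(raw))
        fixed = to_rfc5424(raw)
        print("rewritten:           ", fixed)
        print("RFC 5424 after fix:  ", is_rfc5424(fixed))
```

Running it shows each Meraki line failing the RFC 5424 check and passing once rewritten, e.g. `<134>1 2021-05-28T19:56:23.881009Z HOSTNAME1 flows - - - allow src=...`. In syslog-ng terms this is the work a `no-parse` receive path plus a parser and rewrite rule would have to do before the message reaches normal filters and destinations; the example exists to show what that step must produce, not to replace a syslog-ng configuration.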