Cisco Meraki can't send Syslog to Graylog Open

Dear Community,

I hope everyone is fine. I have a Cisco Meraki Firewall MX-100 and I configured it to send syslog to my Graylog Open. The problem is that the logs do not appear in Graylog. Which input must I add in Graylog to receive Cisco Meraki logs? The Cisco Meraki and Graylog are on the same network. My Graylog version is Graylog 5.0.10. Thanks for your time; I will be waiting for your answers :slight_smile:

@m.tsimettas, you need a Syslog input for a syslog message.

If you are using one already, you may have a server time and/or timestamp issue. To check that, try setting the search window to return All Messages, and see if they show up there. If they do, come back and tell us what you see in the timestamps and I’ll give you suggestions on how to correct it.

What Graylog input are you using?

I believe Cisco started defaulting to non-RFC-compliant syslog timestamps, which cannot be processed by standard RFC-compliant syslog inputs. You can use a Raw/Plaintext input though.

Meraki Syslog and Nanosecond Timestamps

Cisco Meraki devices are sometimes configured to send epoch timestamps with nanoseconds; the Graylog syslog input cannot parse these messages and will drop them. If your device is configured to send nanosecond timestamps please configure a Raw/Plaintext UDP input for Graylog and configure the Meraki to send logs to the raw input. This input must be configured to use a different port than any other existing UDP input. The parsing of epoch timestamps will be addressed in a future version of Graylog.

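To make the doc note concrete, here is an added example (not code from this thread, Graylog or Meraki) of what a parser behind a Raw/Plaintext input has to handle: it tells an epoch.nanosecond timestamp apart from an RFC 5424 one and normalises both to the same value. The message shape, hostname and all field values are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not a real capture): a Meraki-style line carrying an
# epoch.nanoseconds timestamp where an RFC 5424 message would carry an ISO timestamp.
SAMPLE_EPOCH = ("<134>1 1690000000.123456789 MX100 flows src=10.0.0.5 dst=93.184.216.34 "
                "protocol=tcp sport=51234 dport=443 pattern: allow all")
# The same constructed event with an RFC 5424 timestamp, which a Syslog input accepts as-is.
SAMPLE_RFC = ("<134>1 2023-07-22T04:26:40.123456Z MX100 flows src=10.0.0.5 dst=93.184.216.34 "
              "protocol=tcp sport=51234 dport=443 pattern: allow all")

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<body>.*)$")
EPOCH_NS = re.compile(r"^(?P<sec>\d{9,10})\.(?P<frac>\d{1,9})$")
RFC5424_TS = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)$")

def needs_raw_input(line):
    """True when the timestamp is epoch.nanoseconds, i.e. a Syslog input would drop the line."""
    m = HEADER.match(line)
    return bool(m and EPOCH_NS.match(m.group("ts")))

def parse_meraki(line):
    """Parse one Meraki-style line into the fields a pipeline rule would set on the message."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("line does not have the <PRI>VERSION TS HOST TYPE BODY shape")
    ts = m.group("ts")
    e = EPOCH_NS.match(ts)
    if e:
        # Epoch seconds plus a fraction; datetime keeps microseconds, so the last
        # three nanosecond digits are dropped (search granularity does not need them).
        micros = int(e.group("frac").ljust(9, "0")) // 1000
        when = datetime.fromtimestamp(int(e.group("sec")), tz=timezone.utc).replace(microsecond=micros)
        ts_kind = "epoch_ns"
    elif RFC5424_TS.match(ts):
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        ts_kind = "rfc5424"
    else:
        raise ValueError(f"unrecognised timestamp {ts!r}")
    pri = int(m.group("pri"))
    return {
        "timestamp": when.isoformat(),
        "timestamp_kind": ts_kind,
        "facility": pri // 8, "severity": pri % 8,
        "source": m.group("host"),
        "meraki_type": m.group("kind"),
        # key=value pairs become searchable fields; the free-text tail stays in "message"
        "fields": dict(re.findall(r"(\w+)=(\S+)", m.group("body"))),
        "message": m.group("body"),
    }
```

Run `needs_raw_input` over a few captured lines first: if it returns True, the Syslog input is dropping them and a Raw/Plaintext input on its own UDP port is the fix the doc describes.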

@drewmiranda-gl, with the docs, FTW!


Plain text will work, but if you wanted to save a lot of headaches down the road, I recommend ingesting Meraki logs with Logstash, processing the messages there, then sending to Graylog. I changed to Logstash ingestion and processing several months ago, separating each type of Meraki log into a different port with different rules, and ingesting all of this from 40 Meraki appliances. No Graylog pipelines or extractors to deal with or provide overhead for. YMMV.
