Graylog 6.3.1 not ingesting data from Meraki devices

Hello,

[I had posted this last week with the information in the incorrect order. I am re-posting in hopes of getting a response.]

I’m in the process of migrating from a Graylog 4.2.9 system to a 6.3.1 system.
Currently, we have Meraki devices successfully sending syslog data to the 4.2.9 system
using a Raw/Plaintext UDP Input with no extractors. It works fine just as is.

When sending to the Graylog 6 server, the log fills with errors about a date/time format
issue very quickly. I’ve posted a log snippet already.

I’ve researched and found information about needing an extractor on the Input, but I’ve
also read that extractors are being replaced by pipelines. At this point I’m a bit confused
as to how to solve this so I’m reaching out in hopes of getting some help.

Details:

  1. Describe your incident:
    Graylog 6.3.1 not ingesting data from Meraki devices
  2. Describe your environment:
    OS Information: RHEL 9.6
    Package Version:
    Graylog: 6.3.1

Service logs, configurations, and environment variables:
Example log data snippet from the version 6 server:
2025-07-24T14:00:13.150-05:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=6dac3fe3-68c0-11f0-9a89-506b8d8345aa, messageQueueId=312117532, codec=syslog, payloadSize=164, timestamp=2025-07-24T19:00:13.150Z, seqenceNr=3268755, remoteAddress=/10.21.11.254:40214}
java.lang.IllegalArgumentException: Invalid format: "1753383613.119186567" is malformed at "3.119186567"
at org.joda.time.format.DateTimeFormatter.parseDateTime(DateTimeFormatter.java:953) ~[graylog.jar:?]

  1. What steps have you already taken to try and solve the problem?
    I’ve copied the working setup (Inputs, Streams/Rules, etc) from the version 4
    system into the version 6 system; however, when sending Meraki data to the 6.3.1
    system, the graylog-server log file fills up with errors about the date/time
    format and I see no Meraki data when searching for it.

I researched this and found answers about needing to use the Raw/Plaintext UDP Input for
the Meraki data, which I already am on both systems.

I know the Meraki syslog data is getting to the server unimpeded by showing the connection in our firewall logs, and also by way of seeing the huge amounts of log errors this is causing.
It’s causing the logs to rotate very quickly.

  1. How can the community help?
    Since the version 6 server isn’t ingesting the Meraki data, but the version 4 server is,
    I’d like to know if there is some difference between version 4 and 6 that would require a Raw/Plaintext UDP input in 6 to need further customization in order to ingest Meraki
    syslog data successfully. If so, I guess I need some help figuring out exactly what needs
    to be done to get this data ingested.

Thanks in advance for any help! If there’s more info I can send, please let me know and I will share it.

Thank You

To rephrase:

When sending Meraki data to the Graylog 6 server, the log fills with errors about a date/time format issue very quickly. I’ve posted a log snippet below.

Unfortunately, the error log contains neither the actual message content nor the stack trace, so a bit of digging is required.
Please share a sanitized version of a Meraki log message. We need to find out where the offending value is coming from, and why GL expects it to be in date format.
Then you can write a pipeline rule to fix up data, as needed.

This is a raw packet from tcpdump. I’ve sanitized most of it and hopefully left enough to work with. I’m assuming it’s the leading epoch timestamp and what’s after it that’s causing the issue but I’m simply not sure.

Msg: 1 1753808310.845956522 ##### ############ src=############### dst=############### protocol=tcp sport=##### dport=##### pattern: #######

GL4 is ingesting these just fine. I don’t see any Grok patterns or Pipeline rules in place for this data on our GL4 server either. Does GL6 now require custom processing rules in order to ingest this data?

Thank You - I really appreciate the help.

1753808310 is the timestamp in UNIX epoch format. I’m guessing that 845956522 is the device ID.

Clearly we are trying to parse the entire string instead of splitting at the period.

I notice that the error log shows that this is using syslog codec, but on 4.x you were using raw. Please double-check that you are using raw input on 6.x.

Right - that first bit is an epoch timestamp.

I also see what you’re referring to regarding the syslog codec in the log.

I am using the “Raw/Plaintext UDP” input in both 4.x and 6.x, and the settings pages look very much the same between 4.x and 6.x. If there is a setting other than what I see in the “Editing Input ” page, can you point me to it please?

Thanks

I believe I have resolved this issue.

I was using port 514 and forwarding that to port 1514 for Graylog on the old server, but hadn’t duplicated that local firewall configuration properly on the new server. I’m now seeing the Meraki data coming in on the GL 6 server.

Thanks very much for your help! Hopefully I didn’t chew up too much of your time on this.

Best Regards!

Great - thanks for posting the resolution
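
The `codec=` and `remoteAddress=` fields in the DecodingProcessor error quoted in this thread show which kind of input decoded a packet and which device sent it, and that is the detail that pointed at the port-forwarding mismatch. The Python below is an added example, not part of the thread and not Graylog code: it groups such errors by sender and codec. The log text is a constructed sample modelled on the quoted snippet (the second sender address is made up), and the expected codec name `raw` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: first error copied from the thread, second one made up.
SAMPLE_LOG = '''\
2025-07-24T14:00:13.150-05:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=6dac3fe3-68c0-11f0-9a89-506b8d8345aa, messageQueueId=312117532, codec=syslog, payloadSize=164, timestamp=2025-07-24T19:00:13.150Z, seqenceNr=3268755, remoteAddress=/10.21.11.254:40214}
java.lang.IllegalArgumentException: Invalid format: "1753383613.119186567" is malformed at "3.119186567"
2025-07-24T14:00:13.400-05:00 INFO  [SomeComponent] unrelated constructed line
2025-07-24T14:00:14.002-05:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=00000000-0000-0000-0000-000000000000, messageQueueId=312117533, codec=syslog, payloadSize=170, timestamp=2025-07-24T19:00:14.002Z, seqenceNr=3268756, remoteAddress=/192.0.2.10:51000}
java.lang.IllegalArgumentException: Invalid format: "1753808310.845956522" is malformed at "0.845956522"
'''

HEADER = re.compile(r"ERROR \[DecodingProcessor\] Error processing message RawMessage\{([^}]*)\}")
# Accept straight quotes and the curly quotes forum software substitutes for them.
BAD_VALUE = re.compile(r'Invalid format: [“"]([^”"]+)[”"]')

def decoding_errors(log_text):
    """Return one dict per DecodingProcessor error: RawMessage fields, sender IP, rejected value."""
    errors, current = [], None
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if header:
            pairs = (kv.split("=", 1) for kv in header.group(1).split(", ") if "=" in kv)
            current = dict(pairs)
            # remoteAddress looks like "/10.21.11.254:40214": drop the slash and the port.
            current["sender"] = current.get("remoteAddress", "").lstrip("/").rsplit(":", 1)[0]
            current["bad_value"] = None
            errors.append(current)
            continue
        value = BAD_VALUE.search(line)
        if value and current is not None and current["bad_value"] is None:
            current["bad_value"] = value.group(1)  # the string the date parser rejected
    return errors

def senders_off_expected_codec(log_text, expected_codec="raw"):
    """Map sender IP -> codecs that failed on its traffic, ignoring the codec you intended."""
    hits = defaultdict(set)
    for err in decoding_errors(log_text):
        if err.get("codec") != expected_codec:
            hits[err["sender"]].add(err["codec"])
    return dict(hits)

if __name__ == "__main__":
    for sender, codecs in senders_off_expected_codec(SAMPLE_LOG).items():
        print(f"{sender}: decoded by {sorted(codecs)}; check which input and port it reaches")
```

Any sender listed here is reaching an input whose codec differs from the one intended for it, so the next check is the listener port and any local port forwarding on the Graylog host.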
