Not receiving syslog from Cisco Meraki


(Nuwantha D) #1

Hi there…

I’ve configured syslog server in ubuntu 16.04 to receive Cisco meraki syslogs. It getting nothing from Cisco device.
Really i don’t know what to post here to get check. Please let me know what to post here to check what’s wrong with the configuration.

Appreciate your help.

Thank you.


(Jan Doberstein) #2
  • did you have configured the syslog input in Graylog?
  • did you configured your devices to send to this input (Port and protocol)?
  • did you checked if your device is able to reach Graylog (No firewall is blocking anything, routing is possible)
  • did you check your Graylog server.log?

(Nuwantha D) #3

Hi [Jan Doberstein],

Thank you so much for reply. Appreciate.

  • did you have configured the syslog input in Graylog?
    – Yes i have configured graylog input.

  • did you configured your devices to send to this input (Port and protocol)?
    –I have configured Cisco Meraki syslog: Port 1514 and ip 192.168.94.7 (local)

  • did you checked if your device is able to reach Graylog (No firewall is blocking anything, routing is possible)
    –I’ve check with the Visual Syslog server it receiving the Syslogs but Graylog receive nothing. Graylog installed on Ubuntu 16.04 VM. i’ve changed the default port to 1514 also.

  • did you check your Graylog server.log?

    2018-09-06T09:46:40+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now RUNNING
    2018-09-06T09:46:40+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now RUNNING
    2018-09-06T09:46:40+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now STARTING
    2018-09-06T09:46:40+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now STARTING
    2018-09-06T09:46:39+05:30 a3461752 / Evonsyssl Started up.
    2018-09-05T17:50:02+05:30 a3461752 / Evonsyssl SIGNAL received. Shutting down.
    2018-09-05T17:39:03+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now RUNNING
    2018-09-05T17:39:03+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now RUNNING
    2018-09-05T17:39:03+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now STARTING
    2018-09-05T17:39:03+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now STARTING
    2018-09-05T17:39:03+05:30 a3461752 / Evonsyssl Started up.
    2018-09-05T17:32:07+05:30 a3461752 / Evonsyssl Graceful shutdown initiated.
    2018-09-05T17:32:04+05:30 a3461752 / Evonsyssl SIGNAL received. Shutting down.
    2018-09-05T17:23:25+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now RUNNING
    2018-09-05T17:23:25+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now RUNNING
    2018-09-05T17:23:25+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now STARTING
    2018-09-05T17:23:25+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now STARTING
    2018-09-05T17:23:25+05:30 a3461752 / Evonsyssl Started up.
    2018-09-05T17:22:51+05:30 a3461752 / Evonsyssl Graceful shutdown initiated.
    2018-09-05T17:22:48+05:30 a3461752 / Evonsyssl SIGNAL received. Shutting down.
    2018-09-05T17:18:01+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now RUNNING
    2018-09-05T17:18:01+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now RUNNING
    2018-09-05T17:18:01+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now STARTING
    2018-09-05T17:18:01+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now STARTING
    2018-09-05T17:18:01+05:30 a3461752 / Evonsyssl Started up.
    2018-09-05T17:12:50+05:30 a3461752 / Evonsyssl Graceful shutdown initiated.
    2018-09-05T17:12:47+05:30 a3461752 / Evonsyssl SIGNAL received. Shutting down.
    2018-09-05T16:56:45+05:30 a3461752 / Evonsyssl Input [Syslog UDP/5b8e66cb0bf76d04b3ec792a] is now RUNNING
    2018-09-05T16:56:44+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now RUNNING
    2018-09-05T16:56:44+05:30 a3461752 / Evonsyssl Input [Syslog TCP/5b8f89020bf76d04bf7d344f] is now STARTING

Sorry if doing wrong because this is my first time with the Graylog. Help would be really appreciate. IS this configuration issue? I can post important configuration?

Thank you.


(Jan Doberstein) #4

in your Graylog UI on the Input page ( System / Inputs) you see the list of all input. on the right of each input you notice some stats - what did you see?

What you shared as server.log is from the UI, we would need the content of the logfile from your server. The location depends on the installation type: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


(Nuwantha D) #5

Hi [Jan Doberstein],

Thanks for reply. Yeah Inputs status is Running. NO issue. showing as 1Running [Green box]

Server Log Google drive link: http://gdurl.com/4QR0

Thank you so much.


(Jan Doberstein) #6

Did you see any Metrics on the page? Like in the following screenshot:

56


In your Graylog server.log I notice that you might have issues with your Elasticsearch. What Version of Elasticsearch have you running and is it running?

2018-09-04T15:04:56.055+05:30 INFO [IndexRetentionThread] Elasticsearch cluster not available, skipping index retention checks.

If you fix your Elasticsearch and make it available for Graylog (e.g. Graylog can reach it) than everything should run without issues.


(Nuwantha D) #7

Hi there,

Thank you so much for the reply.

Elastic search version is 6.4 i remember i’ve installed ElasticsSearch 6. Is any issue with ElasticSearch 6?

Metrix page showing like this:
gray1
Thank you so much.


(Jan Doberstein) #8

Is any issue with ElasticSearch 6?

Yes - please see the documentation:

http://docs.graylog.org/en/2.4/pages/installation/operating_system_packages.html#prerequisites

5.6.x is the latest supported Version.


(Nuwantha D) #9

Hi there,

Thank you so much for reply. Please tell what should i do? Full re-installation or remove ElasticSearch 6 and install Elastic search 5.x version.
Please can can you tell how can i do that?

Appreciate your help.


(Jan Doberstein) #10

you can just remove ES 6 - remove all files (including /var/lib/elasticsearch) and reinstall 5.6


(Nuwantha D) #11

Hi there…Thanks for the reply.

I have completely reinstalled Graylog and with VM. Now i have running Graylog, Elasticsearch and Mongodb.
But i still got nothing from cisco meraki syslogs.

Now elastic search version is 5.6.11

Document i followed:

https://docs.mongodb.com/manual/tutorial/install-mongodb-on-ubuntu/

http://docs.graylog.org/en/2.4/pages/installation/os/ubuntu.html

Graylog server log - http://gdurl.com/PjRF

Please let me know what is the issue, is there any other necessary configuration apart from that?
Metrix page also up and running.

Thank you so much.


(Jan Doberstein) #12

at least from the logfile your system is up and running. So Graylog isn’t the problem anymore.

You would need to sherlock your way - or better the way of the messages - and see where the messages flow is blocked. Check every system for firewalls, check if the sender can reach the receiver on that specific port.


(Nuwantha D) #13

Hi there,

Appreciate your help you’ve done so far. Thank you.

But i did everything i know i could get only local host (Ubuntu) logs. Got nothing from Cisco Meraki FIrewall. But i checked it receive Syslog to Visual Syslog server windows application.

Really i’m stucked. :no_mouth::no_mouth:

Thank you.


#14

Hi, I also have this issue… I cannot receive the logs from our Meraki’s.
I haven’t spent much time on it as yet, but if i have any break through’s i’ll let you know.


(Nuwantha D) #15

Hi angonroi

Thank you so much, if you found solution please post it here. If i found any solution i’ll post here too.
I’ve open another tread check here:

Thank you so much.:smiley::smiley:


(system) #16

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.