I’ve setup a syslog UDP input on port 5114(not 514).
I’ve porting my Meraki MX at the server.
I can see the messages go up in the top right corner.
But nothing every appears in the search.
I can’t see anything being picked up in the default indice.
What am I doing wrong?
I tested the virtual box OVA earlier today and that worked fine.
I have setup my own ubuntu server on hyperv and installed graylog following the installation instructions, but can’t seem to get this final piece of puzzle.
did you check if you can see any messages when you search not only the last 5 minutes? (choose all in the drop down) maybe you ingest messages and Graylog is configured to be UTC, but the messages are from central time.
I created one input - SyslogUDP on port 5114
I can see messages/traffic hit the server. But nothing in search.
I eventually managed to get to the Graylog server log.
Saw this error > 2017-03-22T22:28:32.546Z ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=e1a23820-0f4e-11e7-ab24-00155d007505, journalOffset=86612, codec=syslog, payloadSize=142, timestamp=2017-03-22T22:28:32.546Z, remoteAddress=/10.x.x.x:45715} on input <58d2f49a70458204bb40ef3f>.
Now this is strange because when I used the OVA image with virtual box, Graylog handled the syslog messages fine, Without issue.
But when I setup my own server, it’s not processing the messages properly and giving the error above.
So to confuse matters more, I just setup the OVA again on virtual box and sent the syslog from the Meraki MX100 to the new Virtual box machine. It works fine.
Virtubox OVA running - Graylog v2.1.3+040d371
My hyperV setup running Graylog v2.2.2+691b4b7
Anything I’m missing? My elasticsearch works fine, as I can receive the messages in as raw, but get the above decoding process error if I set it to syslog.
I was using the older ova as it was the one for download when I started testing.
Am I right in assuming there is no fix for this issue? based on the other topic you linked to.
Seems I’m not the only one with the issue and something has been broken with the new version.
to be honest - the parser just is a little more strict following the RFC - so to count this as a bug depends on your point of view.
In the upcoming versions some adjustments had been made. But you are every time able to just create a “raw/Plaintext” Input and do the parsing with Extractors and/or Pipelines.
You are probably right, depends on how you look at it.
It seems to be affecting a number of Cisco/networking devices based on the other post that’s been link.
Seems a number of networking devices seem to be sending messages in the same way.
Hard to believe they are all sending syslog data in an incorrect format or are they complying with an older version of the standard?
Is there anyway to narrow down what the parser doesn’t like in regards to the syslog message coming from my Cisco Meraki device? From what I gathered it could just be an incorrect date format from an older standard?
I’d like to narrow this down to an actual issue or reason, maybe that way I could report it to meraki and see if they can do anything with it.
