Syslog from Meraki generates load and lot of graylog logs


(Hans Mayer) #1

Dear All,

We are using graylog since quite a time very successfully. Currently we are running Version:
2.4.3+2c41897, codename Wildwuchs.

We are using Meraki access points too. Meraki respectively Cisco offers an excellent tool for monitoring, analyzing and statistics. But there is also a possibility to define a syslog server. So my colleague defined a new input for graylog with syslog UDP as done several times before. Meraki cloud is configured sending to this port and IP. Doing so in that moment graylog runs amoc. I have seen up to 2000 graylog entries per minute. Normally I have not a single one from graylog itself over hours. In the systems/input field I see that packets are coming but nothing in the search page. Stopping the input brings the graylog server back to normal behaviour.

I am quite sure this format from Meraki doesn’t fit the standards. But I am wondering why graylog doesn’t simple throw away a malformed packet.
Is there someone out there who configured Meraki and graylog successfully ?
Below some of these endless graylog messages.

Kind regards
Hans

2018-03-30 19:55:39.316	graylog-server
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2018-03-30 19:55:39.315	graylog-server
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
2018-03-30 19:55:39.315	graylog-server
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
2018-03-30 19:55:39.314	graylog-server
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
2018-03-30 19:55:39.313	graylog-server
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) ~[graylog.jar:?]
2018-03-30 19:55:39.312	graylog-server
at org.graylog2.inputs.codecs.SyslogCodec.decode(SyslogCodec.java:96) ~[graylog.jar:?]

(Jochen) #2

Please post the complete logs of your Graylog node.
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


(Hans Mayer) #3

Jochen, thanks for reply.
In the meantime I analysed with “tcpdump” that Meraki is sending the time stamp in epoch time with milli- and microseconds instead of human readable form. This seems to be the issue.
Therefore the question which of the log files you need is maybe obsolete.

// Hans


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.