Syslog from Meraki generates load and lot of graylog logs

mayer · March 30, 2018, 6:46pm

Dear All,

We are using graylog since quite a time very successfully. Currently we are running Version:
2.4.3+2c41897, codename Wildwuchs.

We are using Meraki access points too. Meraki respectively Cisco offers an excellent tool for monitoring, analyzing and statistics. But there is also a possibility to define a syslog server. So my colleague defined a new input for graylog with syslog UDP as done several times before. Meraki cloud is configured sending to this port and IP. Doing so in that moment graylog runs amoc. I have seen up to 2000 graylog entries per minute. Normally I have not a single one from graylog itself over hours. In the systems/input field I see that packets are coming but nothing in the search page. Stopping the input brings the graylog server back to normal behaviour.

I am quite sure this format from Meraki doesn’t fit the standards. But I am wondering why graylog doesn’t simple throw away a malformed packet.
Is there someone out there who configured Meraki and graylog successfully ?
Below some of these endless graylog messages.

Kind regards
Hans

2018-03-30 19:55:39.316	graylog-server
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2018-03-30 19:55:39.315	graylog-server
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
2018-03-30 19:55:39.315	graylog-server
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
2018-03-30 19:55:39.314	graylog-server
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
2018-03-30 19:55:39.313	graylog-server
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) ~[graylog.jar:?]
2018-03-30 19:55:39.312	graylog-server
at org.graylog2.inputs.codecs.SyslogCodec.decode(SyslogCodec.java:96) ~[graylog.jar:?]

jochen · April 4, 2018, 9:15am

Please post the complete logs of your Graylog node.
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

mayer · April 4, 2018, 11:54am

Jochen, thanks for reply.
In the meantime I analysed with “tcpdump” that Meraki is sending the time stamp in epoch time with milli- and microseconds instead of human readable form. This seems to be the issue.
Therefore the question which of the log files you need is maybe obsolete.

// Hans

system · April 18, 2018, 11:56am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cisco Meraki cant sent Syslog to Graylog Open Graylog Central (peer support) cisco	5	988	August 30, 2023
Meraki Syslog UDP with OVA Graylog v3.0.1+de74b68 Graylog Central (peer support)	2	697	April 20, 2019
Cisco Meraki syslog Graylog Central (peer support)	3	1607	May 7, 2019
Unable to see the syslog in graylog 5.1 version Graylog Central (peer support)	8	317	November 7, 2023
Graylog Not Picking syslog from Cisco Meraki Graylog Central (peer support)	15	4548	September 27, 2018

Syslog from Meraki generates load and lot of graylog logs

Related Topics