Some syslog from Meraki is being truncated


Hi all

I'm hoping someone can point me in the right direction please.

For some unknown reason some Meraki logs are losing the first 6-7 fields.

If I take one sample of a conversation, below is what is received by the syslog collector (cat /var/log/syslog) running the OMS agent (Debian 10 - 4.19.0-16-amd64):

May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443
May 25 00:41:47 rtr-1 1621860107.478281214 RTR_1 flows src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443 pattern: Group Policy Allow
May 25 00:41:47 rtr-1 1621860107.478306049 ip_flow_start src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187
May 25 00:49:37 rtr-1 1621860577.007734835 ip_flow_end src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187

However, when I look in the log workspace, the entries that start "<device name> flows" are missing a bunch of data. The syslog message seems to start part way through the MAC address.

[screenshot: Bryan_Tabb_0-1621886513995.png]

Troubleshooting:

* reinstalled OMS agent

* ran the OMS troubleshooter ($ sudo /opt/microsoft/omsagent/bin/troubleshooter), which came back clean

* added max message size to fluentd config

This same syslog collector takes logs from a couple of Sophos XG firewalls and there is no issue there, only Meraki.

Any pointers on where to start would be appreciated.

Thanks!

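As an added illustration (not from the thread, the OMS agent or fluentd), here is one mechanism that produces exactly this symptom: a syslog header regex in the style of fluentd's RFC 3164 parser, whose optional "tag:" group is written as "anything up to a colon". Run over the thread's own lines, it hands on the `flows` record starting inside the MAC address while leaving `ip_flow_start` intact; the second pattern stops the tag at whitespace so the body's colons are left alone. Whether this is the actual cause on the poster's collector is an assumption to check against that agent's parser configuration.

```python
import re

# Constructed samples, copied from the two record types quoted in the thread.
FLOWS_LINE = ("May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow "
              "src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp "
              "sport=61187 dport=443")
FLOW_START_LINE = ("May 25 00:41:47 rtr-1 1621860107.478306049 ip_flow_start "
                   "src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 "
                   "translated_src_ip=<removed> translated_port=61187")

# Shared RFC 3164 head: optional <PRI>, timestamp, host, then an ident made of the
# characters a program name may contain (Meraki's epoch timestamp fits that class).
_HEAD = (r"^(?:<(?P<pri>[0-9]+)>)?(?P<time>[^ ]* {1,2}[^ ]* [^ ]*) (?P<host>[^ ]*) "
         r"(?P<ident>[a-zA-Z0-9_/.\-]*)(?:\[(?P<pid>[0-9]+)\])?")

# Pattern A: the optional "tag:" group is "anything up to a colon".  A Meraki body
# has no tag but does have colons (the MAC), so the group swallows everything up to
# "mac=00:" and the forwarded message begins inside the MAC address.
HEADER_COLON_TAG = re.compile(_HEAD + r"(?:[^:]*:)? *(?P<message>.*)$")

# Pattern B: the tag may not span whitespace, so "program:" and "program[pid]:" still
# parse but a colon inside a key=value body no longer ends the header.
HEADER_SAFE_TAG = re.compile(_HEAD + r"(?:[^ :]*:)? *(?P<message>.*)$")

# A message that opens with "xx:xx..." hex pairs was cut inside mac=...
MAC_FRAGMENT = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){1,5}\b")


def extract_message(line, header=HEADER_COLON_TAG):
    """Return the message a collector using `header` would forward, or None."""
    m = header.match(line)
    return m.group("message") if m else None


def looks_truncated(message):
    """True when the forwarded message no longer starts with device name/event."""
    return message is None or bool(MAC_FRAGMENT.match(message))


def audit(lines, header=HEADER_COLON_TAG):
    """Count lines a given header pattern would forward truncated."""
    return sum(looks_truncated(extract_message(line, header)) for line in lines)


if __name__ == "__main__":
    for name, pat in (("colon-tag", HEADER_COLON_TAG), ("safe-tag", HEADER_SAFE_TAG)):
        print(f"{name}: {extract_message(FLOWS_LINE, pat)!r}")
```

Point `audit` at the lines from `cat /var/log/syslog` to see how many records a given header pattern would mangle before they reach the workspace.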
Are you using the parser?


These queries and workbooks are dependent on a parser based on a Kusto Function to work as expected. Follow the steps to use this Kusto function alias CiscoMeraki in queries and workbooks. Follow these steps to get this Kusto function.

https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoMeraki/CiscoMeraki.txt

@Clive Watson

Hi

I started off trying to use the parser but it wasn't matching as expected, which prompted me to look at the underlying SyslogMessage. This is where I noticed what was appearing was missing some of the preceding data.

Is there a way to debug what the collector (OMS agent) is sending up?

Thanks

B.

Looks like this problem has come up before and there is a bit of a workaround:

https://techcommunity.microsoft.com/t5/azure-sentinel/sentinel-amp-cisco-meraki/m-p/1229983