cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Some syslog from Meraki is being truncated

Bryan_Tabb
Copper Contributor

‎May 24 2021 01:05 PM - edited ‎May 24 2021 01:06 PM

‎May 24 2021 01:05 PM - edited ‎May 24 2021 01:06 PM

Some syslog from Meraki is being truncated

Hi all

 

I'm hoping someone can point me in the right direction please.

 

For some unknown reason some meraki logs are loosing the first 6-7 fields.

 

If I take one sample of a conversation below is what is received by the syslog collector (cat /var/log/syslog) running the OMS agent (Debian 10 - 4.19.0-16-amd64)

 

May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443
May 25 00:41:47 rtr-1 1621860107.478281214 RTR_1 flows src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443 pattern: Group Policy Allow
May 25 00:41:47 rtr-1 1621860107.478306049 ip_flow_start src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187
May 25 00:49:37 rtr-1 1621860577.007734835 ip_flow_end src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187

 

However when I look in the log work space the entries that start "<device name> flows" are missing a bunch of data.  The syslog message seems to start part way through the MAC address

 

Bryan_Tabb_0-1621886513995.png

 

Troubleshooting:

* reinstalled OMS agent

* run the OMS troubleshooter ($ sudo /opt/microsoft/omsagent/bin/troubleshooter) which came back clean

* added max message size to fluentd config

 

This same syslog collector takes logs from a couple Sophos XG firewalls and there is no issue there, only meraki.

 

Any pointers on where to start would be appreciated.

 

Thanks!

 

2,471 Views
0 Likes
3 Replies
Reply
3 Replies
CliveWatson

‎May 25 2021 05:07 AM

‎May 25 2021 05:07 AM

Re: Some syslog from Meraki is being truncated

Are you using the parser?


These queries and workbooks are dependent on a parser based on a Kusto Function to work as expected. Follow the steps to use this Kusto functions alias CiscoMeraki in queries and workbooks. Follow these steps to get this Kusto functions.

https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoMeraki/CiscoMeraki.txt
0 Likes
Reply
Bryan_Tabb

‎May 25 2021 01:04 PM

‎May 25 2021 01:04 PM

Re: Some syslog from Meraki is being truncated

@CliveWatson 

 

Hi

 

I started of trying to use the parser but it wasn't matching as expected which prompted me to look at the underlying SyslogMessage.  This is where I noticed what was appearing was missing some of the proceeding data.

 

Is there a way to debug what the collector (oms agent) is sending up ?

 

thanks

 

B.

0 Likes
Reply
Bryan_Tabb

‎May 26 2021 02:16 PM

‎May 26 2021 02:16 PM

Re: Some syslog from Meraki is being truncated

Looks like this problem has come up before and there is a bit of a work around

https://techcommunity.microsoft.com/t5/azure-sentinel/sentinel-amp-cisco-meraki/m-p/1229983

1 Like
Reply