May 24 2021 01:05 PM - edited May 24 2021 01:06 PM
Hi all
I'm hoping someone can point me in the right direction please.
For some unknown reason some Meraki logs are losing the first 6-7 fields.
If I take one sample of a conversation, below is what is received by the syslog collector (cat /var/log/syslog) running the OMS agent (Debian 10 - 4.19.0-16-amd64):
May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443
May 25 00:41:47 rtr-1 1621860107.478281214 RTR_1 flows src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443 pattern: Group Policy Allow
May 25 00:41:47 rtr-1 1621860107.478306049 ip_flow_start src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187
May 25 00:49:37 rtr-1 1621860577.007734835 ip_flow_end src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187
However, when I look in the log workspace, the entries that start "<device name> flows" are missing a bunch of data. The syslog message seems to start part way through the MAC address.
Troubleshooting:
* reinstalled OMS agent
* run the OMS troubleshooter ($ sudo /opt/microsoft/omsagent/bin/troubleshooter) which came back clean
* added max message size to fluentd config
This same syslog collector takes logs from a couple of Sophos XG firewalls and there is no issue there, only Meraki.
Any pointers on where to start would be appreciated.
Thanks!
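As an added example (not code from the post, from Meraki or from the OMS agent), a small Python checker for the lines quoted above: it parses the syslog header and the key=value fields of each Meraki event and reports which expected fields a message lacks, so truncated entries can be counted at the collector (against /var/log/syslog) before comparing with what reaches the workspace. The REQUIRED field sets and the last, deliberately truncated sample line are assumptions constructed for this example.

```python
import re

# Lines quoted in the post plus one constructed line (the last) cut part way through
# the MAC address, reproducing the truncation seen in the workspace.
SAMPLE_LINES = [
    "May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443",
    "May 25 00:41:47 rtr-1 1621860107.478281214 RTR_1 flows src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443 pattern: Group Policy Allow",
    "May 25 00:41:47 rtr-1 1621860107.478306049 ip_flow_start src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187",
    "CA:68:6D protocol=tcp sport=61187 dport=443 pattern: Group Policy Allow",
]
# Fields each event type is expected to carry (assumption drawn from the quoted lines).
REQUIRED = {
    "flows": ("src", "dst", "mac", "protocol", "sport", "dport"),
    "ip_flow_start": ("src", "dst", "protocol", "sport", "dport"),
    "ip_flow_end": ("src", "dst", "protocol", "sport", "dport"),
}
# "<Mon> <day> <HH:MM:SS> <host> <epoch.nanos> <rest>" as the collector writes it.
HEADER = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<ts>\d+\.\d+) (?P<body>.*)$")

def parse_meraki(line: str) -> dict:
    # Split a collector line into header fields, event type and key=value pairs.
    rec, m = {}, HEADER.match(line)
    body = m.group("body") if m else line
    if m:
        rec.update(m.groupdict())
    rec["has_header"] = bool(m)
    # Event type is the first known token before any key=value pair, e.g.
    # "WAP_3 flows allow src=..." -> flows, "ip_flow_start src=..." -> ip_flow_start.
    rec["event"] = "unknown"
    for tok in body.split():
        if "=" in tok:
            break
        if tok in REQUIRED:
            rec["event"] = tok
            break
    rec.update(re.findall(r"(\w+)=(\S+)", body))
    p = re.search(r"pattern: (.*)$", body)
    if p:
        rec["pattern"] = p.group(1)
    return rec

def check(line: str) -> tuple:
    # Return (complete, missing): what a truncated message lacks, in order.
    rec, missing = parse_meraki(line), []
    if not rec["has_header"]:
        missing.append("syslog_header")
    if rec["event"] == "unknown":
        missing.append("event_type")
    # With the event type gone, fall back to the flows field set (heuristic).
    for field in REQUIRED.get(rec["event"], REQUIRED["flows"]):
        if field not in rec:
            missing.append(field)
    return not missing, missing
```

Running check() over a tail of /var/log/syslog and over an export of the ingested SyslogMessage values shows whether the fields are already absent at the collector or are lost on the way to the workspace.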
May 25 2021 05:07 AM
May 25 2021 01:04 PM
Hi
I started off trying to use the parser but it wasn't matching as expected, which prompted me to look at the underlying SyslogMessage. This is where I noticed that what was appearing was missing some of the preceding data.
Is there a way to debug what the collector (OMS agent) is sending up?
Thanks
B.
May 26 2021 02:16 PM