User Profile
Bryan_Tabb
Copper Contributor
Joined Sep 11, 2019
Recent Discussions
Re: Some syslog from Meraki is being truncated
CliveWatson Hi, I started off trying to use the parser but it wasn't matching as expected, which prompted me to look at the underlying SyslogMessage. This is where I noticed that what was appearing was missing some of the preceding data. Is there a way to debug what the collector (OMS agent) is sending up? Thanks, B.

Some syslog from Meraki is being truncated
Hi all, I'm hoping someone can point me in the right direction please. For some unknown reason some Meraki logs are losing the first 6-7 fields. If I take one sample of a conversation, below is what is received by the syslog collector (cat /var/log/syslog) running the OMS agent (Debian 10 - 4.19.0-16-amd64):

May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443
May 25 00:41:47 rtr-1 1621860107.478281214 RTR_1 flows src=10.32.10.29 dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443 pattern: Group Policy Allow
May 25 00:41:47 rtr-1 1621860107.478306049 ip_flow_start src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187
May 25 00:49:37 rtr-1 1621860577.007734835 ip_flow_end src=10.32.10.29 dst=3.218.X.X protocol=tcp sport=61187 dport=443 translated_src_ip=<removed> translated_port=61187

However, when I look in the log workspace the entries that start "<device name> flows" are missing a bunch of data. The syslog message seems to start part way through the MAC address.

Troubleshooting:
* reinstalled OMS agent
* ran the OMS troubleshooter ($ sudo /opt/microsoft/omsagent/bin/troubleshooter), which came back clean
* added max message size to the fluentd config

This same syslog collector takes logs from a couple of Sophos XG firewalls and there is no issue there, only Meraki. Any pointers on where to start would be appreciated. Thanks!
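A small checker for the symptom described in the post, added here as an example and not code from the poster or from Microsoft: it parses the Meraki message format shown in the samples above (epoch timestamp, optional device name, event type, key=value fields), flags a SyslogMessage value whose head is missing or whose expected fields are absent, and measures how many bytes were cut from the front by comparing the collector's /var/log/syslog line with the workspace copy. The event types and required fields are taken from the four sample lines; the truncated workspace message is constructed to match the "starts part way through the MAC address" description.

```python
import re
from typing import Optional

# Collector side: rsyslog line "<Mon DD HH:MM:SS> <host> <message>"; a complete Meraki
# message then opens with an epoch timestamp (seconds.nanoseconds).
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
EPOCH_RE = re.compile(r"^(?P<epoch>\d{10}\.\d+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# key=value fields each event type carries in the samples from the thread
REQUIRED = {
    "flows": {"src", "dst", "mac", "protocol", "sport", "dport"},
    "ip_flow_start": {"src", "dst", "protocol", "sport", "dport"},
    "ip_flow_end": {"src", "dst", "protocol", "sport", "dport"},
}

def parse_meraki(message: str) -> Optional[dict]:
    """Split a Meraki message into epoch, device, event and fields; None if its head is gone."""
    m = EPOCH_RE.match(message)
    if not m:
        return None
    tokens = m["rest"].split()
    for i, tok in enumerate(tokens):
        if tok in REQUIRED:  # 'flows' lines name the device before the event, ip_flow_* do not
            return {"epoch": m["epoch"], "device": tokens[0] if i else None, "event": tok,
                    "fields": dict(KV_RE.findall(" ".join(tokens[i + 1:])))}
    return {"epoch": m["epoch"], "device": None, "event": None, "fields": {}}

def check_message(message: str) -> dict:
    """Classify a SyslogMessage value as complete or truncated, naming what is missing."""
    rec = parse_meraki(message)
    if rec is None or rec["event"] is None:
        return {"status": "truncated", "reason": "no epoch timestamp or known event at start"}
    missing = sorted(REQUIRED[rec["event"]] - rec["fields"].keys())
    if missing:
        return {"status": "truncated", "reason": "missing " + ",".join(missing)}
    return {"status": "complete", "event": rec["event"], "bytes": len(message.encode())}

def dropped_prefix(collector_line: str, workspace_msg: str) -> Optional[int]:
    """Bytes cut from the front of the message between /var/log/syslog and the workspace."""
    m = SYSLOG_RE.match(collector_line)
    if not m or not m["msg"].endswith(workspace_msg):
        return None  # not the same message, or cut somewhere other than the front
    return len(m["msg"].encode()) - len(workspace_msg.encode())

# Constructed samples: the collector line is from the thread; the workspace copy is made up
# to reproduce the "starts part way through the MAC address" symptom.
COLLECTOR_LINE = ("May 25 00:41:47 wap-3 1621860107.412815461 WAP_3 flows allow src=10.32.10.29 "
                  "dst=3.218.X.X mac=00:21:5C:CA:68:6D protocol=tcp sport=61187 dport=443")
WORKSPACE_MSG = "5C:CA:68:6D protocol=tcp sport=61187 dport=443"
```

Running check_message over every SyslogMessage from the Meraki devices and dropped_prefix against the matching collector lines shows whether the cut happens at a fixed byte offset (pointing at a length or header-parsing setting in the agent) or only for specific event types.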