Forum Discussion

JKatzmandu
Brass Contributor
Sep 24, 2020

Field Extraction for Cisco Meraki

Hi everyone!


I was having some issues with integrating Cisco Meraki for a customer. I did some google-fu and found an answer here. I now have an rsyslogd setup going to a unique meraki.log and that going into a custom table. We have about 3 other firewall types going into the "syslog" table, so I figured this may help keep things organised, anyway.


Using the SophosXGFirewall function as a template I started to make a new Function Table for Cisco Meraki. It's working for 99% of the things, except for some fields which are encased in single ticks (apostrophe, ') -- these are all for the Wireless Access Point logs.


// EXAMPLE LOGS
// Sep 24 09:21:00 172.16.X.Y  1600935669.652242117 Firewall02 flows allow src=172.16.A.B dst=34.Q.R.S mac=XX:XX:XX:XX:XX:YY protocol=tcp sport=58553 dport=8383
// Sep 24 08:59:53 172.16.X.Y  1600934403.287827233 Firewall01 urls src=172.16.A.B:54234 dst=34.Q.R.S:8383 mac=XX:XX:XX:XX:XX:EE request: UNKNOWN https://WEBSITE-A
// Sep 24 09:00:18 172.16.Z.Y  1600934428.299732488 Firewall02 events type=wpa_auth radio='1' vap='4' client_mac='YY:YY:YY:YY:YY:AA' client_ip='172.16.P.P' aid='1016793020'
// Sep 24 09:44:08 172.16.X.Y  1600937057.757341105 Firewall02 urls src=172.16.Z.Y:54405 dst=34.Q.R.S:80 mac=AA:AA:AA:AA:AA:CC agent='SXL/3.1' request: GET http://WEBSITE-B
Meraki_CL
| extend Meraki_IP = extract(@'\S+\s+\d+\s+\S+\s+(\S+)', 1, RawData),
Device_Name = extract(@'\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)', 1, RawData),
Log_Type = extract(@'\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)', 1, RawData),
Action = extract(@'\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+flows\s+(\S+)', 1, RawData),
Src_IP = extract(@'src=\"?([\w\.]+)\"?', 1, RawData),
Client_IP = extract(@'client_ip=([\w\.]+)', 1, RawData),
Client_MAC = extract(@'client_mac=([\w\:]+)', 1, RawData),
Src_MAC = extract(@'mac=\"?([\w\:]+)\"?', 1, RawData),
Dst_IP = extract(@'dst=\"?([\w\.]+)\"?', 1, RawData),
Protocol = extract(@'protocol=\"?(\w+)\"?', 1, RawData),
Src_Port = extract(@'sport=\"?(\d+)\"?', 1, RawData),
Dst_Port = extract(@'dport=\"?(\d+)\"?', 1, RawData),
Event_Type = extract(@'type=\"?(\S+)\"?', 1, RawData),
User_Agent = extract(@'agent=(.*[^request])request', 1, RawData),
URL = extract(@'request: \S+\s+(.*)',1, RawData)


OK, simple enough. The problem is the regex and something with the extract() function. Some of the items are encased in "\'" and not "\""  -- when I change the regex for Client_IP and Client_MAC to extract(@'client_mac=\'([w\:])\'', 1, RawData) it breaks completely. Is this a bug of some sort or is there some syntactical wizardry I'm missing?


Thanks!

  • JKatzmandu
    Brass Contributor

    So I did a quick fix to the regex to work around this, but I'm still worried that in the future I may need to anchor something off a single apostrophe, and I won't be able to:

    Client_IP = extract(@'client_ip=\S([\w\.]+)\S', 1, RawData),
    Client_MAC = extract(@'client_mac=\S([\w\:]+)\S', 1, RawData),
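An added example (not code from the thread or from Microsoft) that prototypes the same extraction in Python so the mixed quoting can be tested offline before porting it to KQL: one key=value pattern covers bare values and values wrapped in apostrophes or double quotes, and the header fields are pulled positionally as the thread's query does. The sample lines are constructed, with made-up addresses.

```python
import re

# Constructed sample lines modelled on the redacted Meraki syslog lines in the thread (addresses are made up).
SAMPLE_LOGS = [
    "Sep 24 09:21:00 172.16.1.2  1600935669.652242117 Firewall02 flows allow src=172.16.5.6 dst=34.7.8.9 mac=AA:BB:CC:DD:EE:01 protocol=tcp sport=58553 dport=8383",
    "Sep 24 09:00:18 172.16.3.2  1600934428.299732488 Firewall02 events type=wpa_auth radio='1' vap='4' client_mac='AA:BB:CC:DD:EE:02' client_ip='172.16.9.9' aid='1016793020'",
    "Sep 24 09:44:08 172.16.1.2  1600937057.757341105 Firewall02 urls src=172.16.3.2:54405 dst=34.7.8.9:80 mac=AA:BB:CC:DD:EE:03 agent='SXL/3.1' request: GET http://example.invalid/path",
]

# Positional header: the same token layout the thread's KQL walks with repeated \S+\s+ groups.
HEADER_RE = re.compile(
    r"^(?P<month>\S+)\s+(?P<day>\d+)\s+(?P<time>\S+)\s+(?P<meraki_ip>\S+)\s+"
    r"(?P<epoch>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<log_type>\S+)\s*(?P<rest>.*)$"
)

# One key=value pattern for unquoted, single-quoted and double-quoted values: the
# opening quote (if any) is captured in 'q' and back-referenced, so the closing
# quote must be the same character, and a bare value ends at the next space.
KV_RE = re.compile(r"(?P<key>\w+)=(?P<q>['\"]?)(?P<val>.*?)(?P=q)(?=\s|$)")

def parse_meraki_line(line):
    """Return a dict of fields for one Meraki syslog line, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "rest"}
    rest = m.group("rest")
    # 'request: <METHOD> <URL>' is not key=value; lift it out before scanning.
    req = re.search(r"request:\s+(\S+)\s+(\S+)", rest)
    if req:
        rec["method"], rec["url"] = req.group(1), req.group(2)
        rest = rest[:req.start()]
    # For 'flows' the first token after the log type is the action (allow/deny).
    if rec["log_type"] == "flows":
        rec["action"], _, rest = rest.partition(" ")
    for kv in KV_RE.finditer(rest):
        key, val = kv.group("key"), kv.group("val")
        # 'urls' lines carry src/dst as ip:port; split them like the thread's Src_IP/Src_Port.
        if key in ("src", "dst") and ":" in val:
            val, _, rec[key + "_port"] = val.rpartition(":")
        rec[key] = val
    return rec

def parse_all(lines):
    """Parse every line, dropping those whose header does not match."""
    return [r for r in (parse_meraki_line(l) for l in lines) if r is not None]
```

In KQL itself an apostrophe inside a single-quoted verbatim string is written as two apostrophes, or the pattern can be put in the double-quoted verbatim form, e.g. extract(@"client_mac='([\w:]+)'", 1, RawData), where a single quote needs no escaping.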
    • Bob_Toler
      Copper Contributor

      I just reviewed this and have a need to review how to get Cisco Meraki implemented into Azure Sentinel. I do not have any logs from a Meraki device to run this against but wanted to confirm whether you got this working as a saved function for parsing?

      In my research, there are others who said using SYSLOG-NG over RSYSLOG was a better option, and I wasn't sure if you have anything to mention about that?

      Thank you

      • JKatzmandu
        Brass Contributor
        I have no preference between rsyslog and syslog-ng. All the customers I've worked with recently have had Linux distributions where rsyslog was the default, so we went along with that.

        As far as a saved function goes, this is what I used for 2 or 3 different customers after writing it for the first customer. Note that since I originally did this work there seems to be more work completed by the MSFT team for Meraki (at least in terms of workbooks). There may be work on this which is more recent.