Forum Discussion
Field Extraction for Cisco Meraki
So I did a quick fix to the regex to work around this, but I'm still worried that in the future I may need to anchor something off a single apostrophe, and I won't be able to:
Client_IP = extract(@'client_ip=\S([\w\.]+)\S', 1, RawData),
Client_MAC = extract(@'client_mac=\S([\w\:]+)\S', 1, RawData),

I just reviewed this and have a need to review how to get Cisco Meraki implemented into Azure Sentinel. I do not have any logs from a Meraki device to run this against, but wanted to confirm whether you got this working as a saved function for parsing?
In my research, there are others that said using SYSLOG-NG over RSYSLOG was a better option and wasn't sure if you have anything to mention about that?
Thank you
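The apostrophe anchoring the first post wanted, as an added example that is none of the participants' code: in KQL a literal apostrophe inside an @'...' verbatim string is written as two apostrophes, and an @"..." verbatim string can hold single quotes unescaped. The sample line is constructed in the style of a Meraki events message, not a real capture.

```kusto
// Constructed sample in the style of a Meraki 'events' syslog line (not a real capture).
let Sample = datatable(RawData:string)[
    "1619544000.123456 MX84 events type=association client_mac='AA:BB:CC:DD:EE:FF' client_ip='10.1.2.3'"
];
Sample
| extend
    // Inside @'...' a literal apostrophe is doubled: '' before and after the capture group.
    Client_IP  = extract(@'client_ip=''([\d\.]+)''', 1, RawData),
    // Inside @"..." single quotes need no escaping at all.
    Client_MAC = extract(@"client_mac='([0-9A-Fa-f:]+)'", 1, RawData)
| project Client_IP, Client_MAC
```

Anchoring on the quotes rather than \S also stops the capture from swallowing a neighbouring field when a value happens to be followed by a non-space character.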
- JKatzmandu, Apr 27, 2021, Brass Contributor
I have no preference between rsyslog vs syslog-ng. All the customers I've worked with recently have had Linux distributions where rsyslog was the default, so we went along with that.
As far as a saved function goes, this is what I used for 2 or 3 different customers after writing it for the first customer. Note that since I originally did this work there seems to be more work completed by the MSFT team for Meraki (at least in terms of workbooks). There may be work on this which is more recent.

- Bob_Toler, Apr 27, 2021, Copper Contributor
I did not think so with rsyslog or syslog-ng and thank you for the update. From what I was able to see today, here are the options that are available when looking into logs:
CiscoMeraki -- does not display any logs
CiscoMerakiFIW -- does display logs
So it would appear you are correct that the MSFT team has made some changes with regard to this data connector, which is still in preview. When I tried your query above, it did not accept RawData. I do appreciate that you found a way to do this before the changes did get made.
Thank you