Forum Discussion
Sentinel & Cisco Meraki?
mperrotta, we're seeing the same problem; did you ever find a solution for this?
- mperrotta, Sep 22, 2020, Copper Contributor
Hi, after working with the MS support team and their devs, they determined that Meraki logs don't follow the RFC standard for syslog messages. Basically, what is happening is that at the first = in the syslog message, Sentinel drops everything before it and only the remainder of the message gets captured.
The workaround for this was to have rsyslog write the Meraki logs to a file and then have Sentinel ingest the files into a custom log table. You will want to have log rotation set up to ensure that it does not grow infinitely. Here are the config notes I have. To have Sentinel pull the custom log, that is configured in Log Analytics under Advanced settings.
Let me know if you have any questions.
Configure logrotate
Create directory:
sudo mkdir /var/log/meraki
Assign permission on folder:
sudo chown syslog /var/log/meraki
Create log rotation configuration file:
vi /etc/logrotate.d/meraki
/var/log/meraki/meraki {
    rotate 3                 # keep three rotated copies
    missingok                # no error if the file is absent
    create 0640 syslog adm   # recreate with the same owner/mode rsyslog writes with
    notifempty
    compress
    size 100M                # rotate once the file reaches 100 MB
    delaycompress            # compress on the next rotation, so rsyslog can finish writing
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate   # tell rsyslog to reopen its output files
    endscript
}
Configure rsyslog to send Meraki logs to the file:
vi /etc/rsyslog.conf
Add the following line at the bottom (172.16.15.254 is the source IP the Meraki logs arrive from; change it to match your environment):
# route everything received from the Meraki source IP to the dedicated file
if ($fromhost-ip=='172.16.15.254') then /var/log/meraki/meraki
- mhaasEFD, Nov 20, 2020, Copper Contributor
Going to give this a try. I have used Meraki equipment for a long time but have to say the number of times I find their implementation doesn't use standards is frustrating. Their syslog is not compliant, their client VPN implementation is odd, etc.
- JKatzmandu, Nov 23, 2020, Copper Contributor
I've done this Meraki recipe for two customers; it comes in via syslog, syslog puts it into its own file, it's read as a Custom Log by the Log Analytics Agent and is forwarded into Sentinel. Then within Sentinel we have a KQL function to extract the most common stuff. What's frustrating is that Cisco Meraki isn't always the most consistent with the log format.
Here's my GitHub with the extractors, which I have no problem with anyone else using, and if you guys have fixes, I'm happy to incorporate them:
https://github.com/jkatzmandu/sentinel_tricks
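As an added example that is not code from this thread or from the linked repository, the parser below shows the two points raised above: what a parser that splits at the first = throws away, and a field extractor of the kind JKatzmandu describes for the file-ingested log. It assumes Meraki lines have the shape "<epoch> <device> <event_type> key=value ..." (the posts do not spell the format out); the sample lines are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (assumed Meraki shape, not taken from the thread).
SAMPLE_LINES = [
    "1600000000.123456789 MX_OFFICE flows src=10.0.0.5 dst=203.0.113.9 "
    "protocol=tcp sport=51234 dport=443 pattern: allow all",
    "1600000001.000000000 MX_OFFICE urls src=10.0.0.7:50321 dst=203.0.113.10:80 "
    "mac=AA:BB:CC:DD:EE:FF request: GET http://example.test/",
    "1600000002.500000000 MR_LOBBY events type=association radio='1' vap='0' "
    "client_mac='AA:BB:CC:DD:EE:01' channel='36' rssi='40'",
]

# Header: epoch timestamp, device name, event type, then the rest of the line.
HEADER_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
# key=value pairs; values may be single-quoted (as in the wireless events above).
KV_RE = re.compile(r"(?P<key>[A-Za-z_]\w*)=(?P<val>'[^']*'|\S+)")


def lost_prefix(line: str) -> str:
    """Everything before the first '=': the part the thread says is dropped."""
    head, sep, _ = line.partition("=")
    return head if sep else ""


def parse_meraki(line: str) -> Optional[Dict[str, object]]:
    """Extract header fields and key=value pairs; None if the line is not Meraki-shaped."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {kv.group("key"): kv.group("val").strip("'")
              for kv in KV_RE.finditer(m.group("rest"))}
    # Whatever is not key=value (e.g. "pattern: allow all") is kept as free text.
    extra = re.sub(r"\s{2,}", " ", KV_RE.sub("", m.group("rest"))).strip()
    return {"timestamp": m.group("ts"), "device": m.group("device"),
            "event_type": m.group("event"), "fields": fields, "extra": extra}


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print("dropped by first-'=' split:", lost_prefix(raw))
        print("parsed:", parse_meraki(raw))
```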