Forum Discussion
David Caddick
Mar 16, 2020 · Iron Contributor
Sentinel & Cisco Meraki?
Has anyone had any experience with getting Cisco Meraki feeds ingesting into Sentinel? Just checking for any gotchas...
mperrotta
Sep 22, 2020 · Brass Contributor
Hi, after working with the MS support team and their devs, they determined that Meraki logs don't follow the RFC standard for syslog messages. Basically, what is happening is that at the first = in the syslog message, Sentinel drops everything before it and only the remainder of the message gets captured.
The workaround for this was to have rsyslog write the Meraki logs to a file, then we have Sentinel ingest the files into a custom log table. You will want to have log rotation set up to ensure that it does not grow infinitely. Here are the config notes I have. To have Sentinel pull the custom log, that is configured in Log Analytics under Advanced settings.
Let me know if you have any questions.
Configure Log Rotate
Create directory:
sudo mkdir /var/log/meraki
Assign permission on folder:
sudo chown syslog /var/log/meraki
Create log rotation configuration file:
vi /etc/logrotate.d/meraki
/var/log/meraki/meraki {
    # keep three rotated copies, rotating once the file passes 100 MB
    rotate 3
    missingok
    # recreate the file with the owner/permissions rsyslog expects
    create 0640 syslog adm
    notifempty
    compress
    size 100M
    # compress on the next rotation so the newest rotated file stays readable
    delaycompress
    sharedscripts
    postrotate
        # tell rsyslog to reopen its output file after rotation
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
Configure rsyslog to send meraki logs to file:
vi /etc/rsyslog.conf
Add the following line at the bottom
if ($fromhost-ip=='172.16.15.254') then /var/log/meraki/meraki
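The message layout and the first-= truncation described above, as an added example that is not code from the thread: a small Python parser over constructed Meraki-style syslog lines (the device name, priority value and addresses are made up) that keeps the whole record, including the free text after the key=value pairs, so the fields could be mapped into a custom log table rather than relying on the built-in syslog parse.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample lines in the Cisco Meraki syslog style; not real device output.
SAMPLE_LINES = [
    "<134>1 1600000000.123456789 MX84_branch flows src=10.20.0.15 dst=93.184.216.34 "
    "mac=00:11:22:33:44:55 protocol=tcp sport=51234 dport=443 pattern: allow all",
    "<134>1 1600000001.000000000 MX84_branch urls src=10.20.0.15:51235 dst=93.184.216.34:80 "
    "mac=00:11:22:33:44:55 request: GET example.com/index.html?id=1",
    "<134>1 1600000002.500000000 MX84_branch ids-alerts signature=1:2100498:7 priority=2 "
    "timestamp=1600000002.5 direction=ingress protocol=tcp/ip src=198.51.100.7:4444",
]

# Header: optional <PRI>, optional syslog version "1", epoch timestamp, device name, log type, body.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:1 )?(?P<ts>\d+(?:\.\d+)?) (?P<host>\S+) (?P<type>\S+) (?P<body>.*)$"
)

@dataclass
class MerakiEvent:
    priority: Optional[int]
    timestamp: float
    host: str
    log_type: str
    fields: Dict[str, str] = field(default_factory=dict)
    trailer: str = ""  # free text after the key=value pairs, e.g. "pattern: allow all"

def truncated_at_first_equals(line: str) -> str:
    """Reproduce the loss reported in the thread: only the text from the first '=' survives."""
    idx = line.find("=")
    return line if idx < 0 else line[idx:]

def parse_meraki_line(line: str) -> MerakiEvent:
    """Split a Meraki-style line into header, key=value fields and trailing free text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Meraki-style syslog line: {line!r}")
    fields: Dict[str, str] = {}
    trailer: list = []
    for token in m["body"].split(" "):
        # Once free text begins (a token without '='), everything after it is trailer,
        # so an '=' inside a URL query string is not mistaken for a new field.
        if trailer or "=" not in token:
            trailer.append(token)
        else:
            key, value = token.split("=", 1)
            fields[key] = value
    return MerakiEvent(int(m["pri"]) if m["pri"] else None, float(m["ts"]),
                       m["host"], m["type"], fields, " ".join(trailer))
```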
Manresa
Dec 02, 2020 · Copper Contributor
mperrotta, you suggest using log rotation so the file doesn't grow indefinitely, but Log Analytics Custom Log from file doesn't support file rotation. Does your workaround work anyway?
- mperrotta, Dec 03, 2020 · Brass Contributor
Manresa, I am not sure of the risk implication of this requirement. Maybe we end up missing some flow logs when the rotation occurs?
There are no obvious logs missing that we can see. We have been running this solution for several months now without any issues. This is the only way that I am aware of how to capture the full message from Meraki at this time.
Unfortunately, we just consider this the least broken way of doing it.
- Manresa, Dec 02, 2020 · Copper Contributor
mhaasEFD, thanks for the quick response. I understand that, but the Microsoft documentation in "Collect custom logs with Log Analytics agent in Azure Monitor - Azure Monitor | Microsoft Docs" says that:
- The log file must not allow circular logging or log rotation, where the file is overwritten with new entries.
If I understand correctly, this means that the log file in the syslog server can't be rotated, so Azure can accurately take the new entries from where it last read the file.