Sep 24 2020
- last edited on
Dec 23 2021
I was having some issues with integrating Cisco Meraki for a customer. I did some google-fu and found an answer here. I now have an rsyslogd setup going to a unique meraki.log and that going into a custom table. We have about 3 other firewall types going into the "syslog" table, so I figured this may help keep things organised, anyway.
Using the SophosXGFirewall function as a template, I started to make a new Function Table for Cisco Meraki. It's working for 99% of the things, except for some fields which are encased in single-ticks (apostrophe, ') -- these are all for the Wireless Access Point logs.
// EXAMPLE LOGS //

Sep 24 09:21:00 172.16.X.Y 1600935669.652242117 Firewall02 flows allow src=172.16.A.B dst=34.Q.R.S mac=XX:XX:XX:XX:XX:YY protocol=tcp sport=58553 dport=8383

Sep 24 08:59:53 172.16.X.Y 1600934403.287827233 Firewall01 urls src=172.16.A.B:54234 dst=34.Q.R.S:8383 mac=XX:XX:XX:XX:XX:EE request: UNKNOWN https://WEBSITE-A

Sep 24 09:00:18 172.16.Z.Y 1600934428.299732488 Firewall02 events type=wpa_auth radio='1' vap='4' client_mac='YY:YY:YY:YY:YY:AA' client_ip='172.16.P.P' aid='1016793020'

Sep 24 09:44:08 172.16.X.Y 1600937057.757341105 Firewall02 urls src=172.16.Z.Y:54405 dst=34.Q.R.S:80 mac=AA:AA:AA:AA:AA:CC agent='SXL/3.1' request: GET http://WEBSITE-B

// FUNCTION //

Meraki_CL
| extend
    Meraki_IP = extract(@'\S+\s+\d+\s+\S+\s+(\S+)', 1, RawData),
    Device_Name = extract(@'\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)', 1, RawData),
    Log_Type = extract(@'\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)', 1, RawData),
    Action = extract(@'\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+flows\s+(\S+)', 1, RawData),
    Src_IP = extract(@'src=\"?([\w\.]+)\"?', 1, RawData),
    Client_IP = extract(@'client_ip=([\w\.]+)', 1, RawData),
    Client_MAC = extract(@'client_mac=([\w\:]+)', 1, RawData),
    Src_MAC = extract(@'mac=\"?([\w\:]+)\"?', 1, RawData),
    Dst_IP = extract(@'dst=\"?([\w\.]+)\"?', 1, RawData),
    Protocol = extract(@'protocol=\"?(\w+)\"?', 1, RawData),
    Src_Port = extract(@'sport=\"?(\d+)\"?', 1, RawData),
    Dst_Port = extract(@'dport=\"?(\d+)\"?', 1, RawData),
    Event_Type = extract(@'type=\"?(\S+)\"?', 1, RawData),
    User_Agent = extract(@'agent=(.*[^request])request', 1, RawData),
    URL = extract(@'request: \S+\s+(.*)', 1, RawData)
OK, simple enough. The problem is the regex and something with the extract() function. Some of the items are encased in "\'" and not "\"" -- when I change the regex for Client_IP and Client_MAC to extract(@'client_mac=\'([w\:])\'', 1, RawData) it breaks completely. Is this a bug of some sort or is there some syntactical wizardry I'm missing?
Sep 25 2020 07:58 AM
So I did a quick fix to the regex to work around this, but I'm still worried that in the future I may need to anchor something off a single apostrophe, and I won't be able to:
Client_IP = extract(@'client_ip=\S([\w\.]+)\S', 1, RawData),
Client_MAC = extract(@'client_mac=\S([\w\:]+)\S', 1, RawData),
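The root cause of the breakage, shown as an added example that is not part of any post in this thread: in a KQL verbatim string literal written as @'...', the backslash is not an escape character, so the \' in client_mac=\'(...)\' simply ends the string literal early and the rest of the query no longer parses. A verbatim literal can instead be written with double quotes, @"...", in which a single quote needs no escaping at all. The block below assumes the same Meraki_CL table and RawData column as the original function, and uses a constructed datatable of the two single-quoted sample lines from the post so it can be run in any Log Analytics workspace without the custom table.

```kusto
// Added example (not code from the thread). Assumptions: table Meraki_CL with a
// string column RawData, as in the original post. The datatable below is a
// constructed stand-in for Meraki_CL built from the sample lines above.
let MerakiSample = datatable(RawData:string) [
  "Sep 24 09:00:18 172.16.Z.Y 1600934428.299732488 Firewall02 events type=wpa_auth radio='1' vap='4' client_mac='YY:YY:YY:YY:YY:AA' client_ip='172.16.P.P' aid='1016793020'",
  "Sep 24 09:44:08 172.16.X.Y 1600937057.757341105 Firewall02 urls src=172.16.Z.Y:54405 dst=34.Q.R.S:80 mac=AA:AA:AA:AA:AA:CC agent='SXL/3.1' request: GET http://WEBSITE-B"
];
MerakiSample
// To run against the real table, replace the line above with: Meraki_CL
| extend
    // Same positional fields as the original function; @"..." is still verbatim,
    // so \S and \s reach the regex engine unchanged.
    Log_Type   = extract(@"^\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)", 1, RawData),
    Event_Type = extract(@"type=(\S+)", 1, RawData),
    // Fields wrapped in single quotes: anchor on the quote itself rather than on \S,
    // which also matches any other non-space character and can silently mis-capture.
    Radio      = extract(@"radio='(\d+)'", 1, RawData),
    VAP        = extract(@"vap='(\d+)'", 1, RawData),
    Client_MAC = extract(@"client_mac='([\w:]+)'", 1, RawData),
    Client_IP  = extract(@"client_ip='([\w\.]+)'", 1, RawData),
    // agent='...' in the urls line: capture everything up to the closing quote.
    User_Agent = extract(@"agent='([^']*)'", 1, RawData),
    URL        = extract(@"request: \S+\s+(.*)", 1, RawData)
| project RawData, Log_Type, Event_Type, Radio, VAP, Client_MAC, Client_IP, User_Agent, URL
```

If you prefer to keep the @'...' form for consistency with the rest of the function, the Kusto string-literal rules let you represent a single quote inside it by doubling it, for example extract(@'client_mac=''([\w:]+)''', 1, RawData); the @"..." form is simply easier to read when the pattern is full of single quotes. Saving the query as a function in Sentinel works the same way as with the original: replace the datatable with Meraki_CL and save it under the function name you want to call from analytics rules.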
Apr 26 2021 01:23 PM - edited Apr 26 2021 01:44 PM
I just reviewed this and have a need to review how to get Cisco Meraki implemented into Azure Sentinel. I do not have any logs from a Meraki device to run this against, but wanted to confirm if you got this working as a saved function for parsing?
In my research, there are others that said using SYSLOG-NG over RSYSLOG was a better option, and I wasn't sure if you have anything to mention about that?
Apr 27 2021 02:04 AM
Apr 27 2021 05:05 AM - edited Apr 27 2021 05:24 AM
I did not think so with rsyslog or syslog-ng and thank you for the update. From what I was able to see today, here are the options that are available when looking into logs:
CiscoMeraki -- does not display any logs