Mar 15 2020 09:00 PM
Has anyone had any experience with getting Cisco Meraki feeds ingesting into Sentinel?
Just checking for any gotchas...
Mar 16 2020 04:41 AM
@David Caddick I had to do it for a customer and it worked just fine using the Syslog server.
Mar 16 2020 05:49 AM
@Gary Bushey Agreed.
The instructions here (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3...) work pretty well. Search that page for 'Meraki'
Mar 16 2020 06:56 PM
Mar 27 2020 06:44 AM
Hi @Gary Bushey
Can you please confirm the Sentinel table in which you are getting Meraki events. Is it a custom log, or does it come under Syslog?
Mar 30 2020 09:51 PM
Hi @mperrotta
Thanks for your reply. I did the same, and the events getting under Syslog are not complete; they are truncating the events (by : in RawData).
Refer below details
Actual logs 1:
Mar 27 14:00:38 1.1.1.1 987654321.123456789 MerakiXXYY urls src=yy.yy.yy.yy:40206 dst=xxx.xxx.x.xx:443 mac=AA:AA:AA:BB:BB:BB request: UNKNOWN https://aaa.vbvbvb.com/...
SyslogMessage 1:
40206 dst=xxx.xxx.x.xx:443 mac=AA:AA:AA:BB:BB:BB request: UNKNOWN https://aaa.vbvbvb.com/...
Actual logs 2:
Mar 27 14:00:56 1.1.1.1 987654321.123456789 MerakiYYXX flows allow src=yy.yy.yy.yy dst=xxx.xxx.x.xx mac=FF:FF:FF:FF:FF:FF protocol=udp sport=60000 dport=1234
SyslogMessage 2:
FF:FF:FF:FF:FF protocol=udp sport=60000 dport=1234
Have you observed the same issue? If not, can you please help with the method you followed.
Thanks in advance
Mar 31 2020 05:30 AM
Sep 18 2020 10:47 AM
@mperrotta we're seeing the same problem, did you ever find a solution for this?
Sep 22 2020 11:29 AM
Hi, after working with the MS support team and their devs, they determined that Meraki logs don't follow the RFC standard for syslog messages. Basically, what is happening is that at the first = in the syslog message, Sentinel is dropping everything before it, and only the remainder of the message gets captured.
The workaround for this was to have rsyslog write the Meraki logs to a file, then have Sentinel ingest the file into a custom log table. You will want to have log rotation set up to ensure that it does not grow infinitely. Here are the config notes I have. To have Sentinel pull the custom log, that is configured in Log Analytics under Advanced settings.
Let me know if you have any questions.
sudo mkdir /var/log/meraki
sudo chown syslog /var/log/meraki
vi /etc/logrotate.d/meraki
/var/log/meraki/meraki {
    rotate 3
    missingok
    create 0640 syslog adm
    notifempty
    compress
    size 100M
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
vi /etc/rsyslog.conf
if ($fromhost-ip=='172.16.15.254') then /var/log/meraki/meraki
Nov 20 2020 04:24 AM
Nov 23 2020 08:09 AM
I've done this Meraki recipe for two customers; it comes in via syslog, syslog puts it into its own file, it's read as a Custom Log by the Log Analytics Agent and is forwarded into Sentinel. Then within Sentinel we have a KQL function to extract the most common stuff. What's frustrating is that Cisco Meraki isn't always the most consistent with the log format.
Here's my GitHub with the extractors, which I have no problem with anyone else using, and if you guys have fixes, I'm happy to incorporate them:
https://github.com/jkatzmandu/sentinel_tricks
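As an added example (not code from the sentinel_tricks repo or from anyone in this thread), here is a Python version of the same extractor idea: it parses the full Meraki lines as rsyslog writes them to the file, and a second helper shows that cutting at the first ':' after the timestamp, the way a tag-style syslog parser does, reproduces exactly the truncated SyslogMessage samples quoted earlier. The sample lines are constructed in the shape of those posts.

```python
import re
from typing import Dict

# Constructed samples, shaped like the two "Actual logs" quoted in this thread.
SAMPLE_URLS = ("Mar 27 14:00:38 1.1.1.1 987654321.123456789 MerakiXXYY urls "
               "src=10.0.0.5:40206 dst=203.0.113.10:443 mac=AA:AA:AA:BB:BB:BB "
               "request: UNKNOWN https://example.test/path")
SAMPLE_FLOWS = ("Mar 27 14:00:56 1.1.1.1 987654321.123456789 MerakiYYXX flows allow "
                "src=10.0.0.5 dst=203.0.113.10 mac=FF:FF:FF:FF:FF:FF protocol=udp "
                "sport=60000 dport=1234")

HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # syslog timestamp added by rsyslog
    r"(?P<relay>\S+) "                             # sending host/IP as rsyslog saw it
    r"(?P<epoch>\d+\.\d+) "                        # Meraki epoch time with fraction
    r"(?P<device>\S+) "                            # Meraki device name
    r"(?P<event>\w+) ?"                            # urls, flows, ...
    r"(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")

def parse_meraki(line: str) -> Dict[str, str]:
    """Split a full Meraki syslog line into header fields and key=value pairs."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a Meraki syslog line")
    out = {k: v for k, v in m.groupdict().items() if k != "rest"}
    rest = m.group("rest")
    # 'urls' lines end in 'request: <method> <url>'; take that off before key=value parsing
    if "request: " in rest:
        rest, req = rest.split("request: ", 1)
        out["method"], _, out["url"] = req.partition(" ")
    # 'flows' lines carry an action word (allow/deny) before the key=value pairs
    first = rest.split(" ", 1)[0] if rest else ""
    if first and "=" not in first:
        out["action"] = first
    out.update(dict(KV.findall(rest)))
    # src/dst may carry a trailing ':port'
    for f in ("src", "dst"):
        if f in out and ":" in out[f]:
            out[f], out[f + "_port"] = out[f].rsplit(":", 1)
    return out

def rfc3164_tag_split(line: str) -> str:
    """Mimic a tag-style syslog parser: text before the first ':' after the
    timestamp is treated as the TAG and only the remainder becomes the message."""
    body = line[16:]  # skip 'Mon DD HH:MM:SS '
    return body.split(":", 1)[1].lstrip() if ":" in body else body
```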
Nov 23 2020 09:30 AM
Dec 02 2020 07:17 AM
@mperrotta, you suggest using log rotation so the file doesn't grow indefinitely, but Log Analytics Custom Log from file doesn't support file rotation. Does your workaround work anyway?
Dec 02 2020 07:22 AM
@Manresa The log rotation is for the sending side, the Linux rsyslog files that are in the middle. Not on the Azure side.
Dec 02 2020 07:46 AM
@mhaasEFD, thanks for the quick response. I understand that, but Microsoft documentation in Collect custom logs with Log Analytics agent in Azure Monitor - Azure Monitor | Microsoft Docs says that:
If I understand correctly, this means that the log file in the syslog server can't be rotated, so Azure can accurately take the new entries from where it last read the file.
Dec 03 2020 08:05 AM
@Manresa I am not sure of the risk implication of this requirement. Maybe we end up missing some flow logs when the rotation occurs?
There are no obvious logs missing that we can see. We have been running this solution for several months now without any issues. This is the only way that I am aware of how to capture the full message from Meraki at this time.
Unfortunately, we just consider this the least broken way of doing it.
Dec 04 2020 04:23 PM
Jan 08 2021 04:30 AM
I use it when we query; so instead of "Cisco_Meraki_CL" as the "table" in my search, it's this function...
Jun 10 2021 02:49 PM
@JKatzmandu good thread, the solution worked well to get the data separated. The only issue here is Sentinel has 0 analytics for Meraki; none of their scheduled/ML/Anomaly analytics will ever query that table, so I am going to work on getting the data into CommonSecurityLog in hopes it might catch something.