fix: fix Cisco Meraki filters #2369

Merged
merged 9 commits into from May 13, 2024
111 changes: 71 additions & 40 deletions docs/sources/vendor/Cisco/cisco_meraki.md
@@ -1,65 +1,96 @@
## Meraki (MR, MS, MX)

## Key facts
* In most cases, Cisco Meraki logs are general and require vendor product by source configuration.
* For distinctive log messages, filters are based on the appliance name and program value.
* Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message.
* Because of the above you should either configure known Cisco Meraki hosts in SC4S, or open unique ports for Cisco Meraki devices.
* [Splunk Add-on for Cisco Meraki 2.1.0](https://splunkbase.splunk.com/app/5580) doesn't support syslog. Use [TA-meraki](https://splunkbase.splunk.com/app/3018) instead. `TA-meraki 1.1.5` requires sourcetype `meraki`.

## Distinctive log messages
See samples in the [vendor documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples).

The two conjuncted conditions are required:

1. Program: `(events|urls|firewall|cellular_firewall|vpn_firewall|ids-alerts|flows)`

2. Appliance name:

| Sourcetype | Distinct element |
| --------- | -------------- |
| meraki:accesspoints | `host('MR' type(string) flags(ignore-case,prefix))` |
| meraki:securityappliances | `host('MX' type(string) flags(ignore-case,prefix))` |
| meraki:switches | `host('MS' type(string) flags(ignore-case,prefix))` |


## Links

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | <https://splunkbase.splunk.com/app/5580> |
| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> <https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples> |
| Splunk Add-on | <https://splunkbase.splunk.com/app/3018> |
Contributor comment:

@mstopa-splunk @rjha-splunk it's not a Splunk-supported add-on, not sure that we need to do it in general

| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> |

## Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| meraki:accesspoints | MR |
| meraki:securityappliances | MX |
| meraki:switches | MS |
| meraki | vendor product by source configuration |
| meraki:accesspoints | Not compliant with the Splunk Add-on |
| meraki:securityappliances | Not compliant with the Splunk Add-on |
| meraki:switches | Not compliant with the Splunk Add-on |
| meraki | For all Meraki devices. Compliant with the Splunk Add-on |

## Sourcetype and Index Configuration
## Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| cisco_meraki_accesspoints | meraki:accesspoints | netfw | Filtered on the message format |
| cisco_meraki_securityappliances | meraki:securityappliances | netfw | Filtered on the message format |
| cisco_meraki_switches | meraki:switches | netfw | Filtered on the message format |
| cisco_meraki | meraki | netfw | Filtered on vendor product by source configuration |
| meraki_accesspoints | meraki:accesspoints | netfw | |
| meraki_securityappliances | meraki:securityappliances | netfw | |
| meraki_switches | meraki:switches | netfw | |
| cisco_meraki | meraki | netfw | |

## Parser Configuration

## Parser Configuration
1. Either by defining Cisco Meraki hosts:
```c
#/opt/sc4s/local/config/app-parsers/app-vps-cisco_meraki.conf
#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf
#File name provided is a suggestion it must be globally unique

application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^testcm-")
block parser app-vps-test-cisco_meraki() {
channel {
if {
filter { host("^test-mx-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('securityappliances')
);
};
} elif {
filter { host("^test-mr-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('accesspoints')
);
};
} elif {
filter { host("^test-ms-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('switches')
);
};
} else {
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};
};
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};


application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^test-meraki-")
or host("^test-mx-")
or host("^test-mr-")
or host("^test-ms-")
};
parser { app-vps-test-cisco_meraki(); };
};
```

2. Or by a unique port:
```
# /opt/sc4s/env_file
SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
SC4S_LISTEN_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005
SC4S_LISTEN_MERAKI_ACCESSPOINTS_UDP_PORT=5006
SC4S_LISTEN_MERAKI_SWITCHES_UDP_PORT=5007
```
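Review bot: the Sourcetypes table notes (`Not compliant with the Splunk Add-on` / `Compliant with the Splunk Add-on`) conflict with the key fact added above that Splunk Add-on for Cisco Meraki 2.1.0 does not support syslog and that it is `TA-meraki 1.1.5` which requires sourcetype `meraki`; name the add-on each note refers to (TA-meraki) so a reader does not conclude that the `meraki` sourcetype is consumed by app 5580. Two smaller fixes in the same hunk: the Links table now carries two rows both labelled `Splunk Add-on` (5580 and 3018) with nothing to tell them apart, so label them `Splunk Add-on for Cisco Meraki` and `TA-meraki`; and the Product Manual URL still reads `documentation.meraki.com/zGeneral_Administration/...`, where the leading `z` looks like a typo carried over from the old line and will 404. In the parser example, the host prefixes `^test-mx-`, `^test-mr-`, `^test-ms-` and `^test-meraki-` are test fixtures; say explicitly that users must replace them with their own hostname patterns and that every prefix matched inside the block parser must also appear in the application filter, because a host that matches only an inner `filter { host(...) }` never reaches the parser at all.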


105 changes: 81 additions & 24 deletions package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
@@ -1,31 +1,88 @@
block parser app-netsource-cisco_meraki() {
channel {
rewrite {
r_set_splunk_dest_default(
index('netfw')
sourcetype('meraki')
vendor('cisco')
product('meraki')
);
block filter f_cisco_meraki(vendor() product()) {
(
match(`vendor`, value('.netsource.sc4s_vendor'), type(string))
and match(`product`, value('.netsource.sc4s_product'), type(string))
)
or (tags('ns_vendor:`vendor`') and tags('ns_product:`product`'))
or tags('`vendor`_`product`')
or "${.netsource.sc4s_vendor_product}" eq '`vendor`_`product`'
};

block parser app-netsource-cisco_meraki() {
channel {
if {
filter {
f_cisco_meraki(
vendor('cisco')
product('meraki')
);
};
rewrite {
r_set_splunk_dest_default(
index('netfw')
sourcetype('meraki')
vendor('cisco')
product('meraki')
);
};
} elif {
filter {
f_cisco_meraki(
vendor('meraki')
product('securityappliances')
);
};
rewrite {
r_set_splunk_dest_default(
index('netfw')
sourcetype('meraki:securityappliances')
vendor('meraki')
product('securityappliances')
);
};
} elif {
filter {
f_cisco_meraki(
vendor('meraki')
product('accesspoints')
);
};
rewrite {
r_set_splunk_dest_default(
index('netfw')
sourcetype('meraki:accesspoints')
vendor('meraki')
product('accesspoints')
);
};
} elif {
filter {
f_cisco_meraki(
vendor('meraki')
product('switches')
);
};
rewrite {
r_set_splunk_dest_default(
index('netfw')
sourcetype('meraki:switches')
vendor('meraki')
product('switches')
);
};
};


};
};
};

application app-netsource-cisco_meraki[sc4s-network-source] {
filter {
not filter(f_is_source_identified)
and (
(
match("cisco", value('.netsource.sc4s_vendor'), type(string))
and match("meraki", value('.netsource.sc4s_product'), type(string))
)
or (tags("ns_vendor:cisco") and tags("ns_product:meraki"))
or tags(".source.s_CISCO_MERAKI")
or "${.netsource.sc4s_vendor_product}" eq "cisco_meraki"
)
;
};
parser { app-netsource-cisco_meraki(); };
};
f_cisco_meraki(vendor('cisco') product('meraki'))
or f_cisco_meraki(vendor('meraki') product('securityappliances'))
or f_cisco_meraki(vendor('meraki') product('accesspoints'))
or f_cisco_meraki(vendor('meraki') product('switches'))
)
};
parser { app-netsource-cisco_meraki(); };
};
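Review bot: the new block filter `f_cisco_meraki` drops the `tags(".source.s_CISCO_MERAKI")` check from the old application filter and replaces it with `tags('`vendor`_`product`')`, which expands to `cisco_meraki`, not `.source.s_CISCO_MERAKI`. Unless the port listener sets a tag of that form, that arm of the OR is dead and any message that previously matched only on the `.source.s_CISCO_MERAKI` tag is no longer routed here; the `"${.netsource.sc4s_vendor_product}" eq '`vendor`_`product`'` arm only covers the `SC4S_LISTEN_*_UDP_PORT` case if the listener actually populates that field. Either restore a tag check that matches what the listener emits or remove the `tags('`vendor`_`product`')` line and state in the PR why that is safe. Two style points: the helper is named `f_cisco_meraki` although it is parameterized by vendor and product and is invoked with `vendor('meraki')`, so a name such as `f_meraki_vendor_product` would describe it better; and the `if`/`elif` chain in the block parser has no `else`, which is only safe because the application filter is the same four-way OR, so add a comment that the two lists must stay in sync.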
45 changes: 0 additions & 45 deletions package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf

This file was deleted.
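Review bot: deleting `app-syslog-cisco_meraki.conf` removes the message-based classification the old docs described under `Distinctive log messages` (the `host('MR'|'MX'|'MS' ... flags(ignore-case,prefix))` match combined with the program filter), so deployments that relied on it now need either the vendor-product-by-source configuration or a dedicated port to keep receiving `meraki:securityappliances`, `meraki:accesspoints` and `meraki:switches`; anything else falls back to sourcetype `meraki`. That is a behavioral change for existing users and should be called out in the PR description and changelog together with the migration steps from the updated docs.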

55 changes: 47 additions & 8 deletions package/etc/test_parsers/app-vps-test-cisco_meraki.conf
@@ -1,11 +1,50 @@
#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf
#File name provided is a suggestion it must be globally unique

block parser app-vps-test-cisco_meraki() {
channel {
if {
filter { host("^test-mx-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('securityappliances')
);
};
} elif {
filter { host("^test-mr-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('accesspoints')
);
};
} elif {
filter { host("^test-ms-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('switches')
);
};
} else {
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};
};
};


application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^testcm-")
};
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
filter {
host("^test-meraki-")
or host("^test-mx-")
or host("^test-mr-")
or host("^test-ms-")
};
parser { app-vps-test-cisco_meraki(); };
};
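Review bot: the application filter's host prefix changes from `^testcm-` to `^test-meraki-` (plus the three device-specific prefixes), so any test message whose hostname starts with `testcm-` no longer enters this parser and falls through to the default path; confirm the test fixtures were renamed in the same PR, otherwise the existing cisco_meraki tests silently exercise the generic path instead of `p_set_netsource_fields(vendor('cisco') product('meraki'))`. Minor: the header comment `#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf` is copied from the docs example, but this file lives under `package/etc/test_parsers/`; adjust or drop it so nobody mistakes the test parser for the deployment path.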