fix: fix Cisco Meraki filters #2369
Merged
9 commits
2c34bf3  WIP: fixing netsource-cisco_meraki  (mstopa-splunk)
b626297  WIP: remove incorrect parsers, fix netsource parser  (mstopa-splunk)
41ce572  Update vps filter example  (mstopa-splunk)
234873e  Fix app-netsource-cisco_meraki  (mstopa-splunk)
1996cb0  Update vps filter example in SC4S lite  (mstopa-splunk)
9d92975  Add app-netsource-cisco_meraki-splunk_hec  (mstopa-splunk)
d1ed6aa  Remove Meraki json parser  (mstopa-splunk)
74f3d3e  Update Meraki docs  (mstopa-splunk)
b8d9b88  Update Meraki docs  (mstopa-splunk)
@@ -1,65 +1,96 @@ | ||
## Meraki (MR, MS, MX) | ||
|
||
## Key facts | ||
* In most cases, Cisco Meraki logs are general and require vendor product by source configuration. | ||
* For distinctive log messages, filters are based on the appliance name and program value. | ||
* Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message. | ||
* Because of the above you should either configure known Cisco Meraki hosts in SC4S, or open unique ports for Cisco Meraki devices. | ||
* [Splunk Add-on for Cisco Meraki 2.1.0](https://splunkbase.splunk.com/app/5580) doesn't support syslog. Use [TA-meraki](https://splunkbase.splunk.com/app/3018) instead. `TA-meraki 1.1.5` requires sourcetype `meraki`. | ||
|
||
## Distinctive log messages | ||
See samples in the [vendor documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples). | ||
|
||
The two conjuncted conditions are required: | ||
|
||
1. Program: `(events|urls|firewall|cellular_firewall|vpn_firewall|ids-alerts|flows)` | ||
|
||
2. Appliance name: | ||
|
||
| Sourcetype | Distinct element | | ||
| --------- | -------------- | | ||
| meraki:accesspoints | `host('MR' type(string) flags(ignore-case,prefix))` | | ||
| meraki:securityappliances | `host('MX' type(string) flags(ignore-case,prefix))` | | ||
| meraki:switches | `host('MS' type(string) flags(ignore-case,prefix))` | | ||
|
||
|
||
## Links | ||
|
||
| Ref | Link | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| Splunk Add-on | <https://splunkbase.splunk.com/app/5580> | | ||
| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> <https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples> | | ||
| Splunk Add-on | <https://splunkbase.splunk.com/app/3018> | | ||
| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> | | ||
|
||
## Sourcetypes | ||
|
||
| sourcetype | notes | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| meraki:accesspoints | MR | | ||
| meraki:securityappliances | MX | | ||
| meraki:switches | MS | | ||
| meraki | vendor product by source configuration | | ||
| meraki:accesspoints | Not compliant with the Splunk Add-on | | ||
| meraki:securityappliances | Not compliant with the Splunk Add-on | | ||
| meraki:switches | Not compliant with the Splunk Add-on | | ||
| meraki | For all Meraki devices. Compliant with the Splunk Add-on | | ||
|
||
## Sourcetype and Index Configuration | ||
## Index Configuration | ||
|
||
| key | sourcetype | index | notes | | ||
|----------------|----------------|----------------|----------------| | ||
| cisco_meraki_accesspoints | meraki:accesspoints | netfw | Filtered on the message format | | ||
| cisco_meraki_securityappliances | meraki:securityappliances | netfw | Filtered on the message format | | ||
| cisco_meraki_switches | meraki:switches | netfw | Filtered on the message format | | ||
| cisco_meraki | meraki | netfw | Filtered on vendor product by source configuration | | ||
| meraki_accesspoints | meraki:accesspoints | netfw | | | ||
| meraki_securityappliances | meraki:securityappliances | netfw | | | ||
| meraki_switches | meraki:switches | netfw | | | ||
| cisco_meraki | meraki | netfw | | | ||
|
||
## Parser Configuration | ||
|
||
## Parser Configuration | ||
1. Either by defining Cisco Meraki hosts: | ||
```c | ||
#/opt/sc4s/local/config/app-parsers/app-vps-cisco_meraki.conf | ||
#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf | ||
#File name provided is a suggestion it must be globally unique | ||
|
||
application app-vps-test-cisco_meraki[sc4s-vps] { | ||
filter { | ||
host("^testcm-") | ||
block parser app-vps-test-cisco_meraki() { | ||
channel { | ||
if { | ||
filter { host("^test-mx-") }; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('meraki') | ||
product('securityappliances') | ||
); | ||
}; | ||
} elif { | ||
filter { host("^test-mr-") }; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('meraki') | ||
product('accesspoints') | ||
); | ||
}; | ||
} elif { | ||
filter { host("^test-ms-") }; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('meraki') | ||
product('switches') | ||
); | ||
}; | ||
} else { | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('cisco') | ||
product('meraki') | ||
); | ||
}; | ||
}; | ||
}; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('cisco') | ||
product('meraki') | ||
); | ||
}; | ||
}; | ||
|
||
|
||
application app-vps-test-cisco_meraki[sc4s-vps] { | ||
filter { | ||
host("^test-meraki-") | ||
or host("^test-mx-") | ||
or host("^test-mr-") | ||
or host("^test-ms-") | ||
}; | ||
parser { app-vps-test-cisco_meraki(); }; | ||
}; | ||
``` | ||
|
||
2. Or by a unique port: | ||
``` | ||
# /opt/sc4s/env_file | ||
SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004 | ||
SC4S_LISTEN_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005 | ||
SC4S_LISTEN_MERAKI_ACCESSPOINTS_UDP_PORT=5006 | ||
SC4S_LISTEN_MERAKI_SWITCHES_UDP_PORT=5007 | ||
``` |
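Review bot: both Product Manual rows of the Links table point at `https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration`, which carries a stray `z` in the path; the link under "Distinctive log messages" uses `General_Administration`, so please drop the `z` in both rows. Also, the "Key facts" list says Cisco Meraki messages are not distinctive and cannot be classified from the log message, yet the hunk still shows the "Distinctive log messages" section (program regex plus the `host('MR'/'MX'/'MS' ...)` table) and index rows marked "Filtered on the message format"; if any of that survives rather than being removed, it contradicts the key facts and the deletion of the app-syslog and app-almost-syslog parsers, so please make sure the retained text describes only host-based (`app_parsers` example) and port-based (`env_file` example) classification. Finally, the `test-mx-`, `test-mr-`, `test-ms-` and `test-meraki-` host prefixes in the example are sample values; one sentence telling readers to replace them with their own naming convention would help.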
28 changes: 0 additions & 28 deletions
package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf
This file was deleted.
105 changes: 81 additions & 24 deletions
package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
@@ -1,31 +1,88 @@ | ||
block parser app-netsource-cisco_meraki() { | ||
channel { | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netfw') | ||
sourcetype('meraki') | ||
vendor('cisco') | ||
product('meraki') | ||
); | ||
block filter f_cisco_meraki(vendor() product()) { | ||
( | ||
match(`vendor`, value('.netsource.sc4s_vendor'), type(string)) | ||
and match(`product`, value('.netsource.sc4s_product'), type(string)) | ||
) | ||
or (tags('ns_vendor:`vendor`') and tags('ns_product:`product`')) | ||
or tags('`vendor`_`product`') | ||
or "${.netsource.sc4s_vendor_product}" eq '`vendor`_`product`' | ||
}; | ||
|
||
block parser app-netsource-cisco_meraki() { | ||
channel { | ||
if { | ||
filter { | ||
f_cisco_meraki( | ||
vendor('cisco') | ||
product('meraki') | ||
); | ||
}; | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netfw') | ||
sourcetype('meraki') | ||
vendor('cisco') | ||
product('meraki') | ||
); | ||
}; | ||
} elif { | ||
filter { | ||
f_cisco_meraki( | ||
vendor('meraki') | ||
product('securityappliances') | ||
); | ||
}; | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netfw') | ||
sourcetype('meraki:securityappliances') | ||
vendor('meraki') | ||
product('securityappliances') | ||
); | ||
}; | ||
} elif { | ||
filter { | ||
f_cisco_meraki( | ||
vendor('meraki') | ||
product('accesspoints') | ||
); | ||
}; | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netfw') | ||
sourcetype('meraki:accesspoints') | ||
vendor('meraki') | ||
product('accesspoints') | ||
); | ||
}; | ||
} elif { | ||
filter { | ||
f_cisco_meraki( | ||
vendor('meraki') | ||
product('switches') | ||
); | ||
}; | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netfw') | ||
sourcetype('meraki:switches') | ||
vendor('meraki') | ||
product('switches') | ||
); | ||
}; | ||
}; | ||
|
||
|
||
}; | ||
}; | ||
}; | ||
|
||
application app-netsource-cisco_meraki[sc4s-network-source] { | ||
filter { | ||
not filter(f_is_source_identified) | ||
and ( | ||
( | ||
match("cisco", value('.netsource.sc4s_vendor'), type(string)) | ||
and match("meraki", value('.netsource.sc4s_product'), type(string)) | ||
) | ||
or (tags("ns_vendor:cisco") and tags("ns_product:meraki")) | ||
or tags(".source.s_CISCO_MERAKI") | ||
or "${.netsource.sc4s_vendor_product}" eq "cisco_meraki" | ||
) | ||
; | ||
}; | ||
parser { app-netsource-cisco_meraki(); }; | ||
}; | ||
f_cisco_meraki(vendor('cisco') product('meraki')) | ||
or f_cisco_meraki(vendor('meraki') product('securityappliances')) | ||
or f_cisco_meraki(vendor('meraki') product('accesspoints')) | ||
or f_cisco_meraki(vendor('meraki') product('switches')) | ||
) | ||
}; | ||
parser { app-netsource-cisco_meraki(); }; | ||
}; |
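Review bot: the port-based match changes form and should be confirmed against the listener tags: the old application filter checked `tags(".source.s_CISCO_MERAKI")`, while the new `f_cisco_meraki` block filter checks `tags('`vendor`_`product`')`, i.e. `cisco_meraki`, `meraki_securityappliances`, `meraki_accesspoints` and `meraki_switches`. Please verify that the unique-port listeners documented in the `env_file` example (ports 5004-5007) tag messages in that form; if they still only set the `.source.s_...` tag, traffic on those ports would be classified only via the netsource fields or `${.netsource.sc4s_vendor_product}` alternatives. A short comment above `block filter f_cisco_meraki` listing the four alternatives it accepts (netsource vendor/product fields, `ns_vendor:`/`ns_product:` tags, the `vendor_product` tag, and the `.netsource.sc4s_vendor_product` value) would also help the next reader, since the same filter now gates all four sourcetypes.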
45 changes: 0 additions & 45 deletions
package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf
This file was deleted.
@@ -1,11 +1,50 @@ | ||
#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf | ||
#File name provided is a suggestion it must be globally unique | ||
|
||
block parser app-vps-test-cisco_meraki() { | ||
channel { | ||
if { | ||
filter { host("^test-mx-") }; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('meraki') | ||
product('securityappliances') | ||
); | ||
}; | ||
} elif { | ||
filter { host("^test-mr-") }; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('meraki') | ||
product('accesspoints') | ||
); | ||
}; | ||
} elif { | ||
filter { host("^test-ms-") }; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('meraki') | ||
product('switches') | ||
); | ||
}; | ||
} else { | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('cisco') | ||
product('meraki') | ||
); | ||
}; | ||
}; | ||
}; | ||
}; | ||
|
||
|
||
application app-vps-test-cisco_meraki[sc4s-vps] { | ||
filter { | ||
host("^testcm-") | ||
}; | ||
parser { | ||
p_set_netsource_fields( | ||
vendor('cisco') | ||
product('meraki') | ||
); | ||
filter { | ||
host("^test-meraki-") | ||
or host("^test-mx-") | ||
or host("^test-mr-") | ||
or host("^test-ms-") | ||
}; | ||
parser { app-vps-test-cisco_meraki(); }; | ||
}; |
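Review bot: the `else` branch of `app-vps-test-cisco_meraki` labels every host admitted by the application filter that does not start with `test-mx-`, `test-mr-` or `test-ms-` as `cisco`/`meraki`; with the current filter the only such prefix is `test-meraki-`, so this is intentional, but a comment on the `else` saying so would stop a later widening of the application filter from silently routing unrelated hosts to sourcetype `meraki`. The `host("^test-mx-")` style regexes are also case-sensitive, whereas the host matching removed from the docs used `flags(ignore-case)`; if device hostnames may be upper-cased (`MX`, `MR`, `MS`), add `flags(ignore-case)` to these `host()` filters. Finally, this parser is duplicated verbatim in the docs hunk's Parser Configuration example; consider noting in one place that the two copies must stay in sync.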
@mstopa-splunk @rjha-splunk it's not a Splunk-supported add-on, not sure that we need to do it in general