From 2c34bf31f21d6f9d6806c5ab15707375c8972f3e Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Wed, 13 Mar 2024 14:32:28 +0000 Subject: [PATCH 1/9] WIP: fixing netsource-cisco_meraki --- app-vps-cisco_meraki.conf | 50 +++++++ docs/sources/vendor/Cisco/cisco_meraki.md | 136 ++++++++++++------ .../netsource/app-netsource-cisco_meraki.conf | 61 ++++---- 3 files changed, 183 insertions(+), 64 deletions(-) create mode 100644 app-vps-cisco_meraki.conf diff --git a/app-vps-cisco_meraki.conf b/app-vps-cisco_meraki.conf new file mode 100644 index 0000000000..a48db24aeb --- /dev/null +++ b/app-vps-cisco_meraki.conf @@ -0,0 +1,50 @@ +#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf +#File name provided is a suggestion it must be globally unique + +block parser app-vps-test-cisco_meraki() { + channel { + if { + filter { host("^test-mx-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('securityappliances') + ); + }; + } elif { + filter { host("^test-mr-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('accesspoints') + ); + }; + } elif { + filter { host("^test-ms-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('switches') + ); + }; + } else { + parser { + p_set_netsource_fields( + vendor('cisco') + product('meraki') + ); + }; + }; + }; +}; + + +application app-vps-test-cisco_meraki[sc4s-vps] { + filter { + host("^test") + or host("^test-mx-") + or host("^test-mr-") + or host("^test-ms-") + }; + parser { app-vps-test-cisco_meraki(); }; +}; diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md index f34f843461..a3ecc89253 100644 --- a/docs/sources/vendor/Cisco/cisco_meraki.md +++ b/docs/sources/vendor/Cisco/cisco_meraki.md 
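Review bot: In the application filter at the bottom of this new file, `host("^test")` already matches every host the three more specific alternatives match, so `or host("^test-mx-")` and the two lines after it are dead and any host whose name starts with "test" is routed into the block's `else` branch as vendor cisco/product meraki. Either drop the generic alternative or anchor it to a dedicated prefix such as `host("^test-meraki-")`, which patch 3/9 of this series applies to the copy under package/etc/test_parsers/. The file is also created at the repository root rather than beside the other test parsers, and patch 2/9 deletes it again; squashing the series would keep the stray file out of history.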
@@ -1,65 +1,121 @@ ## Meraki (MR, MS, MX) ## Key facts -* In most cases, Cisco Meraki logs are general and require vendor product by source configuration. -* For distinctive log messages, filters are based on the appliance name and program value. +* Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message. +* Because of the above you should either configure known Cisco Meraki hosts in SC4S, or open unique ports for Cisco Meraki devices. +* Before reading this document see [Cisco Meraki syslog overview and configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration). -## Distinctive log messages -See samples in the [vendor documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples). +## Links +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | | +| Product Manual | | -The two conjuncted conditions are required: -1. Program: `(events|urls|firewall|cellular_firewall|vpn_firewall|ids-alerts|flows)` +### Sourcetypes +| Device Type | Sourcetype | Event Log | IDS Alerts | URLs | Flows | +|--------------------| --- | -----------|------------|------|-------| +| MX Security Appliance | meraki:securityappliances | Yes | Yes | Yes | Yes | +| MR Access Points | meraki:accesspoints | Yes | No | Yes | Yes | +| MS Switches | meraki:switches | Yes | No | No | No | +| All Cisco Meraki devices | meraki | Yes | Yes | Yes | Yes | -2. Appliance name: +* The following sourcetypes are supported by Splunk Cisco Meraki Add-on, but not by Cisco Meraki syslog client: `meraki:cameras`, `meraki:organizationsecurity`, `meraki:audit`, `meraki:airmarshal`. 
-| Sourcetype | Distinct element | -| --------- | -------------- | -| meraki:accesspoints | `host('MR' type(string) flags(ignore-case,prefix))` | -| meraki:securityappliances | `host('MX' type(string) flags(ignore-case,prefix))` | -| meraki:switches | `host('MS' type(string) flags(ignore-case,prefix))` | - +#### Event Log +| Event Log type | program | +|--------------------|-----------| +| | events | +| Security Events | security_event | +| Air Marshal Events| airmarshal_events | -## Links -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | | -| Product Manual | | +#### IDS Alerts +| Event Log type | program | +|--------------------|-----------| +| | ids_alerts, ids_alerted | -## Sourcetypes +#### URL +| Event Log type | program | +|--------------------|-----------| +| | urls | + + +#### Flows +| Event Log type | program | +|--------------------|-----------| +| | flows, firewall, vpn_firewall, cellular_firewall, bridge_anyconnect_client_vpn_firewall | -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| meraki:accesspoints | MR | -| meraki:securityappliances | MX | -| meraki:switches | MS | -| meraki | vendor product by source configuration | ## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| cisco_meraki_accesspoints | meraki:accesspoints | netfw | Filtered on the message format | -| cisco_meraki_securityappliances | meraki:securityappliances | netfw | Filtered on the message format | -| cisco_meraki_switches | meraki:switches | netfw | Filtered on the message format | -| cisco_meraki | meraki | netfw | Filtered on vendor product by source configuration | +| cisco_meraki_accesspoints | meraki:accesspoints | netfw | | +| cisco_meraki_securityappliances | 
meraki:securityappliances | netfw | | +| cisco_meraki_switches | meraki:switches | netfw | | +| cisco_meraki | meraki | netfw | | ## Parser Configuration - +1. Either by defining all Cisco Meraki hosts in SC4S ```c -#/opt/sc4s/local/config/app-parsers/app-vps-cisco_meraki.conf +#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf #File name provided is a suggestion it must be globally unique -application app-vps-test-cisco_meraki[sc4s-vps] { - filter { - host("^testcm-") +block parser app-vps-test-cisco_meraki() { + channel { + if { + filter { host("^test-mx-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('securityappliances') + ); + }; + } elif { + filter { host("^test-mr-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('accesspoints') + ); + }; + } elif { + filter { host("^test-ms-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('switches') + ); + }; + } else { + parser { + p_set_netsource_fields( + vendor('cisco') + product('meraki') + ); + }; + }; }; - parser { - p_set_netsource_fields( - vendor('cisco') - product('meraki') - ); - }; }; + + +application app-vps-test-cisco_meraki[sc4s-vps] { + filter { + host("^test-") + or host("^test-mx-") + or host("^test-mr-") + or host("^test-ms-") + }; + parser { app-vps-test-cisco_meraki(); }; +}; +``` + +2. Or by unique port ``` +# /opt/sc4s/env_file +SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004 +SC4S_LISTEN_CISCO_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005 +SC4S_LISTEN_CISCO_MERAKI_ACCESSPOINTS_UDP_PORT=5006 +SC4S_LISTEN_CISCO_MERAKI_SWITCHES_UDP_PORT=5007 +``` \ No newline at end of file diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf index 579cfc295d..c66d4326a2 100644 --- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf +++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf 
@@ -1,31 +1,44 @@ -block parser app-netsource-cisco_meraki() { - channel { - rewrite { - r_set_splunk_dest_default( - index('netfw') - sourcetype('meraki') - vendor('cisco') - product('meraki') - ); +block filter f_cisco_meraki( + sc4s_vendor() sc4s_product() sc4s_vendor_product() ns_vendor() ns_product() source_tag() + ) { + ( + match(`sc4s_vendor`, value('.netsource.sc4s_vendor'), type(string)) + and match(`sc4s_product`, value('.netsource.sc4s_product'), type(string)) + ) + or (tags(`ns_vendor`) and tags(`ns_product`)) + or tags(`source_tag`) + or "${.netsource.sc4s_vendor_product}" eq `sc4s_vendor_product` +}; +block parser app-netsource-cisco_meraki() { + channel { + if { + filter { + f_cisco_meraki( + sc4s_vendor('cisco') + sc4s_product('meraki') + sc4s_vendor_product('cisco_meraki') + ns_vendor('ns_vendor:cisco') + ns_product('ns_product:meraki') + source_tag('cisco_meraki') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki') + vendor('cisco') + product('meraki') + ); + }; }; + } +}; - }; -}; application app-netsource-cisco_meraki[sc4s-network-source] { filter { not filter(f_is_source_identified) - and ( - ( - match("cisco", value('.netsource.sc4s_vendor'), type(string)) - and match("meraki", value('.netsource.sc4s_product'), type(string)) - ) - or (tags("ns_vendor:cisco") and tags("ns_product:meraki")) - or tags(".source.s_CISCO_MERAKI") - or "${.netsource.sc4s_vendor_product}" eq "cisco_meraki" - ) - ; - }; - parser { app-netsource-cisco_meraki(); }; -}; + }; + parser { app-netsource-cisco_meraki(); }; +}; \ No newline at end of file From b626297ed44caa7add19a912e00bdd56d71a4d46 Mon Sep 17 00:00:00 2001 
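Review bot: The application filter at the end of this hunk is reduced to `not filter(f_is_source_identified)`, so `app-netsource-cisco_meraki` now matches every not-yet-identified message regardless of vendor or product; the `f_cisco_meraki` test that moved into the parser's `if` only gates the rewrite, and a message failing it presumably still counts as claimed by this application. Patch 4/9 restores the condition with `and ( f_cisco_meraki(...) or ... )`, so this intermediate commit is broken on its own; patch 2/9 makes the same reduction in package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf, restored by patch 5/9. The new `+ }` closing the `if` also lacks the trailing `;` that the later hunk adds (`};`).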
From: mstopa-splunk Date: Wed, 13 Mar 2024 16:26:36 +0000 Subject: [PATCH 2/9] WIP: remove incorrect parsers, fix netsource parser --- app-vps-cisco_meraki.conf | 50 --------- .../app-almost-syslog-cisco_meraki.conf | 28 ----- .../netsource/app-netsource-cisco_meraki.conf | 70 +++++++++--- .../syslog/app-syslog-cisco_meraki.conf | 45 -------- .../app-vps-test-cisco_meraki.conf | 55 ++++++++-- .../cisco/app-almost-syslog-cisco_meraki.conf | 28 ----- .../cisco/app-netsource-cisco_meraki.conf | 101 +++++++++++++----- .../addons/cisco/app-syslog-cisco_meraki.conf | 45 -------- tests/test_cisco_meraki.py | 47 +++----- 9 files changed, 190 insertions(+), 279 deletions(-) delete mode 100644 app-vps-cisco_meraki.conf delete mode 100644 package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf delete mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf delete mode 100644 package/lite/etc/addons/cisco/app-almost-syslog-cisco_meraki.conf delete mode 100644 package/lite/etc/addons/cisco/app-syslog-cisco_meraki.conf diff --git a/app-vps-cisco_meraki.conf b/app-vps-cisco_meraki.conf deleted file mode 100644 index a48db24aeb..0000000000 --- a/app-vps-cisco_meraki.conf +++ /dev/null 
@@ -1,50 +0,0 @@ -#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf -#File name provided is a suggestion it must be globally unique - -block parser app-vps-test-cisco_meraki() { - channel { - if { - filter { host("^test-mx-") }; - parser { - p_set_netsource_fields( - vendor('meraki') - product('securityappliances') - ); - }; - } elif { - filter { host("^test-mr-") }; - parser { - p_set_netsource_fields( - vendor('meraki') - product('accesspoints') - ); - }; - } elif { - filter { host("^test-ms-") }; - parser { - p_set_netsource_fields( - vendor('meraki') - product('switches') - ); - }; - } else { - parser { - p_set_netsource_fields( - vendor('cisco') - product('meraki') - ); - }; - }; - }; -}; - - -application app-vps-test-cisco_meraki[sc4s-vps] { - filter { - host("^test") - or host("^test-mx-") - or host("^test-mr-") - or host("^test-ms-") - }; - parser { app-vps-test-cisco_meraki(); }; -}; diff --git a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf deleted file mode 100644 index 69ee78f9e8..0000000000 --- a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf +++ /dev/null @@ -1,28 +0,0 @@ -rewrite set_rfc3164_cisco_meraki{ - set-tag("wireformat:rfc3164_cisco_meraki"); -}; - -block parser app-almost-syslog-cisco_meraki() { - channel { - parser { - regexp-parser( - prefix(".tmp.") - patterns('^(?\<\d+\>) ?(?[A-Z][a-z]{2} *\d{1,2} \d\d:\d\d:\d\d) (?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?\d) (?\d{10}\.\d{9}) (?.*)') - ); - date-parser( - format('%s.%f', '%s') - template("${.tmp.ts2}") - ); - syslog-parser( - flags(assume-utf8, guess-timezone) - template("${.tmp.pri} $S_ISODATE ${.tmp.message}") - ); - }; - rewrite(set_rfc); - rewrite(set_rfc3164); - rewrite(set_rfc3164_cisco_meraki); - }; -}; -application app-almost-syslog-cisco_meraki[sc4s-almost-syslog] { - parser { app-almost-syslog-cisco_meraki(); }; -}; 
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf index c66d4326a2..31aed4f1fb 100644 --- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf +++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf @@ -1,13 +1,11 @@ -block filter f_cisco_meraki( - sc4s_vendor() sc4s_product() sc4s_vendor_product() ns_vendor() ns_product() source_tag() - ) { +block filter f_cisco_meraki(vendor() product()) { ( - match(`sc4s_vendor`, value('.netsource.sc4s_vendor'), type(string)) - and match(`sc4s_product`, value('.netsource.sc4s_product'), type(string)) + match(`vendor`, value('.netsource.sc4s_vendor'), type(string)) + and match(`product`, value('.netsource.sc4s_product'), type(string)) ) - or (tags(`ns_vendor`) and tags(`ns_product`)) - or tags(`source_tag`) - or "${.netsource.sc4s_vendor_product}" eq `sc4s_vendor_product` + or (tags('ns_vendor:`vendor`') and tags('ns_product:`product`')) + or tags('`vendor`_`product`') + or "${.netsource.sc4s_vendor_product}" eq '`vendor`_`product`' }; block parser app-netsource-cisco_meraki() { @@ -15,12 +13,8 @@ block parser app-netsource-cisco_meraki() { if { filter { f_cisco_meraki( - sc4s_vendor('cisco') - sc4s_product('meraki') - sc4s_vendor_product('cisco_meraki') - ns_vendor('ns_vendor:cisco') - ns_product('ns_product:meraki') - source_tag('cisco_meraki') + vendor('cisco') + product('meraki') ); }; rewrite { 
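Review bot: `f_cisco_meraki` replaces the removed `tags(".source.s_CISCO_MERAKI")` clause with the clause tags('`vendor`_`product`'), which expands to `cisco_meraki` for the first call and to `meraki_securityappliances`, `meraki_accesspoints` and `meraki_switches` for the others; unless the dedicated-port listener sets a tag of exactly that form, the unique-port path advertised in the docs (`SC4S_LISTEN_CISCO_MERAKI_UDP_PORT`) no longer reaches this parser, so verify against how SC4S tags port sources. The documented product-specific variables are spelled `CISCO_MERAKI_SECURITYAPPLIANCES` while the block is invoked with vendor `meraki` and product `securityappliances`, so `${.netsource.sc4s_vendor_product}` would have to equal `meraki_securityappliances` for the `eq` clause to fire; the two spellings should agree. A comment above the block such as `# every clause expects the <vendor>_<product> spelling; listener tags and env var names must use the same form` would make this checkable. The same block is added to package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf.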
@@ -31,11 +25,55 @@ block parser app-netsource-cisco_meraki() { product('meraki') ); }; + } elif { + filter { + f_cisco_meraki( + vendor('meraki') + product('securityappliances') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki:securityappliances') + vendor('meraki') + product('securityappliances') + ); + }; + } elif { + filter { + f_cisco_meraki( + vendor('meraki') + product('accesspoints') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki:accesspoints') + vendor('meraki') + product('accesspoints') + ); + }; + } elif { + filter { + f_cisco_meraki( + vendor('meraki') + product('switches') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki:switches') + vendor('meraki') + product('switches') + ); + }; }; - } + }; }; - application app-netsource-cisco_meraki[sc4s-network-source] { filter { not filter(f_is_source_identified) diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf deleted file mode 100644 index 73e1d7dff6..0000000000 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf +++ /dev/null 
@@ -1,45 +0,0 @@ -block parser app-syslog-cisco_meraki() { - channel { - - rewrite { - set("securityappliances", value(".tmp.device") condition( host('MX' type(string) flags(ignore-case,prefix)))); - set("switches", value(".tmp.device") condition( host('MS' type(string) flags(ignore-case,prefix)))); - set("accesspoints", value(".tmp.device") condition( host('MR' type(string) flags(ignore-case,prefix)))); - }; - - rewrite { - r_set_splunk_dest_default( - index('netfw') - source('cisco:meraki:${.tmp.device}') - sourcetype('meraki:${.tmp.device}') - vendor("cisco") - product("meraki") - class("${.tmp.device}") - ); - }; - }; -}; - -application app-syslog-cisco_meraki[sc4s-syslog] { - filter { - ( - ( - host('MX' type(string) flags(ignore-case,prefix)) - or host('MS' type(string) flags(ignore-case,prefix)) - or host('MR' type(string) flags(ignore-case,prefix)) - ) - ) - and ( - ( - program('events' type(string)) - or program('urls' type(string)) - or program('firewall' type(string)) - or program('cellular_firewall' type(string)) - or program('vpn_firewall' type(string)) - or program('ids-alerts' type(string)) - or program('flows' type(string)) - ) - ) - }; - parser { app-syslog-cisco_meraki() }; -}; \ No newline at end of file diff --git a/package/etc/test_parsers/app-vps-test-cisco_meraki.conf b/package/etc/test_parsers/app-vps-test-cisco_meraki.conf index a9c69083c1..a48db24aeb 100644 --- a/package/etc/test_parsers/app-vps-test-cisco_meraki.conf +++ b/package/etc/test_parsers/app-vps-test-cisco_meraki.conf 
@@ -1,11 +1,50 @@ +#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf +#File name provided is a suggestion it must be globally unique + +block parser app-vps-test-cisco_meraki() { + channel { + if { + filter { host("^test-mx-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('securityappliances') + ); + }; + } elif { + filter { host("^test-mr-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('accesspoints') + ); + }; + } elif { + filter { host("^test-ms-") }; + parser { + p_set_netsource_fields( + vendor('meraki') + product('switches') + ); + }; + } else { + parser { + p_set_netsource_fields( + vendor('cisco') + product('meraki') + ); + }; + }; + }; +}; + + application app-vps-test-cisco_meraki[sc4s-vps] { - filter { - host("^testcm-") - }; - parser { - p_set_netsource_fields( - vendor('cisco') - product('meraki') - ); + filter { + host("^test") + or host("^test-mx-") + or host("^test-mr-") + or host("^test-ms-") }; + parser { app-vps-test-cisco_meraki(); }; }; diff --git a/package/lite/etc/addons/cisco/app-almost-syslog-cisco_meraki.conf b/package/lite/etc/addons/cisco/app-almost-syslog-cisco_meraki.conf deleted file mode 100644 index 69ee78f9e8..0000000000 --- a/package/lite/etc/addons/cisco/app-almost-syslog-cisco_meraki.conf +++ /dev/null 
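Review bot: The header comment `#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf` names a user-local path, but this file is the packaged test parser package/etc/test_parsers/app-vps-test-cisco_meraki.conf, so the comment points readers at the wrong file. Suggest `# Test parser mirroring the vps example in docs/sources/vendor/Cisco/cisco_meraki.md; keep the two in sync`. The `host("^test")` alternative carries the same redundancy as the root-level copy this commit deletes.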
@@ -1,28 +0,0 @@ -rewrite set_rfc3164_cisco_meraki{ - set-tag("wireformat:rfc3164_cisco_meraki"); -}; - -block parser app-almost-syslog-cisco_meraki() { - channel { - parser { - regexp-parser( - prefix(".tmp.") - patterns('^(?\<\d+\>) ?(?[A-Z][a-z]{2} *\d{1,2} \d\d:\d\d:\d\d) (?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?\d) (?\d{10}\.\d{9}) (?.*)') - ); - date-parser( - format('%s.%f', '%s') - template("${.tmp.ts2}") - ); - syslog-parser( - flags(assume-utf8, guess-timezone) - template("${.tmp.pri} $S_ISODATE ${.tmp.message}") - ); - }; - rewrite(set_rfc); - rewrite(set_rfc3164); - rewrite(set_rfc3164_cisco_meraki); - }; -}; -application app-almost-syslog-cisco_meraki[sc4s-almost-syslog] { - parser { app-almost-syslog-cisco_meraki(); }; -}; diff --git a/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf b/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf index 579cfc295d..31aed4f1fb 100644 --- a/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf +++ b/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf 
@@ -1,31 +1,82 @@ -block parser app-netsource-cisco_meraki() { - channel { - rewrite { - r_set_splunk_dest_default( - index('netfw') - sourcetype('meraki') - vendor('cisco') - product('meraki') - ); +block filter f_cisco_meraki(vendor() product()) { + ( + match(`vendor`, value('.netsource.sc4s_vendor'), type(string)) + and match(`product`, value('.netsource.sc4s_product'), type(string)) + ) + or (tags('ns_vendor:`vendor`') and tags('ns_product:`product`')) + or tags('`vendor`_`product`') + or "${.netsource.sc4s_vendor_product}" eq '`vendor`_`product`' +}; +block parser app-netsource-cisco_meraki() { + channel { + if { + filter { + f_cisco_meraki( + vendor('cisco') + product('meraki') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki') + vendor('cisco') + product('meraki') + ); + }; + } elif { + filter { + f_cisco_meraki( + vendor('meraki') + product('securityappliances') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki:securityappliances') + vendor('meraki') + product('securityappliances') + ); + }; + } elif { + filter { + f_cisco_meraki( + vendor('meraki') + product('accesspoints') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki:accesspoints') + vendor('meraki') + product('accesspoints') + ); + }; + } elif { + filter { + f_cisco_meraki( + vendor('meraki') + product('switches') + ); + }; + rewrite { + r_set_splunk_dest_default( + index('netfw') + sourcetype('meraki:switches') + vendor('meraki') + product('switches') + ); + }; }; - - - }; + }; }; + application app-netsource-cisco_meraki[sc4s-network-source] { filter { not filter(f_is_source_identified) - and ( - ( - match("cisco", value('.netsource.sc4s_vendor'), type(string)) - and match("meraki", value('.netsource.sc4s_product'), type(string)) - ) - or (tags("ns_vendor:cisco") and tags("ns_product:meraki")) - or tags(".source.s_CISCO_MERAKI") - or "${.netsource.sc4s_vendor_product}" eq 
"cisco_meraki" - ) - ; - }; - parser { app-netsource-cisco_meraki(); }; -}; + }; + parser { app-netsource-cisco_meraki(); }; +}; \ No newline at end of file diff --git a/package/lite/etc/addons/cisco/app-syslog-cisco_meraki.conf b/package/lite/etc/addons/cisco/app-syslog-cisco_meraki.conf deleted file mode 100644 index 73e1d7dff6..0000000000 --- a/package/lite/etc/addons/cisco/app-syslog-cisco_meraki.conf +++ /dev/null @@ -1,45 +0,0 @@ -block parser app-syslog-cisco_meraki() { - channel { - - rewrite { - set("securityappliances", value(".tmp.device") condition( host('MX' type(string) flags(ignore-case,prefix)))); - set("switches", value(".tmp.device") condition( host('MS' type(string) flags(ignore-case,prefix)))); - set("accesspoints", value(".tmp.device") condition( host('MR' type(string) flags(ignore-case,prefix)))); - }; - - rewrite { - r_set_splunk_dest_default( - index('netfw') - source('cisco:meraki:${.tmp.device}') - sourcetype('meraki:${.tmp.device}') - vendor("cisco") - product("meraki") - class("${.tmp.device}") - ); - }; - }; -}; - -application app-syslog-cisco_meraki[sc4s-syslog] { - filter { - ( - ( - host('MX' type(string) flags(ignore-case,prefix)) - or host('MS' type(string) flags(ignore-case,prefix)) - or host('MR' type(string) flags(ignore-case,prefix)) - ) - ) - and ( - ( - program('events' type(string)) - or program('urls' type(string)) - or program('firewall' type(string)) - or program('cellular_firewall' type(string)) - or program('vpn_firewall' type(string)) - or program('ids-alerts' type(string)) - or program('flows' type(string)) - ) - ) - }; - parser { app-syslog-cisco_meraki() }; -}; \ No newline at end of file diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py index 02863236c4..eb6446c362 100644 --- a/tests/test_cisco_meraki.py +++ b/tests/test_cisco_meraki.py 
@@ -22,31 +22,31 @@ # MX events: vpn connectivity change { "template": "{{ mark }} {{ epoch }} {{ host }} events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='1.1.1.1:51856' peer_ident='XXXXX' connectivity='false'", - "host_prefix": "MX", + "host_prefix": "test-mx-", "sourcetype": "meraki:securityappliances" }, # urls: HTTP GET requests { "template": "{{ mark }} {{ epoch }} {{ host }} urls src=1.1.1.1:63735 dst=1.1.1.1:80 mac=XX:XX:XX:XX:XX:XX request: GET https://...", - "host_prefix": "MX", + "host_prefix": "test-mx-", "sourcetype": "meraki:securityappliances" }, # MX flows { "template": "{{ mark }} {{ epoch }} {{ host }} flows src=1.1.1.186 dst=8.8.8.8 mac=XX:XX:XX:XX:XX:XX protocol=udp sport=55719 dport=53 pattern: allow all", - "host_prefix": "MX", + "host_prefix": "test-mx-", "sourcetype": "meraki:securityappliances" }, # MX firewall { "template": "{{ mark }} {{ epoch }} {{ host }} firewall src=1.1.1.186 dst=8.8.8.8 mac=XX:XX:XX:XX:XX:XX protocol=udp sport=55719 dport=53 pattern: allow all", - "host_prefix": "MX", + "host_prefix": "test-mx-", "sourcetype": "meraki:securityappliances" }, # MX ids-alerts: ids signature matched { "template": "{{ mark }} {{ epoch }} {{ host }} ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=1.1.1.1:80", - "host_prefix": "MX", + "host_prefix": "test-mx-", "sourcetype": "meraki:securityappliances" } ] @@ -55,13 +55,13 @@ # MS events: port status change { "template": "{{ mark }} {{ epoch }} {{ host }} events port 3 status changed from 100fdx to down", - "host_prefix": "MS", + "host_prefix": "test-ms-", "sourcetype": "meraki:switches" }, # MS events: blocked DHCP server response { "template": "{{ mark }} {{ epoch }} {{ host }} events Blocked DHCP server response from XX:XX:XX:XX:XX:XX on VLAN 100", - "host_prefix": "MS", + "host_prefix": "test-ms-", "sourcetype": "meraki:switches" } ] 
@@ -70,51 +70,30 @@ # MR events: 802.11 association { "template": "{{ mark }} {{ epoch }} {{ host }} events type=association radio='0' vap='1' channel='6' rssi='23' aid='XXXXXX'", - "host_prefix": "MR", + "host_prefix": "test-mr-", "sourcetype": "meraki:accesspoints" }, # MR events: WPA authentication { "template": "{{ mark }} {{ epoch }} {{ host }} events type=wpa_auth radio='0' vap='1' aid='XXXXXXX'", - "host_prefix": "MR", + "host_prefix": "test-mr-", "sourcetype": "meraki:accesspoints" }, # MR events: splash authentication { "template": "{{ mark }} {{ epoch }} {{ host }} events type=splash_auth ip='1.1.1.1 [More Information] ' duration='3600' vap='2' download='5242880bps' upload='5242880bps'", - "host_prefix": "MR", + "host_prefix": "test-mr-", "sourcetype": "meraki:accesspoints" }, # MR flows: flow denied by Layer 3 firewall { "template": "{{ mark }} {{ epoch }} {{ host }} flows deny src=1.1.1.1 dst=1.1.1.1 mac=XX:XX:XX:XX:XX:XX protocol=tcp sport=52421 dport=80", - "host_prefix": "MR", + "host_prefix": "test-mr-", "sourcetype": "meraki:accesspoints" } ] -mx_almost_syslog_test_data = [ - # MX events: uplink connectivity change - { - "template": "{{ mark }} Dec 6 08:46:12 1.1.1.1 1 {{ epoch }} {{ host }} events Cellular connection down", - "host_prefix": "MX", - "sourcetype": "meraki:securityappliances" - }, - # MX events: dhcp no offers - { - "template": "{{ mark }} Sep 11 16:12:41 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp no offers for mac XX:XX:XX:XX:XX:XX host = 1.1.1.1", - "host_prefix": "MX", - "sourcetype": "meraki:securityappliances" - }, - # MX events: dhcp lease - { - "template": "{{ mark }} Sep 11 16:05:15 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp lease of ip 1.1.1.1 from server mac XX:XX:XX:XX:XX:XX for client mac XX:XX:XX:XX:XX:XX from router 1.1.1.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", - "host_prefix": "MX", - "sourcetype": "meraki:securityappliances" - } -] - -test_data = mx_test_data + ms_test_data + mr_test_data + 
mx_almost_syslog_test_data +test_data = mx_test_data + ms_test_data + mr_test_data @pytest.mark.parametrize("test_case", test_data) @@ -156,7 +135,7 @@ def test_cisco_meraki_syslog_app( def test_cisco_meraki_vps_app( record_property, setup_splunk, setup_sc4s ): - host = f"testcm-host-{shortuuid.ShortUUID().random(length=5).lower()}" + host = f"test-host-{shortuuid.ShortUUID().random(length=5).lower()}" dt = datetime.datetime.now() _, _, _, _, _, _, epoch = time_operations(dt) From 41ce572a38763d2e1a02dff173c1f53290730ca8 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Thu, 14 Mar 2024 08:53:16 +0000 Subject: [PATCH 3/9] Update vps filter example --- package/etc/test_parsers/app-vps-test-cisco_meraki.conf | 2 +- tests/test_cisco_meraki.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/etc/test_parsers/app-vps-test-cisco_meraki.conf b/package/etc/test_parsers/app-vps-test-cisco_meraki.conf index a48db24aeb..60203460f0 100644 --- a/package/etc/test_parsers/app-vps-test-cisco_meraki.conf +++ b/package/etc/test_parsers/app-vps-test-cisco_meraki.conf @@ -41,7 +41,7 @@ block parser app-vps-test-cisco_meraki() { application app-vps-test-cisco_meraki[sc4s-vps] { filter { - host("^test") + host("^test-meraki-") or host("^test-mx-") or host("^test-mr-") or host("^test-ms-") diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py index eb6446c362..afa6d406f4 100644 --- a/tests/test_cisco_meraki.py +++ b/tests/test_cisco_meraki.py @@ -135,7 +135,7 @@ def test_cisco_meraki_syslog_app( def test_cisco_meraki_vps_app( record_property, setup_splunk, setup_sc4s ): - host = f"test-host-{shortuuid.ShortUUID().random(length=5).lower()}" + host = f"test-meraki-{shortuuid.ShortUUID().random(length=5).lower()}" dt = datetime.datetime.now() _, _, _, _, _, _, epoch = time_operations(dt) From 234873e6d059a0c00cc7c6ecb1a872e0b1e48c73 Mon Sep 17 00:00:00 2001 
From: mstopa-splunk
Date: Thu, 14 Mar 2024 09:56:21 +0000
Subject: [PATCH 4/9] Fix app-netsource-cisco_meraki
---
 .../conflib/netsource/app-netsource-cisco_meraki.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
index 31aed4f1fb..6d54b000d5 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
@@ -77,6 +77,12 @@ block parser app-netsource-cisco_meraki() {
 application app-netsource-cisco_meraki[sc4s-network-source] {
 filter {
 not filter(f_is_source_identified)
+ and (
+ f_cisco_meraki(vendor('cisco') product('meraki'))
+ or f_cisco_meraki(vendor('meraki') product('securityappliances'))
+ or f_cisco_meraki(vendor('meraki') product('accesspoints'))
+ or f_cisco_meraki(vendor('meraki') product('switches'))
+ )
 };
 parser { app-netsource-cisco_meraki(); };
 };
\ No newline at end of file
From 1996cb0e7b241530577e04c276f53ffe66fb192b Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Thu, 14 Mar 2024 10:23:13 +0000
Subject: [PATCH 5/9] Update vps filter example in SC4S lite
---
 .../lite/etc/addons/cisco/app-netsource-cisco_meraki.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf b/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf
index 31aed4f1fb..6d54b000d5 100644
--- a/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf
+++ b/package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf
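Review bot: The four vendor/product pairs in the added `and ( … )` duplicate the `if`/`elif` branches of `app-netsource-cisco_meraki` above, which lie outside this hunk; a pair added to one list but not the other would either be claimed by the application and then fall through the branchless parser untouched, or be handled by a branch the application never reaches. A comment on the line before `and (` such as `# keep in sync with the f_cisco_meraki() branches in app-netsource-cisco_meraki() above` would flag this to the next maintainer. Patch 5/9 makes the identical change to package/lite/etc/addons/cisco/app-netsource-cisco_meraki.conf and needs the same comment.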
@@ -77,6 +77,12 @@ block parser app-netsource-cisco_meraki() {
 application app-netsource-cisco_meraki[sc4s-network-source] {
 filter {
 not filter(f_is_source_identified)
+ and (
+ f_cisco_meraki(vendor('cisco') product('meraki'))
+ or f_cisco_meraki(vendor('meraki') product('securityappliances'))
+ or f_cisco_meraki(vendor('meraki') product('accesspoints'))
+ or f_cisco_meraki(vendor('meraki') product('switches'))
+ )
 };
 parser { app-netsource-cisco_meraki(); };
 };
\ No newline at end of file
From 9d92975e41b27366590a6de9b294e43708747630 Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Mon, 18 Mar 2024 16:37:06 +0000
Subject: [PATCH 6/9] Add app-netsource-cisco_meraki-splunk_hec
---
 docs/sources/vendor/Cisco/cisco_meraki.md | 60 +++++++------------
 .../netsource/app-netsource-cisco_meraki.conf | 51 ++++++++++++++++
 2 files changed, 72 insertions(+), 39 deletions(-)
diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md
index a3ecc89253..7345eb31d0 100644
--- a/docs/sources/vendor/Cisco/cisco_meraki.md
+++ b/docs/sources/vendor/Cisco/cisco_meraki.md
@@ -11,43 +11,16 @@ | Splunk Add-on | | | Product Manual | | +## Sourcetypes -### Sourcetypes -| Device Type | Sourcetype | Event Log | IDS Alerts | URLs | Flows | -|--------------------| --- | -----------|------------|------|-------| -| MX Security Appliance | meraki:securityappliances | Yes | Yes | Yes | Yes | -| MR Access Points | meraki:accesspoints | Yes | No | Yes | Yes | -| MS Switches | meraki:switches | Yes | No | No | No | -| All Cisco Meraki devices | meraki | Yes | Yes | Yes | Yes | - -* The following sourcetypes are supported by Splunk Cisco Meraki Add-on, but not by Cisco Meraki syslog client: `meraki:cameras`, `meraki:organizationsecurity`, `meraki:audit`, `meraki:airmarshal`. - -#### Event Log -| Event Log type | program | -|--------------------|-----------| -| | events | -| Security Events | security_event | -| Air Marshal Events| airmarshal_events | - - -#### IDS Alerts -| Event Log type | program | -|--------------------|-----------| -| | ids_alerts, ids_alerted | - -#### URL -| Event Log type | program | -|--------------------|-----------| -| | urls | - - -#### Flows -| Event Log type | program | -|--------------------|-----------| -| | flows, firewall, vpn_firewall, cellular_firewall, bridge_anyconnect_client_vpn_firewall | - +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| meraki:accesspoints | None | +| meraki:securityappliances | None | +| meraki:switches | None | +| meraki | None | -## Sourcetype and Index Configuration +## Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| @@ -56,6 +29,7 @@ | cisco_meraki_switches | meraki:switches | netfw | | | cisco_meraki | meraki | netfw | | + ## Parser Configuration 1. Either by defining all Cisco Meraki hosts in SC4S ```c 
@@ -115,7 +89,15 @@ application app-vps-test-cisco_meraki[sc4s-vps] {
 ```
 # /opt/sc4s/env_file
 SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
-SC4S_LISTEN_CISCO_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005
-SC4S_LISTEN_CISCO_MERAKI_ACCESSPOINTS_UDP_PORT=5006
-SC4S_LISTEN_CISCO_MERAKI_SWITCHES_UDP_PORT=5007
-```
\ No newline at end of file
+SC4S_LISTEN_CISCO_MERAKI-SECURITYAPPLIANCES_UDP_PORT=5005
+SC4S_LISTEN_CISCO_MERAKI-ACCESSPOINTS_UDP_PORT=5006
+SC4S_LISTEN_CISCO_MERAKI-SWITCHES_UDP_PORT=5007
+```
+
+## Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_DEST_CISCO_MERAKI-SECURITYAPPLIANCES_SPLUNK_HEC_FMT | JSON | Restructure data from vendor format to json for splunk destinations set to "NONE" for native format |
+| SC4S_DEST_CISCO_MERAKI-ACCESSPOINTS_SPLUNK_HEC_FMT | JSON | Restructure data from vendor format to json for splunk destinations set to "NONE" for native format |
+| SC4S_DEST_CISCO_MERAKI-SWITCHES_SPLUNK_HEC_FMT | JSON | Restructure data from vendor format to json for splunk destinations set to "NONE" for native format |
\ No newline at end of file
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
index 6d54b000d5..15194650ea 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
@@ -85,4 +85,55 @@ application app-netsource-cisco_meraki[sc4s-network-source] {
 )
 };
 parser { app-netsource-cisco_meraki(); };
+};
+
+#Destination type formatters
+block parser app-netsource-cisco_meraki-splunk_hec() {
+ channel {
+ if {
+ parser {
+ kv-parser(
+ prefix(".values.")
+ pair-separator(" ")
+ template("t_msg_trim")
+ );
+ };
+
+ filter { "${.values.type}" ne ""; };
+
+ rewrite{
+ set("t_json_values", value(".splunk.sc4s_template"));
+ };
+ };
+ };
+};
+
+application app-netsource-cisco_meraki-splunk_hec[sc4s-lp-dest-format-hec_fmt] {
+ filter {
+ match('meraki', value('fields.sc4s_vendor') type(string))
+ and (
+ (
+ match('securityappliances', value('fields.sc4s_product') type(string))
+ and (
+ "`SC4S_DEST_CISCO_MERAKI-SECURITYAPPLIANCES_SPLUNK_HEC_FMT`" eq ""
+ or "`SC4S_DEST_CISCO_MERAKI-SECURITYAPPLIANCES_SPLUNK_HEC_FMT`" eq "JSON"
+ )
+ )
+ or (
+ match('accesspoints', value('fields.sc4s_product') type(string))
+ and (
+ "`SC4S_DEST_CISCO_MERAKI-ACCESSPOINTS_SPLUNK_HEC_FMT`" eq ""
+ or "`SC4S_DEST_CISCO_MERAKI-ACCESSPOINTS_SPLUNK_HEC_FMT`" eq "JSON"
+ )
+ )
+ or (
+ match('switches', value('fields.sc4s_product') type(string))
+ and (
+ "`SC4S_DEST_CISCO_MERAKI-SWITCHES_SPLUNK_HEC_FMT`" eq ""
+ or "`SC4S_DEST_CISCO_MERAKI-SWITCHES_SPLUNK_HEC_FMT`" eq "JSON"
+ )
+ )
+ )
+ };
+ parser { app-netsource-cisco_meraki-splunk_hec(); };
 };
\ No newline at end of file
From d1ed6aa3266cd5ef027a3b34219b805133ef2973 Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Thu, 28 Mar 2024 12:25:48 +0000
Subject: [PATCH 7/9] Remove Meraki json parser
---
 docs/sources/vendor/Cisco/cisco_meraki.md | 22 +++-----
 .../netsource/app-netsource-cisco_meraki.conf | 51 -------------------
 2 files changed, 8 insertions(+), 65 deletions(-)
diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md
index 7345eb31d0..791474bd91 100644
--- a/docs/sources/vendor/Cisco/cisco_meraki.md
+++ b/docs/sources/vendor/Cisco/cisco_meraki.md
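Review bot: The variables read on the new `filter` lines, `SC4S_DEST_CISCO_MERAKI-SECURITYAPPLIANCES_SPLUNK_HEC_FMT` and its two siblings, contain a hyphen, which is not a valid variable name for a POSIX shell or for systemd `EnvironmentFile=`, so depending on how `env_file` is loaded a `NONE` override documented in this patch's `Options` table may never reach syslog-ng and the `eq ""` branch keeps JSON reshaping on with no way to disable it. Underscored names such as `SC4S_DEST_CISCO_MERAKI_SECURITYAPPLIANCES_SPLUNK_HEC_FMT` would avoid that; the point is moot for the series as patch 7/9 removes this block again, but it matters if the formatter is reintroduced. If I read the `if` without an `else` correctly, a message that yields no `type=` pair falls through in native format while the `.values.*` pairs the `kv-parser` already set remain on it, which deserves a comment on the `filter` line, e.g. `# only messages with a type= pair are reshaped to JSON; others are forwarded as-is`.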
@@ -4,21 +4,23 @@
 * Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message.
 * Because of the above you should either configure known Cisco Meraki hosts in SC4S, or open unique ports for Cisco Meraki devices.
 * Before reading this document see [Cisco Meraki syslog overview and configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration).
+* [Splunk Add-on for Cisco Meraki 2.1.0](https://splunkbase.splunk.com/app/5580) doesn't support syslog. Use [TA-meraki](https://splunkbase.splunk.com/app/3018) instead. `TA-meraki 1.1.5` requires sourcetype `meraki`.
+
 ## Links
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | |
+| Splunk Add-on | |
 | Product Manual | |
 ## Sourcetypes
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| meraki:accesspoints | None |
-| meraki:securityappliances | None |
-| meraki:switches | None |
-| meraki | None |
+| meraki:accesspoints | Not compliant with Splunk Add-on |
+| meraki:securityappliances | Not compliant with Splunk Add-on |
+| meraki:switches | Not compliant with Splunk Add-on |
+| meraki | Compliant with Splunk Add-on |
 ## Index Configuration
@@ -92,12 +94,4 @@ SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
 SC4S_LISTEN_CISCO_MERAKI-SECURITYAPPLIANCES_UDP_PORT=5005
 SC4S_LISTEN_CISCO_MERAKI-ACCESSPOINTS_UDP_PORT=5006
 SC4S_LISTEN_CISCO_MERAKI-SWITCHES_UDP_PORT=5007
-```
-
-## Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_DEST_CISCO_MERAKI-SECURITYAPPLIANCES_SPLUNK_HEC_FMT | JSON | Restructure data from vendor format to json for splunk destinations set to "NONE" for native format |
-| SC4S_DEST_CISCO_MERAKI-ACCESSPOINTS_SPLUNK_HEC_FMT | JSON | Restructure data from vendor format to json for splunk destinations set to "NONE" for native format |
-| SC4S_DEST_CISCO_MERAKI-SWITCHES_SPLUNK_HEC_FMT | JSON | Restructure data from vendor format to json for splunk destinations set to "NONE" for native format |
\ No newline at end of file
+```
\ No newline at end of file
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
index 15194650ea..6d54b000d5 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
@@ -85,55 +85,4 @@ application app-netsource-cisco_meraki[sc4s-network-source] {
 )
 };
 parser { app-netsource-cisco_meraki(); };
-};
-
-#Destination type formatters
-block parser app-netsource-cisco_meraki-splunk_hec() {
- channel {
- if {
- parser {
- kv-parser(
- prefix(".values.")
- pair-separator(" ")
- template("t_msg_trim")
- );
- };
-
- filter { "${.values.type}" ne ""; };
-
- rewrite{
- set("t_json_values", value(".splunk.sc4s_template"));
- };
- };
- };
-};
-
-application app-netsource-cisco_meraki-splunk_hec[sc4s-lp-dest-format-hec_fmt] {
- filter {
- match('meraki', value('fields.sc4s_vendor') type(string))
- and (
- (
- match('securityappliances', value('fields.sc4s_product') type(string))
- and (
- "`SC4S_DEST_CISCO_MERAKI-SECURITYAPPLIANCES_SPLUNK_HEC_FMT`" eq ""
- or "`SC4S_DEST_CISCO_MERAKI-SECURITYAPPLIANCES_SPLUNK_HEC_FMT`" eq "JSON"
- )
- )
- or (
- match('accesspoints', value('fields.sc4s_product') type(string))
- and (
- "`SC4S_DEST_CISCO_MERAKI-ACCESSPOINTS_SPLUNK_HEC_FMT`" eq ""
- or "`SC4S_DEST_CISCO_MERAKI-ACCESSPOINTS_SPLUNK_HEC_FMT`" eq "JSON"
- )
- )
- or (
- match('switches', value('fields.sc4s_product') type(string))
- and (
- "`SC4S_DEST_CISCO_MERAKI-SWITCHES_SPLUNK_HEC_FMT`" eq ""
- or "`SC4S_DEST_CISCO_MERAKI-SWITCHES_SPLUNK_HEC_FMT`" eq "JSON"
- )
- )
- )
- };
- parser { app-netsource-cisco_meraki-splunk_hec(); };
 };
\ No newline at end of file
From 74f3d3e85e475a1493e1a679395d9effb394212a Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Thu, 28 Mar 2024 12:41:18 +0000
Subject: [PATCH 8/9] Update Meraki docs
---
 docs/sources/vendor/Cisco/cisco_meraki.md | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md
index 791474bd91..a8c2287b9e 100644
--- a/docs/sources/vendor/Cisco/cisco_meraki.md
+++ b/docs/sources/vendor/Cisco/cisco_meraki.md
@@ -3,7 +3,6 @@
 ## Key facts
 * Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message.
 * Because of the above you should either configure known Cisco Meraki hosts in SC4S, or open unique ports for Cisco Meraki devices.
-* Before reading this document see [Cisco Meraki syslog overview and configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration).
 * [Splunk Add-on for Cisco Meraki 2.1.0](https://splunkbase.splunk.com/app/5580) doesn't support syslog. Use [TA-meraki](https://splunkbase.splunk.com/app/3018) instead. `TA-meraki 1.1.5` requires sourcetype `meraki`.
@@ -17,10 +16,10 @@
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| meraki:accesspoints | Not compliant with Splunk Add-on |
-| meraki:securityappliances | Not compliant with Splunk Add-on |
-| meraki:switches | Not compliant with Splunk Add-on |
-| meraki | Compliant with Splunk Add-on |
+| meraki:accesspoints | Not compliant with the Splunk Add-on |
+| meraki:securityappliances | Not compliant with the Splunk Add-on |
+| meraki:switches | Not compliant with the Splunk Add-on |
+| meraki | For all Meraki devices. Compliant with the Splunk Add-on |
 ## Index Configuration
@@ -33,7 +32,7 @@
 ## Parser Configuration
-1. Either by defining all Cisco Meraki hosts in SC4S
+1. Either by defining Cisco Meraki hosts:
 ```c
 #/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf
 #File name provided is a suggestion it must be globally unique
@@ -78,7 +77,7 @@ block parser app-vps-test-cisco_meraki() {
 application app-vps-test-cisco_meraki[sc4s-vps] {
 filter {
- host("^test-")
+ host("^test-meraki-")
 or host("^test-mx-")
 or host("^test-mr-")
 or host("^test-ms-")
@@ -87,7 +86,7 @@ application app-vps-test-cisco_meraki[sc4s-vps] {
 };
 ```
-2. Or by unique port
+2. Or by a unique port:
 ```
 # /opt/sc4s/env_file
 SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
From b8d9b889b286bfcc8d2dbc2d0a59029b14ec0996 Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Thu, 28 Mar 2024 13:54:19 +0000
Subject: [PATCH 9/9] Update Meraki docs
---
 docs/sources/vendor/Cisco/cisco_meraki.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md
index a8c2287b9e..5968fb1924 100644
--- a/docs/sources/vendor/Cisco/cisco_meraki.md
+++ b/docs/sources/vendor/Cisco/cisco_meraki.md
@@ -25,9 +25,9 @@
 | key | sourcetype | index | notes |
 |----------------|----------------|----------------|----------------|
-| cisco_meraki_accesspoints | meraki:accesspoints | netfw | |
-| cisco_meraki_securityappliances | meraki:securityappliances | netfw | |
-| cisco_meraki_switches | meraki:switches | netfw | |
+| meraki_accesspoints | meraki:accesspoints | netfw | |
+| meraki_securityappliances | meraki:securityappliances | netfw | |
+| meraki_switches | meraki:switches | netfw | |
 | cisco_meraki | meraki | netfw | |
@@ -90,7 +90,7 @@ application app-vps-test-cisco_meraki[sc4s-vps] {
 ```
 # /opt/sc4s/env_file
 SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
-SC4S_LISTEN_CISCO_MERAKI-SECURITYAPPLIANCES_UDP_PORT=5005
-SC4S_LISTEN_CISCO_MERAKI-ACCESSPOINTS_UDP_PORT=5006
-SC4S_LISTEN_CISCO_MERAKI-SWITCHES_UDP_PORT=5007
+SC4S_LISTEN_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005
+SC4S_LISTEN_MERAKI_ACCESSPOINTS_UDP_PORT=5006
+SC4S_LISTEN_MERAKI_SWITCHES_UDP_PORT=5007
 ```
\ No newline at end of file