Connect Cisco MX100 Syslogs to Azure Sentinel

SOLVED
Greg2
Here to help


I'm not able to get Syslogs from my Meraki MX100 into Azure Sentinel

I've set up a VM on my LAN and installed the Azure agent. I can see heartbeat messages from the agent in Azure.

I've configured the Meraki to send all available syslog messages to the VM, but I can't see those messages in Azure.

 

Does anyone have any experience in getting syslogs into Azure Sentinel?

 

 

1 ACCEPTED SOLUTION

I've managed to get this working 

 

I followed your suggestion of replacing rsyslog with syslog-ng. I'm not convinced this was required, but hey..

 

It seems I was sending the syslog data to a log file when I needed to send it to the Azure agent listening on port 25224 on the local machine

 

As well as adding the details listed under Option 1 in the syslog-ng article you linked to, I also changed the line 

 

destination df_meraki { file("/var/log/meraki.log"); };

 

to

 

destination df_meraki { udp("127.0.0.1" port(25224)); };

 

I found an MS article detailing how to configure syslogs for Azure monitor which pointed me to this line change

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-syslog
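The change above replaces a file destination with a UDP destination on the loopback port the agent listens on. The following Python check is an added example, not code from the post: it stands in a listener for that port, sends a constructed Meraki-style line over UDP and returns what arrived. The port constant comes from the post; the sample line and the stand-in listener are assumptions for the demo.

```python
"""Loopback check for the local syslog-ng -> Azure agent hop (UDP to 127.0.0.1:25224).
Added example; not code from the thread. The sample line is constructed."""
import socket

AGENT_PORT = 25224  # port the agent listens on, as stated in the accepted solution

# Constructed Meraki-style urls event (documentation-range addresses, not a capture).
SAMPLE = ("<134>Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls "
          "src=192.168.10.3:62526 dst=198.51.100.7 mac=00:1A:A0:00:00:01 "
          "request: GET http://www.meraki.com")


def send_udp(message: str, host: str = "127.0.0.1", port: int = AGENT_PORT) -> int:
    """Send one datagram the way the udp() destination does; returns bytes sent.
    A successful send proves nothing about a listener: UDP has no handshake, so
    confirm receipt on the agent side (its own log) rather than trusting this value."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(message.encode(), (host, port))


def loopback_roundtrip(message: str, port: int = 0, timeout: float = 2.0) -> str:
    """Bind a stand-in listener on 127.0.0.1 (port 0 = any free port, so the demo
    does not collide with a running agent), send the message to it and return
    what arrived. Use port=AGENT_PORT only while the agent itself is stopped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(timeout)
        bound_port = rx.getsockname()[1]
        send_udp(message, port=bound_port)
        data, _ = rx.recvfrom(65535)
    return data.decode()


if __name__ == "__main__":
    print("loopback delivery ok:", loopback_roundtrip(SAMPLE) == SAMPLE)
```

If the round trip works here but nothing reaches the workspace, the remaining suspects are the agent's own syslog collection settings and facility/severity filters, not the local network hop.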

CptnCrnch
Kind of a big deal

First and foremost: are messages received on the agent?

Thanks for replying

 

I don't know how to tell. I've installed the agent on Ubuntu.

ok - this is a snippet from /var/logs/syslog

 

Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.7976] dhcp4 (ens160): option dhcp_lease_time => '86400'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option domain_name_servers => '<IP_redacted>'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option expiry => '1599089654'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option ip_address => '<IP_redacted>'

 

Does this mean that meraki messages are reaching the agent?

 

SoCalRacer
Kind of a big deal

It would be really nice to have some official Meraki documentation on this and other cloud options for syslog storage.

 

From my understanding you may need to allow port 514 on the NSG on the VM in Azure.

I'm using an on-prem VM

SoCalRacer
Kind of a big deal

I thought the intent from MS was that the VM was supposed to be in Azure and that handled the queue of events and then pushed them to Sentinel

 

https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-the-connectors-grand-cef-syslog...

 

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

URL
Any HTTP GET requests will generate a syslog entry.

 

Example:

Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com

 

When configuring a SYSLOG data source in Azure you get the option to install on a non Azure machine

 


 

I've discovered I'm using rsyslogd but having issues configuring the service to accept messages from the Meraki.

 

Does anyone know how to do this?


MerryAki
Getting noticed

Could anyone give me some more troubleshooting hints on this?

I configured my mx and switched to send syslogs to the VM, confirmed it with wireshark, netstat -ano and tcpdump.

So what kind of events will be redirected to Microsoft Sentinel?

I can even see the sentinel heartbeat in the query.

 

Anything I mixed up?

My VM utilizes Debian, but that shouldn’t be an issue.

MerryAki
Getting noticed

This is the tcpdump on my VM:

root@LogAnalytics:~# tcpdump -i ens3 port 514
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:27:04.404979 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 171
18:27:04.405020 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 163
18:27:04.405029 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 158
18:27:04.405032 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 158

So this seems to work, but in the Microsoft Sentinel panel I got nothing but the Heartbeat:


This is my config.

/etc/opt/microsoft/omsagent/<workspace-id>/conf/omsagent.d/meraki.conf

<source>
  type tcp
  format none
  port 22033
  bind 0.0.0.0
  delimiter "\n"
  tag oms.api.meraki
</source>

<match oms.api.meraki>
  type out_oms_api
  log_level info
  num_threads 5
  omsadmin_conf_path /etc/opt/microsoft/omsagent/<workspace-id>/conf/omsadmin.conf
  cert_path /etc/opt/microsoft/omsagent/<workspace-id>/certs/oms.crt
  key_path /etc/opt/microsoft/omsagent/<workspace-id>/certs/oms.key
  buffer_chunk_limit 10m
  buffer_type file
  buffer_path /var/opt/microsoft/omsagent/<workspace-id>/state/out_oms_api_meraki*.buffer
  buffer_queue_limit 10
  buffer_queue_full_action drop_oldest_chunk
  flush_interval 30s
  retry_limit 10
  retry_wait 30s
  max_retry_wait 9m
</match>

/etc/rsyslog.d/10-meraki.conf

if $rawmsg contains "flows" then @@127.0.0.1:22033;meraki& stop
if $rawmsg contains "urls" then @@127.0.0.1:22033;meraki& stop
if $rawmsg contains "ids-alerts" then @@127.0.0.1:22033;meraki& stop
if $rawmsg contains "events" then @@127.0.0.1:22033;meraki& stop
if $rawmsg contains "ip_flow_start" then @@127.0.0.1:22033;meraki& stop
if $rawmsg contains "ip_flow_end" then @@127.0.0.1:22033;meraki& stop

And last but not least the first lines of my /etc/rsyslog.conf

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Meraki custom stuff
$template meraki,"%timestamp% %hostname% %msg%\n"


What am I missing?
I am not getting any entries in the "meraki_CL" table.

Thanks 🙂

This is my logger config in the meraki dashboard:

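Added example in Python, not code from the thread: it parses lines laid out like the documented `urls` example quoted earlier in the thread and reproduces the forwarding decision of the six `contains` rules in the 10-meraki.conf above, so you can see which lines would be sent to 127.0.0.1:22033 and which stay in the local files. The sample lines are constructed (documentation addresses); the `flows` and `ids-alerts` shapes are assumptions, not Meraki's exact format.

```python
"""Parse Meraki MX syslog lines (layout of the documented urls example) and reproduce
the forwarding decision of the rsyslog rules in /etc/rsyslog.d/10-meraki.conf.
Added example, not code from the thread; sample lines are constructed."""
import re
from typing import Optional

# Keywords from the six "contains" rules, in file order (first match wins, then "stop").
FORWARDED_KEYWORDS = ("flows", "urls", "ids-alerts", "events", "ip_flow_start", "ip_flow_end")

# <MMM dd HH:MM:SS> <relay/host> <version> <epoch.frac> <device> <event type> <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<ver>\d+) "
    r"(?P<epoch>\d+\.\d+) (?P<device>\S+) (?P<etype>\S+) ?(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed samples: the first mirrors the documented example with documentation
# addresses; the flows/ids-alerts shapes are assumptions, not Meraki's exact format.
SAMPLE_LINES = [
    "Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 "
    "dst=198.51.100.7 mac=00:1A:A0:00:00:01 request: GET http://www.meraki.com",
    "Apr 20 14:36:36 192.168.10.1 1 948077315.100000000 MX60 flows src=192.168.10.3 "
    "dst=198.51.100.9 protocol=udp sport=5353 dport=53 pattern: allow all",
    "Apr 20 14:36:37 192.168.10.1 1 948077316.200000000 MX60 ids-alerts priority=2 "
    "direction=ingress protocol=tcp/ip src=203.0.113.5:4444",
]


def parse_meraki_line(line: str) -> Optional[dict]:
    """Split a Meraki syslog line into header fields plus a dict of key=value pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not Meraki-shaped (e.g. a local NetworkManager line)
    rec = m.groupdict()
    rec["epoch"] = float(rec["epoch"])
    rest = rec.pop("rest")
    request = None
    if " request: " in rest:  # urls events carry "request: <METHOD> <URL>" at the end
        rest, request = rest.split(" request: ", 1)
    rec["fields"] = dict(KV_RE.findall(rest))
    if request:
        rec["fields"]["method"], _, rec["fields"]["url"] = request.partition(" ")
    return rec


def rsyslog_route(rawmsg: str) -> Optional[str]:
    """Return the keyword of the first rule that forwards rawmsg to 127.0.0.1:22033,
    or None when no rule matches and the message stays in the local log files.
    Note "contains" matches anywhere in the raw message, not only the event type."""
    for keyword in FORWARDED_KEYWORDS:
        if keyword in rawmsg:
            return keyword
    return None
```

Running the local syslog lines quoted earlier in the thread through rsyslog_route returns None for all of them, which is the expected split: only Meraki event lines should reach the meraki_CL table.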