Connect Cisco MX100 Syslogs to Azure Sentinel
I'm not able to get Syslogs from my Meraki MX100 into Azure Sentinel
I've set up a VM on my LAN and installed the Azure agent. I can see heartbeat messages from the agent in Azure.
I've configured the Meraki to send all available syslog messages to the VM but I can't see those messages in Azure.
Does anyone have any experience in getting syslogs into Azure Sentinel?
I've managed to get this working
I followed your suggestion of replacing rsyslog with syslog-ng. I'm not convinced this was required but hey..
It seems I was sending the syslog data to a log file when I needed to send it to the Azure agent listening on port 25224 on the local machine
As well as adding the details listed under Option 1 in the syslog-ng article you linked to, I also changed the line
destination df_meraki { file("/var/log/meraki.log"); };
to
destination df_meraki { udp("127.0.0.1" port(25224)); };
I found an MS article detailing how to configure syslogs for Azure monitor which pointed me to this line change
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-syslog
First and foremost: are messages received on the agent?
Thanks for replying
I don't know how to tell. I've installed the agent on Ubuntu
ok - this is a snippet from /var/logs/syslog
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.7976] dhcp4 (ens160): option dhcp_lease_time => '86400'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option domain_name_servers => '<IP_redacted>'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option expiry => '1599089654'
Sep 2 00:34:14 SYSLOG NetworkManager[614]: <info> [1599003254.8460] dhcp4 (ens160): option ip_address => '<IP_redacted>'
Does this mean that meraki messages are reaching the agent?
It would be really nice to have some official Meraki documentation on this and other cloud options for syslog storage.
From my understanding you may need to allow port 514 on the NSG on the VM in Azure.
I'm using an on-prem VM
I thought the intent from MS was that the VM was supposed to be in Azure and that handled the queue of events and then pushed them to Sentinel
URL
Any HTTP GET requests will generate a syslog entry.
Example:
Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com
When configuring a SYSLOG data source in Azure you get the option to install on a non Azure machine
I've discovered I'm using rsyslogd but having issues configuring the service to accept messages from the Meraki
Does anyone know how to do this?
If possible to switch to syslog-ng, then you can try this.
If not this should be a good start for rsyslog
Anyone could give me some more troubleshooting hint on this?
I configured my mx and switched to send syslogs to the VM, confirmed it with wireshark, netstat -ano and tcpdump.
So what kind of events will be redirected to Microsoft Sentinel?
I can even see the sentinel heartbeat in the query.
anything I mixed up?
My VM utilizes Debian, but that shouldn’t be an issue.
This is the tcpdump on my VM:
root@LogAnalytics:~# tcpdump -i ens3 port 514
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:27:04.404979 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 171
18:27:04.405020 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 163
18:27:04.405029 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 158
18:27:04.405032 IP my.meraki.net.48496 > LogAnalytics.syslog: SYSLOG local0.info, length: 158
So this seems to work, but in the Microsoft Sentinel panel I got nothing but the Heartbeat:
This is my config.
/etc/opt/microsoft/omsagent/<workspace-id>/conf/omsagent.d/meraki.conf
<source>
type tcp
format none
port 22033
bind 0.0.0.0
delimiter "\n"
tag oms.api.meraki
</source>
<match oms.api.meraki>
type out_oms_api
log_level info
num_threads 5
omsadmin_conf_path /etc/opt/microsoft/omsagent/<workspace-id>/conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent/<workspace-id>/certs/oms.crt
key_path /etc/opt/microsoft/omsagent/<workspace-id>/certs/oms.key
buffer_chunk_limit 10m
buffer_type file
buffer_path /var/opt/microsoft/omsagent/<workspace-id>/state/out_oms_api_meraki*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 30s
retry_limit 10
retry_wait 30s
max_retry_wait 9m
</match>
/etc/rsyslog.d/10-meraki.conf
if $rawmsg contains "flows" then @@127.0.0.1:22033;meraki
& stop
if $rawmsg contains "urls" then @@127.0.0.1:22033;meraki
& stop
if $rawmsg contains "ids-alerts" then @@127.0.0.1:22033;meraki
& stop
if $rawmsg contains "events" then @@127.0.0.1:22033;meraki
& stop
if $rawmsg contains "ip_flow_start" then @@127.0.0.1:22033;meraki
& stop
if $rawmsg contains "ip_flow_end" then @@127.0.0.1:22033;meraki
& stop
And last but not least the first lines of my /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
# Meraki custom stuff
$template meraki,"%timestamp% %hostname% %msg%\n"
What am I missing?
I am not getting any entries in the "meraki_CL" table.
Thanks 🙂
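The following is an added example, not code from this thread, from Cisco Meraki or from Microsoft. It replays the three hops discussed in this thread on 127.0.0.1 so the message format and the forwarding rules can be checked without the MX on the wire: the MX line format reconstructed from the "urls" sample posted earlier (assumption: the MX sends "<PRI>1 <epoch> <device> <type> key=value ..." and the collector prepends its own timestamp and source address), the substring filter and "meraki" template from the /etc/rsyslog.d/10-meraki.conf above, and an agent-side listener in both flavours: a newline-delimited TCP socket like the omsagent source on 22033 in the post above, and a UDP syslog socket like the one on 25224 that the accepted syslog-ng answer forwards to. The port numbers, hostnames, device names and log lines in the script are constructed for the demo; the rendering of %msg% is an approximation of rsyslog's header parsing, not a reimplementation of it.

```python
"""Loopback check for the MX -> syslog daemon -> Azure agent pipeline.

Added example (not from the thread, Meraki or Microsoft). Three hops, all on
127.0.0.1: the MX wire format (assumed: "<PRI>1 <epoch> <device> <type> k=v ..."),
the 10-meraki.conf filter + "%timestamp% %hostname% %msg%" template, and an
agent-style listener (TCP/newline like omsagent on 22033, UDP like 25224).
"""
import socket
import threading

MERAKI_TYPES = ("flows", "urls", "ids-alerts", "events", "ip_flow_start", "ip_flow_end")
LOCAL0_INFO = 16 * 8 + 6  # PRI = facility * 8 + severity: the "local0.info" seen in tcpdump


def build_mx_message(device, log_type, fields, text="", epoch=0.0):
    """Render one line the way the MX is assumed to put it on the wire."""
    body = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"<{LOCAL0_INFO}>1 {epoch:.6f} {device} {log_type} {body} {text}".rstrip()


def parse_mx_message(raw):
    """Split an MX line into facility, severity, epoch, device, type, fields and free text."""
    if not raw.startswith("<") or ">" not in raw:
        raise ValueError("missing <PRI> header")
    pri_str, _, rest = raw[1:].partition(">")
    parts = rest.split(" ", 3)
    if len(parts) < 4 or parts[0] != "1":
        raise ValueError(f"not a Meraki message: {raw!r}")
    _, epoch, device, body = parts
    log_type, _, body = body.partition(" ")
    fields, text = {}, []
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val   # src=192.168.10.3:62526 style pairs
        else:
            text.append(tok)    # free text such as "request: GET http://..."
    pri = int(pri_str)
    return {"facility": pri // 8, "severity": pri % 8, "epoch": float(epoch),
            "device": device, "type": log_type, "fields": fields, "text": " ".join(text)}


def rsyslog_forward(raw, hostname, received_at):
    """Emulate 10-meraki.conf: lines containing one of the six types are rendered
    with the 'meraki' template and forwarded; everything else returns None, i.e.
    falls through to the normal rules because no '& stop' was reached.
    Caveat: 'contains' is a substring match on $rawmsg, so a message whose
    payload merely contains e.g. "events" is forwarded too."""
    if not any(t in raw for t in MERAKI_TYPES):
        return None
    msg = raw.partition(">")[2]  # approximation: rsyslog drops <PRI> before filling %msg%
    return f"{received_at} {hostname} {msg}"


def loopback_exchange(lines, udp=False):
    """Deliver lines to an agent-style listener on 127.0.0.1 and return what arrived."""
    sock_type = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, sock_type)
    srv.bind(("127.0.0.1", 0))  # ephemeral port standing in for 22033 / 25224
    srv.settimeout(3)
    if not udp:
        srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        try:
            if udp:
                for _ in lines:  # one datagram per syslog message
                    received.append(srv.recv(65535).decode())
            else:
                conn, _ = srv.accept()
                with conn:  # omsagent 'type tcp ... delimiter "\n"': read to EOF, split on newline
                    data = b"".join(iter(lambda: conn.recv(4096), b""))
                received.extend(l for l in data.decode().split("\n") if l)
        except socket.timeout:
            pass
        finally:
            srv.close()

    worker = threading.Thread(target=serve)
    worker.start()
    cli = socket.socket(socket.AF_INET, sock_type)
    if udp:
        for line in lines:
            cli.sendto(line.encode(), ("127.0.0.1", port))
    else:
        cli.connect(("127.0.0.1", port))
        cli.sendall("".join(line + "\n" for line in lines).encode())
    cli.close()
    worker.join()
    return received


def sample_messages():
    """Constructed inputs: the thread's 'urls' sample rebuilt on the wire (documentation
    addresses substituted), a constructed 'ids-alerts' line, and a local NetworkManager
    line like the one posted above, which must stay out of the Meraki feed."""
    urls = build_mx_message("MX60", "urls",
                            {"src": "192.168.10.3:62526", "dst": "198.51.100.7:80", "mac": "00:1A:A0:00:00:01"},
                            text="request: GET http://www.meraki.com", epoch=948077314.907556)
    ids = build_mx_message("MX100", "ids-alerts",
                           {"signature": "1:2000001:1", "priority": "2",
                            "src": "203.0.113.5:4444", "dst": "192.168.10.20:22"}, epoch=1599071224.1)
    local = "<30>Sep  2 00:34:14 SYSLOG NetworkManager[614]: <info> dhcp4 (ens160): option dhcp_lease_time => '86400'"
    return [urls, ids, local]


def run_pipeline(raws, udp=False, hostname="LogAnalytics", received_at="Sep  2 18:27:04"):
    """udp=False: the rsyslog post (filter + template, then TCP to the agent).
    udp=True: the syslog-ng answer (MX lines passed through, <PRI> intact, to UDP)."""
    if udp:
        out = [r for r in raws if r.startswith(f"<{LOCAL0_INFO}>1 ")]
    else:
        out = [f for f in (rsyslog_forward(r, hostname, received_at) for r in raws) if f]
    return loopback_exchange(out, udp=udp)


if __name__ == "__main__":
    for line in run_pipeline(sample_messages()):
        print("agent/tcp:", line)
    for line in run_pipeline(sample_messages(), udp=True):
        print("agent/udp:", parse_mx_message(line)["type"])
```

Running it shows what the agent actually receives on each path: on the rsyslog path the two Meraki lines arrive prefixed with the collector's timestamp and hostname (which is what a custom-log table would hold), while the NetworkManager line is not forwarded; on the UDP path the lines keep their <134> priority, so the agent's syslog parser can attribute them to local0.info, the facility the tcpdump output above shows the MX using. Point the listener at the real ports (22033 or 25224) on the collector and send a built message with the same code to separate a daemon-side forwarding problem from an agent-side ingestion problem.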
This is my logger config in the meraki dashboard:
