Meraki

Community

Is anyone pulling Firewall hits from the MX syslog output

Solved
PaulHenry
Here to help
‎Apr 29 2019 6:40 AM
‎Apr 29 2019 6:40 AM

Is anyone pulling Firewall hits from the MX syslog output

I am pulling firewall hits out of of the syslog output and then loading to Excel for analysis.

 

The MX logs go to a Linux syslog server and then I use awk to process and format the hits on the rules.

 

I plan to summarize the results and send it out via email to our security team.

 

This is really helpful when we get a call asking if the firewall is blocking traffic.  I can quickly tell whether they are hitting a rule, and which rule they are hitting.

 

Is anyone doing anything like this?

 

 

1 Accepted Solution
In response to NolanHerring
Haydn
Getting noticed
‎Apr 30 2019 2:44 AM
‎Apr 30 2019 2:44 AM

@NolanHerring 

 

This pic doesn't have have the firewall hits but you get the jist (has other MX logs)...

 

LogRhythm.JPG

 

You can change the charts to other chart types if that takes your fancy and you can put any data into the charts that the log contains. LogRhythm has built in parsing for the Meraki Syslog so that's convenient! 

You can also generate reports as you'd expect which would look like @PaulHenry's or add the charts to it.

View solution in original post

8 Replies 8
Haydn
Getting noticed
‎Apr 29 2019 6:43 AM
‎Apr 29 2019 6:43 AM

We just output ours to our SIEM solution (LogRhythm) which then displays the data nicely

In response to Haydn
PaulHenry
Here to help
‎Apr 29 2019 6:51 AM
‎Apr 29 2019 6:51 AM

Haydn,  Thanks for the quick reply.

 

This a sample of the output that I get from my scripts.  Can you get something similar from LogRhythm?  It took me some time to figure out how to cut the correct columns from the syslog output.

 

countprotocolSource IPDest IPDest Portallow/denyRule
69protocol=tcpsrc=10.1.100.134dst=10.1.201.101dport=8443allowtcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.100.0/24)
13811protocol=tcpsrc=10.1.200.10dst=10.1.201.100dport=8080allowtcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.200.0/24)
5315protocol=tcpsrc=10.1.200.10dst=10.1.201.101dport=8443allowtcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.200.0/24)
In response to Haydn
NolanHerring
Kind of a big deal
‎Apr 29 2019 6:54 AM
‎Apr 29 2019 6:54 AM

@Haydn 

Which syslog output is it for seeing that? Security Events?
Also, could you provide a picture of what that looks like? Curious 😃

Thanks !

Nolan Herring | nolanwifi.com
TwitterLinkedIn
In response to NolanHerring
PaulHenry
Here to help
‎Apr 29 2019 7:18 AM
‎Apr 29 2019 7:18 AM

@NolanHerring 

This is a line of output from the MX250 log:

2019-04-29T10:13:45.512222-04:00 alb-mx250 1556547225.512287760 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=A0:3D:6F:C7:
70:11 protocol=tcp sport=60935 dport=80 pattern: allow (dst 10.1.3.0/24 || dst 10.1.5.0/24 || dst 10.1.10.0/24 || dst 10.1.100.0/24
|| dst 10.1.250.0/24 || dst 10.2.100.0/24 || dst 10.3.100.0/24) && (src 10.1.3.0/24 || src 10.1.5.0/24 || src 10.1.10.0/24 || src 10
.1.100.0/24 || src 10.1.250.0/24 || src 10.2.100.0/24 || src 10.3.100.0/24)

 

I parse, chop and summarize this into a report.

0 Kudos
In response to NolanHerring
Haydn
Getting noticed
‎Apr 30 2019 2:44 AM
‎Apr 30 2019 2:44 AM

@NolanHerring 

 

This pic doesn't have have the firewall hits but you get the jist (has other MX logs)...

 

LogRhythm.JPG

 

You can change the charts to other chart types if that takes your fancy and you can put any data into the charts that the log contains. LogRhythm has built in parsing for the Meraki Syslog so that's convenient! 

You can also generate reports as you'd expect which would look like @PaulHenry's or add the charts to it.

In response to Haydn
PaulHenry
Here to help
‎Apr 30 2019 4:53 AM
‎Apr 30 2019 4:53 AM

Wow!  That looks great.  I enjoy using my 30-year-old awk, grep and regex skills, but I want to put something more robust in place.  I will look at LogRhythm.

 

One last question:  Where do you store your logs?

 

Thanks,

 

 

0 Kudos
In response to PaulHenry
Haydn
Getting noticed
‎Apr 30 2019 5:45 AM
‎Apr 30 2019 5:45 AM

Our LogRhythm appliance is physical so all logs get sent to that 🙂 

0 Kudos
hockeydude
Getting noticed
‎Apr 29 2019 10:54 AM
‎Apr 29 2019 10:54 AM

splunk

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.