Is anyone pulling Firewall hits from the MX syslog output

Solved
PaulHenry
Here to help

I am pulling firewall hits out of the syslog output and then loading them into Excel for analysis.

 

The MX logs go to a Linux syslog server and then I use awk to process and format the hits on the rules.

 

I plan to summarize the results and send it out via email to our security team.

 

This is really helpful when we get a call asking if the firewall is blocking traffic.  I can quickly tell whether they are hitting a rule, and which rule they are hitting.

 

Is anyone doing anything like this?

 

 

8 Replies
Haydn
Getting noticed

We just output ours to our SIEM solution (LogRhythm) which then displays the data nicely

PaulHenry
Here to help

Haydn,  Thanks for the quick reply.

 

This is a sample of the output that I get from my scripts.  Can you get something similar from LogRhythm?  It took me some time to figure out how to cut the correct columns from the syslog output.

 

count  protocol      Source IP         Dest IP           Dest Port   allow/deny  Rule
69     protocol=tcp  src=10.1.100.134  dst=10.1.201.101  dport=8443  allow       tcp && (dst 10.1.201.0/24) && (dstport 8080 || dstport 8443) && (src 10.1.100.0/24)
13811  protocol=tcp  src=10.1.200.10   dst=10.1.201.100  dport=8080  allow       tcp && (dst 10.1.201.0/24) && (dstport 8080 || dstport 8443) && (src 10.1.200.0/24)
5315   protocol=tcp  src=10.1.200.10   dst=10.1.201.101  dport=8443  allow       tcp && (dst 10.1.201.0/24) && (dstport 8080 || dstport 8443) && (src 10.1.200.0/24)
NolanHerring
Kind of a big deal

@Haydn 

Which syslog output is it for seeing that? Security Events?
Also, could you provide a picture of what that looks like? Curious 😃

Thanks !

Nolan Herring | nolanwifi.com
PaulHenry
Here to help

@NolanHerring 

This is a line of output from the MX250 log:

2019-04-29T10:13:45.512222-04:00 alb-mx250 1556547225.512287760 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=A0:3D:6F:C7:70:11 protocol=tcp sport=60935 dport=80 pattern: allow (dst 10.1.3.0/24 || dst 10.1.5.0/24 || dst 10.1.10.0/24 || dst 10.1.100.0/24 || dst 10.1.250.0/24 || dst 10.2.100.0/24 || dst 10.3.100.0/24) && (src 10.1.3.0/24 || src 10.1.5.0/24 || src 10.1.10.0/24 || src 10.1.100.0/24 || src 10.1.250.0/24 || src 10.2.100.0/24 || src 10.3.100.0/24)

 

I parse, chop and summarize this into a report.
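As an added example (not the original poster's script and not Meraki code), here is the parse-chop-summarize step done in POSIX shell and awk on lines shaped like the MX250 line above. It relies only on the fields visible in that line (src=, dst=, protocol=, dport=, and the action plus rule text that follows "pattern:"). The sample input is constructed for the example: the first line is modelled on the posted one, and the repeated flow, the "deny all" line and the non-flows noise line are invented.

```sh
#!/bin/sh
# Added example (not the original poster's script, not Meraki code): summarize
# Meraki MX "flows" syslog lines by count, protocol, src, dst, dport, action
# and the rule text that matched, the way the thread describes doing with awk.
# Only the fields visible in the posted MX250 line are relied on.

# Constructed sample input. Line 1 is modelled on the line posted in the thread;
# the repeat, the "deny all" line and the non-"flows" line are invented.
MX_SAMPLE_LOG='2019-04-29T10:13:45.512222-04:00 alb-mx250 1556547225.512287760 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=A0:3D:6F:C7:70:11 protocol=tcp sport=60935 dport=80 pattern: allow (dst 10.1.3.0/24 || dst 10.1.100.0/24) && (src 10.2.100.0/24)
2019-04-29T10:13:46.100000-04:00 alb-mx250 1556547226.100000000 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=A0:3D:6F:C7:70:11 protocol=tcp sport=60936 dport=80 pattern: allow (dst 10.1.3.0/24 || dst 10.1.100.0/24) && (src 10.2.100.0/24)
2019-04-29T10:13:47.200000-04:00 alb-mx250 1556547227.200000000 MENANDS_MX1 flows src=10.2.100.50 dst=10.1.201.101 mac=A0:3D:6F:C7:70:12 protocol=udp sport=51000 dport=161 pattern: deny all
2019-04-29T10:13:48.300000-04:00 alb-mx250 1556547228.300000000 MENANDS_MX1 events type=constructed_noise msg=not-a-flow-record'

# summarize_mx_flows: stdin = raw syslog lines, stdout = one tab-separated row per
# distinct (protocol, src, dst, dport, action, rule) tuple, highest count first:
#   count  protocol  src  dst  dport  action  rule
summarize_mx_flows() {
    awk '
    # Only firewall flow records; other MX log types on the same feed are skipped.
    / flows src=/ {
        src = dst = proto = dport = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)           src   = substr($i, 5)
            else if ($i ~ /^dst=/)      dst   = substr($i, 5)
            else if ($i ~ /^protocol=/) proto = substr($i, 10)
            else if ($i ~ /^dport=/)    dport = substr($i, 7)   # no dport on icmp: stays "-"
        }
        # Everything after "pattern: " is "<action> <rule text>", e.g.
        # "allow (dst ...) && (src ...)" or "deny all". The rule is kept verbatim
        # so the report shows which rule matched, not just that something did.
        p = index($0, "pattern: ")
        if (p == 0) next
        rest   = substr($0, p + 9)
        sp     = index(rest, " ")
        action = sp ? substr(rest, 1, sp - 1) : rest
        rule   = sp ? substr(rest, sp + 1)    : "-"
        hits[proto "\t" src "\t" dst "\t" dport "\t" action "\t" rule]++
    }
    END { for (k in hits) print hits[k] "\t" k }
    ' | sort -k1,1nr
}

# Stand-alone run: print the summary for the constructed sample.
printf '%s\n' "$MX_SAMPLE_LOG" | summarize_mx_flows
```

Pipe the real syslog file in instead of the sample (`summarize_mx_flows < /var/log/meraki.log > hits.tsv`) and the tab-separated output opens directly in Excel. To answer "is the firewall blocking host X", grep the output for the destination and read the action and rule columns. Two caveats: counts are log lines, so they measure logged flow records rather than packets, and the action is taken to be the first token after "pattern:", which holds for the posted line and for the constructed "deny all" case but should be checked against your own MX's deny entries before trusting a report built on it.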

Haydn
Getting noticed (Accepted Solution)

@NolanHerring 

 

This pic doesn't have the firewall hits but you get the gist (has other MX logs)...

 

[image: LogRhythm.JPG]

 

You can change the charts to other chart types if that takes your fancy, and you can put any data into the charts that the log contains. LogRhythm has built-in parsing for the Meraki syslog, so that's convenient!

You can also generate reports as you'd expect which would look like @PaulHenry's or add the charts to it.

PaulHenry
Here to help

Wow!  That looks great.  I enjoy using my 30-year-old awk, grep and regex skills, but I want to put something more robust in place.  I will look at LogRhythm.

 

One last question:  Where do you store your logs?

 

Thanks,

 

 

Haydn
Getting noticed

Our LogRhythm appliance is physical so all logs get sent to that 🙂 

hockeydude
Getting noticed

Splunk
