
Is anyone pulling Firewall hits from the MX syslog output

SOLVED
Here to help

Is anyone pulling Firewall hits from the MX syslog output

I am pulling firewall hits out of the syslog output and then loading them into Excel for analysis.

 

The MX logs go to a Linux syslog server and then I use awk to process and format the hits on the rules.

 

I plan to summarize the results and send it out via email to our security team.

 

This is really helpful when we get a call asking if the firewall is blocking traffic.  I can quickly tell whether they are hitting a rule, and which rule they are hitting.

 

Is anyone doing anything like this?

 

 

Getting noticed

Re: Is anyone pulling Firewall hits from the MX syslog output

We just output ours to our SIEM solution (LogRhythm) which then displays the data nicely

Here to help

Re: Is anyone pulling Firewall hits from the MX syslog output

Haydn,  Thanks for the quick reply.

 

This is a sample of the output that I get from my scripts.  Can you get something similar from LogRhythm?  It took me some time to figure out how to cut the correct columns from the syslog output.

 

count   protocol      Source IP         Dest IP           Dest Port   allow/deny   Rule
69      protocol=tcp  src=10.1.100.134  dst=10.1.201.101  dport=8443  allow        tcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.100.0/24)
13811   protocol=tcp  src=10.1.200.10   dst=10.1.201.100  dport=8080  allow        tcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.200.0/24)
5315    protocol=tcp  src=10.1.200.10   dst=10.1.201.101  dport=8443  allow        tcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.200.0/24)
Kind of a big deal

Re: Is anyone pulling Firewall hits from the MX syslog output

@Haydn 

Which syslog output is it for seeing that? Security Events?
Also, could you provide a picture of what that looks like? Curious 😃

Thanks !

Nolan Herring | nolanwifi.com
Here to help

Re: Is anyone pulling Firewall hits from the MX syslog output

@NolanHerring 

This is a line of output from the MX250 log:

2019-04-29T10:13:45.512222-04:00 alb-mx250 1556547225.512287760 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=A0:3D:6F:C7:70:11 protocol=tcp sport=60935 dport=80 pattern: allow (dst 10.1.3.0/24 || dst 10.1.5.0/24 || dst 10.1.10.0/24 || dst 10.1.100.0/24 || dst 10.1.250.0/24 || dst 10.2.100.0/24 || dst 10.3.100.0/24) && (src 10.1.3.0/24 || src 10.1.5.0/24 || src 10.1.10.0/24 || src 10.1.100.0/24 || src 10.1.250.0/24 || src 10.2.100.0/24 || src 10.3.100.0/24)

 

I parse, chop and summarize this into a report.

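The parse-chop-summarize step described in this post, producing the same kind of count / protocol / src / dst / dport / allow-deny / rule table shown earlier in the thread, written out as an added Python example. It is not the poster's awk script and not Meraki code: the sample log lines, addresses and MACs are constructed in the layout of the MX250 line quoted above, and the "pattern: deny all" line and the "urls" line (a non-flow event that must be skipped) are assumptions about other event shapes, not lines from this thread.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MX "flows" line quoted in the thread (hypothetical
# hosts/MACs). The "deny all" and "urls" lines are assumed shapes, added to show a deny hit and
# a non-flow event being ignored; they are not taken from the thread.
SAMPLE_LOG = """\
2019-04-29T10:13:45.512222-04:00 alb-mx250 1556547225.512287760 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=00:11:22:33:44:55 protocol=tcp sport=60935 dport=80 pattern: allow (dst 10.1.100.0/24) && (src 10.2.100.0/24)
2019-04-29T10:13:46.001000-04:00 alb-mx250 1556547226.001000000 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=00:11:22:33:44:55 protocol=tcp sport=60936 dport=80 pattern: allow (dst 10.1.100.0/24) && (src 10.2.100.0/24)
2019-04-29T10:13:47.250000-04:00 alb-mx250 1556547227.250000000 MENANDS_MX1 flows src=10.2.100.77 dst=10.1.100.144 mac=00:11:22:33:44:66 protocol=tcp sport=51000 dport=445 pattern: deny all
2019-04-29T10:13:48.000000-04:00 alb-mx250 1556547228.000000000 MENANDS_MX1 urls src=10.2.100.24 dst=192.0.2.10 mac=00:11:22:33:44:55 request: GET http://example.com/
"""

# "flows" is followed by key=value fields, then "pattern: <allow|deny> <rule text>".
FLOW_RE = re.compile(
    r"\bflows\s+(?P<fields>(?:\w+=\S+\s+)+)pattern:\s+(?P<action>allow|deny)\s*(?P<rule>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# The columns of the summary table (after the count).
KEY = ("protocol", "src", "dst", "dport", "action", "rule")


def parse_flow_line(line):
    """Return the firewall-relevant fields of one 'flows' line, or None for any other event."""
    m = FLOW_RE.search(line.rstrip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "protocol": fields.get("protocol", "?"),
        "src": fields.get("src", "?"),
        "dst": fields.get("dst", "?"),
        "dport": fields.get("dport", "?"),
        "action": m.group("action"),
        # Collapse whitespace so the same rule always yields the same key.
        "rule": " ".join(m.group("rule").split()),
    }


def summarize_hits(lines):
    """Count identical (protocol, src, dst, dport, action, rule) tuples.

    Returns rows as (count, protocol, src, dst, dport, action, rule), busiest first.
    """
    counts = Counter()
    for line in lines:
        rec = parse_flow_line(line)
        if rec:
            counts[tuple(rec[k] for k in KEY)] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(n,) + key for key, n in ordered]


def format_table(rows):
    """Render the rows as a column-aligned plain-text table with a header."""
    header = ("count",) + KEY
    table = [header] + [tuple(str(c) for c in r) for r in rows]
    widths = [max(len(r[i]) for r in table) for i in range(len(header))]
    return "\n".join(
        "  ".join(c.ljust(w) for c, w in zip(r, widths)).rstrip() for r in table
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python mx_hits.py /var/log/meraki.log (path is an example)
        with open(sys.argv[1]) as fh:
            rows = summarize_hits(fh)
    else:
        rows = summarize_hits(SAMPLE_LOG.splitlines())
    print(format_table(rows))
```

Run it against the syslog file on the collector and the output is the table to paste into Excel or into the email to the security team; a deny row with a high count on a single destination port is the quickest answer to "is the firewall blocking us, and on which rule".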
Conversationalist

Re: Is anyone pulling Firewall hits from the MX syslog output

splunk

Getting noticed

Re: Is anyone pulling Firewall hits from the MX syslog output

@NolanHerring 

 

This pic doesn't have the firewall hits but you get the gist (has other MX logs)...

 

LogRhythm.JPG

 

You can change the charts to other chart types if that takes your fancy and you can put any data into the charts that the log contains. LogRhythm has built in parsing for the Meraki Syslog so that's convenient! 

You can also generate reports as you'd expect which would look like @PaulHenry's or add the charts to it.

Here to help

Re: Is anyone pulling Firewall hits from the MX syslog output

Wow!  That looks great.  I enjoy using my 30-year-old awk, grep and regex skills, but I want to put something more robust in place.  I will look at LogRhythm.

 

One last question:  Where do you store your logs?

 

Thanks,

 

 

Getting noticed

Re: Is anyone pulling Firewall hits from the MX syslog output

Our LogRhythm appliance is physical so all logs get sent to that 🙂 
