Support Cisco Meraki (#150)
Ryan Faircloth authored and GitHub committed Oct 15, 2019
1 parent 6c6fb2a commit 2fb4009
Showing 16 changed files with 174 additions and 99 deletions.
1 change: 1 addition & 0 deletions docker-compose.yml
@@ -29,6 +29,7 @@ services:
RH_ORG: ${RH_ORG}
RH_ACTIVATION: ${RH_ACTIVATION}
hostname: sc4s
command: -det
ports:
- "514:514"
- "601:601"
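Review bot: the added `command: -det` line changes the default container command in the shared docker-compose.yml, which reads like a local troubleshooting setting rather than a deployment default; if these are debug/trace flags, the extra output is noisy and can echo raw message content into container logs, so either drop the line or move it to a compose override file and state its purpose in the commit message.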
57 changes: 50 additions & 7 deletions docs/sources.md
@@ -41,12 +41,7 @@ MSG Parse: This filter parses message content

* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
* Follow vendor configuration steps per Product Manual above ensure:
* Log Level is 6 "Informational"
* Protocol is TCP/IP
* permit-hostdown is on
* device-id is hostname and included
* timestamp is included
* Follow vendor configuration steps per Product Manual above

### Options

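Review bot: the five ASA configuration checks removed in this hunk (log level 6 "Informational", TCP/IP transport, permit-hostdown on, device-id set to hostname, timestamp included) are prerequisites for correct ASA parsing and are unrelated to the Meraki change; unless the removal is intended, restore them under the "Follow vendor configuration steps per Product Manual above" bullet.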
@@ -107,7 +102,7 @@ MSG Parse: This filter parses message content

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_JUNIPER_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format |

### Verification
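Review bot: the rename from SC4S_LISTEN_JUNIPER_CISCO_ASA_TCP_PORT to SC4S_LISTEN_CISCO_ASA_TCP_PORT touches only the documentation table; confirm the new name matches the variable the ASA listener template actually reads, since that template is not part of this commit and a mismatch would leave the documented option inert.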
@@ -189,6 +184,54 @@ Use the following search to validate events are present, for NX-OS, WLC and ACI
index=<asconfigured> sourcetype=cisco:ios | stats count by host
```

## Product - Meraki Product Line MR, MS, MX, MV

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/3018/ |
| Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| merkai | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes |


### Filter type

IP, Netmask, Host or Port

### Setup and Configuration

* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
* Follow vendor configuration steps per Product Manual above

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |

### Verification

Use the following search to validate events are present

```
index=<asconfigured> sourcetype=merkai
```

Verify timestamp, and host values match as expected


Verify timestamp, and host values match as expected

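Review bot: the new Meraki section is internally inconsistent on the sourcetype name: the Sourcetypes table and the Verification search use "merkai", while the Sourcetype and Index Configuration table (and the log path added in this commit) use "meraki", so the documented search returns nothing. In the Options table the SC4S_LISTEN_CISCO_MERAKI_UDP_PORT row says "Enable a TCP port", both rows claim RFC5424 format although the parser added here expects an epoch timestamp (the rewrite is even named set_rfc5424_epochtime), and SC4S_LISTEN_CISCO_MERAKI_TLS_PORT, which the template checks, is missing from the table. Also "segmenation" should read "segmentation", and the line "Verify timestamp, and host values match as expected" is duplicated.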
9 changes: 9 additions & 0 deletions package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -4,6 +4,9 @@ filter f_rfc5424_strict{
filter f_rfc5424_noversion{
message('^(?<SYSLOGMSG>(?<HEADER>(?<PRI><\d{1,3}>) ?(?<TIMESTAMP>(?<FULLDATE>(?<FULLDATEYEAR>\d{4})-(?<FULLDATEMONTH>\d\d)-(?<FULLDATEDAY>\d\d))T(?<FULLTIME>(?<PARTIALTIME>(?<TIMEHOUR>[0-2]\d):(?<TIMEMINUTE>[0-5]\d):(?<TIMESECOND>[0-5]\d)(?:.(?<TIMESECFRAC>\d{1,6}))?)(?<TIMEOFFSET>Z|(?<TIMENUMOFFSET>[+\-][0-2]\d:[0-5]\d))))))');
};
filter f_rfc5424_epochtime{
message('^(?<SYSLOGMSG>(?<HEADER>(?<PRI><\d{1,3}>)(?<VERSION>[1-9][0-9]?) (?<TIMESTAMP>(?<EPOCH>\d{10})(?:.(?<TIMESECFRAC>\d{1,9})?)) (?<FROMHOST>[^ ]+) ))');
};
rewrite set_rfcnonconformant{
set("rfc5424_nonconform" value("fields.sc4s_syslog_format"));
};
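Review bot: in f_rfc5424_epochtime the fractional-seconds group `(?:.(?<TIMESECFRAC>\d{1,9})?)` is wrong in two ways: the `.` is unescaped, so any character (including the space before the host) satisfies it, and the outer group is mandatory, so a message whose timestamp has no fractional part, such as `<134>1 1563249630 devicename ...`, can never match because the `.` consumes the space and the following literal space then fails. Write it as `(?:\.(?<TIMESECFRAC>\d{1,9}))?` so the dot is literal and the whole fraction is optional; the neighbouring f_rfc5424_noversion context line carries the same unescaped dot and could be fixed in the same pass.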
@@ -19,6 +22,12 @@ rewrite set_rfc5424_noversion{
filter f_is_rfc5424_noversion{
match("rfc5424_noversion" value("fields.sc4s_syslog_format"))
};
rewrite set_rfc5424_epochtime{
set("rfc5424_epochtime" value("fields.sc4s_syslog_format"));
};
filter f_is_rfc5424_epochtime{
match("rfc5424_epochtime" value("fields.sc4s_syslog_format"))
};
rewrite set_rfc3164{
set("rfc3164" value("fields.sc4s_syslog_format"));
};
22 changes: 22 additions & 0 deletions package/etc/conf.d/filters/cisco/meraki.conf
@@ -0,0 +1,22 @@
# Meraki

filter f_cisco_meraki {
match("cisco_meraki", value("fields.sc4s_vendor_product") type(glob))
};

parser p_cisco_meraki {
channel {
filter {
match(
#'(?<SYSLOGMSG>(?<HEADER>(?<PRI><\d{1,3}>)(?<VERSION>[1-9][0-9]?) (?<TIMESTAMP>(?<EPOCH>\d{10})(?:.(?<TIMESECFRAC>\d{1,9})?)) (?<HOST>[^ ]+ )(?<MESSAGE>.*))'
'(?:(?:<(?<PRI>\d{1,3})>(?<VERSION>[1-9][0-9]?) (?:(?<EPOCH>\d{10})(?:.(?<TIMESECFRAC>\d{1,9})?)) (?<HOST>[^ ]+) )(?<MESSAGE>.*))'
flags(store-matches)
);
};
parser {
date-parser(format('%s')
template("${EPOCH}"));
};
};

};
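Review bot: the match() pattern in p_cisco_meraki is not anchored with `^`, so it can match a `<PRI>` token anywhere inside a message rather than only at the start; it also repeats the `(?:.(?<TIMESECFRAC>\d{1,9})?)` construct from syslog_format.conf, where the unescaped dot and the non-optional group reject epoch timestamps without a fractional part. The commented-out first pattern above the live one is a leftover and should be deleted rather than shipped. Note as well that date-parser is fed only `${EPOCH}`, so the captured TIMESECFRAC is discarded and all events from one second collapse onto the same _time; if sub-second ordering matters for these security events, carry the fraction through or document that it is dropped.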
1 change: 1 addition & 0 deletions package/etc/conf.d/local/context/README.md
@@ -0,0 +1 @@
This file exists to preserve the path for plugin use

40 changes: 0 additions & 40 deletions package/etc/conf.d/local/context/splunk_index.csv

This file was deleted.

37 changes: 0 additions & 37 deletions package/etc/conf.d/local/context/vendor_product_by_source.conf

This file was deleted.

8 changes: 0 additions & 8 deletions package/etc/conf.d/local/context/vendor_product_by_source.csv

This file was deleted.
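Review bot: with splunk_index.csv, vendor_product_by_source.conf and vendor_product_by_source.csv removed from package/etc/conf.d/local/context (only the README placeholder remains), the Setup step in docs/sources.md that tells users to "Review and update the splunk_index.csv file" no longer points at a shipped file; state where users are expected to supply their local copy, or reference the package/etc/context_templates versions updated in this commit.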

@@ -0,0 +1,42 @@
# Checkpoint Splunk format
{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT") "no") "no") }}
{{ $context := dict "port_id" "CISCO_MERAKI" "parser" "common" }}
{{ tmpl.Exec "t/source_network.t" $context }}
{{- end -}}
{{ define "log_path" }}
log {
{{- if eq (.) "yes"}}
source(s_default-ports);
filter(f_cisco_meraki);
{{- end}}
{{- if eq (.) "no"}}
source (s_dedicated_port_CISCO_MERAKI);
{{- end}}

#parser {
# kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
# date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}));
#
# };

#rewrite { set("${.kv.hostname}", value("HOST")); };

rewrite { r_set_splunk_dest_default(sourcetype("meraki"), index("netfw"), template("t_hdr_msg"))};
parser {p_add_context_splunk(key("cisco_meraki")); };



parser (compliance_meta_by_source);

destination(d_hec); #--HEC--

flags(flow-control);
};
{{- end}}
{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT") "no") "no") }}
# Listen on the specified dedicated port(s) for CISCO_MERAKI traffic
{{ tmpl.Exec "log_path" "no" }}
{{- end}}

# Listen on the default port (typically 514) for CISCO_MERAKI traffic
{{ tmpl.Exec "log_path" "yes" }}
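Review bot: this log path was cloned from the Checkpoint template and still carries that origin: the header comment says "Checkpoint Splunk format", and the commented-out kv-parser, date-parser and hostname rewrite block is dead code that should be removed instead of shipped. The `$context` dict passes `"parser" "common"`, yet go_templates/source_network.t gains a `cisco_meraki_parser` branch in this same commit; as written that branch is unreachable from this log path, so either pass `cisco_meraki_parser` here or drop the branch. The template also honours SC4S_LISTEN_CISCO_MERAKI_TLS_PORT, which docs/sources.md does not document, and the three blank lines before `parser (compliance_meta_by_source);` can go.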
3 changes: 3 additions & 0 deletions package/etc/conf.d/sources/network.conf.tmpl
@@ -82,6 +82,9 @@ source s_default-ports {
} elif {
parser {cisco-parser()};
rewrite(set_cisco_ios);
} elif {
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
} else {
parser {
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
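Review bot: the new `elif` branch has no explicit filter of its own; Meraki traffic is selected only because p_cisco_meraki's internal match() fails for everything else. That works, but every message reaching this point runs the full PCRE before falling through to the `else` branch, and the same branch list is now maintained twice (here and in go_templates/source_network.t); consider a cheap header check, such as `<PRI>1 ` followed by a 10-digit epoch, and keeping the chain in one place. Messages that arrive behind a relay header (the commented `<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 ...` sample in the test) will not match and will land in the generic syslog-parser branch with the wrong timestamp.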
4 changes: 4 additions & 0 deletions package/etc/context_templates/vendor_product_by_source.conf
@@ -1,5 +1,9 @@
@version: 3.24

filter f_cisco_meraki {
host("testcm-*" type(glob)) or
netmask(192.168.100.1/24)
};
filter f_test_test {
host("testvp-*" type(glob)) or
netmask(192.168.100.1/24)
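Review bot: the example f_cisco_meraki filter uses the same `netmask(192.168.100.1/24)` as the existing f_test_test filter below it, so any sender in that subnet matches both and the vendor_product assigned depends on evaluation order in vendor_product_by_source.csv; give the template a distinct placeholder subnet, or ship only the `host("testcm-*")` glob, so users copying it do not inherit an overlap.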
1 change: 1 addition & 0 deletions package/etc/context_templates/vendor_product_by_source.csv
@@ -1,4 +1,5 @@
f_test_test,sc4s_vendor_product,"test_test"
f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
f_juniper_nsm,sc4s_vendor_product,"juniper_nsm"
f_juniper_nsm_idp,sc4s_vendor_product,"juniper_nsm_idp"
f_juniper_idp,sc4s_vendor_product,"juniper_idp"
6 changes: 6 additions & 0 deletions package/etc/go_templates/source_network.t
@@ -74,6 +74,9 @@ source s_dedicated_port_{{ .port_id}} {
{{- else if eq .parser "cisco_parser" }}
parser {cisco-parser()};
rewrite(set_cisco_ios);
{{- else if eq .parser "cisco_meraki_parser" }}
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
{{- else if eq .parser "rfc3164" }}
parser {
syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
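Review bot: the new `cisco_meraki_parser` branch is never selected, because the Meraki log path template in this commit builds its context with `"parser" "common"`; either pass `cisco_meraki_parser` from that template so dedicated-port traffic skips the generic chain, or remove this branch to avoid an untested code path.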
@@ -96,6 +99,9 @@ source s_dedicated_port_{{ .port_id}} {
} elif {
parser {cisco-parser()};
rewrite(set_cisco_ios);
} elif {
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
} else {
parser {
syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
35 changes: 35 additions & 0 deletions tests/test_cisco_meraki.py
@@ -0,0 +1,35 @@
# Copyright 2019 Splunk, Inc.
#
# Use of this source code is governed by a BSD-2-clause-style
# license that can be found in the LICENSE-BSD2 file or at
# https://opensource.org/licenses/BSD-2-Clause
import random

from jinja2 import Environment

from .sendmessage import *
from .splunkutils import *

env = Environment(extensions=['jinja2_time.TimeExtension'])

#<134>1 1563249630.774247467 devicename security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection
def test_cisco_meraki_security_event(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string(
"{{ mark }}1 {% now 'utc', '%s' %}.123456789 testcm-{{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={% now 'utc', '%s' %}.123456 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n")
message = mt.render(mark="<134>", host=host)

sendsingle(message)

st = env.from_string("search index=netfw host=\"testcm-{{ host }}\" sourcetype=\"meraki\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1
#<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up
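Review bot: the test only asserts `resultCount == 1`, so it proves the event was indexed under host testcm-* and sourcetype meraki but not that the epoch timestamp was parsed; add an assertion on `_time` (the rendered message carries `{% now 'utc', '%s' %}.123456789`, so the expected value is known at render time), otherwise a fallback to the generic syslog-parser would pass unnoticed. The second sample left as a trailing comment (`<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events ...`) has a relay-prepended header and will not match p_cisco_meraki; either add a test that states the expected behaviour for it or drop the comment. The wildcard imports from .sendmessage and .splunkutils hide where sendsingle and splunk_single come from; import them by name.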
