
{
"@timestamp" => 2018-11-14T16:50:01.080Z,
"tags" => [
[0] "Meraki",
[1] "cisco-meraki"
],
"message" => "<134>1 1542214201.058368310 XX_XXX_MX65W flows src=10.130.1.84 dst=10.158.27.1 protocol=udp sport=58110 dport=161 pattern: allow all",
"host" => "10.209.27.1",
"@version" => "1",
"parsing_problem" => "unfamiliar cisco-meraki log_type."
filter {
if "Meraki" in [tags] {
if [log_type] == "flows" {
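grok {
# Parses Cisco Meraki "flows" events into src/dst/proto/port fields.
# This block is only reached inside the enclosing `if [log_type] == "flows"`
# conditional (opened above this block). Nothing in view populates
# [log_type]; the rubydebug event at the top of this page has no such field
# and carries parsing_problem "unfamiliar cisco-meraki log_type.", so an
# upstream stage must extract it from [message] (it is the 4th whitespace
# separated token in the sample lines) or this grok never executes — confirm.
#
# Both patterns are anchored with ^ so grok matches from the start of
# [message] instead of searching for the tokens anywhere inside it. On an
# unauthenticated UDP syslog feed this is cheaper and avoids accepting a
# flows-looking substring embedded in some unrelated payload. %{SYSLOGPROG}
# appears to consume the leading "<PRI>1" header as `program`; the
# remaining tokens follow the sample lines on this page.
# Pattern 1: flows with sport=/dport= (TCP/UDP in the samples).
# Pattern 2: flows with type= instead of ports (presumably ICMP — verify).
# The first pattern that matches wins (grok default break_on_match).
match => [
"message", "^%{SYSLOGPROG} %{BASE10NUM:epoch_time} %{WORD:device} %{WORD:log_event_type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:proto} sport=%{POSINT:sport} dport=%{POSINT:dport} pattern: %{WORD:allowed} %{WORD}",
"message", "^%{SYSLOGPROG} %{BASE10NUM:epoch_time} %{WORD:device} %{WORD:log_event_type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:proto} type=%{POSINT:tport} pattern: %{WORD:allowed} %{WORD}"
]
# remove_field is only applied when one of the patterns matched.
# syslog5424_pri is not produced by these patterns (SYSLOGPROG yields
# program/pid), so it is presumably set by an earlier filter — verify;
# otherwise that entry is a no-op.
remove_field => [ "syslog5424_pri", "@version" ]
}#end [log_type] == flows grok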
<134>1 1542054623.620528045 WA_KIR_MX65W flows src=10.130.1.84 dst=10.158.27.1 protocol=udp sport=54873 dport=161 pattern: allow all
<134>1 1542054626.601322601 WA_KIR_MX65W flows src=10.130.1.84 dst=10.158.27.5 protocol=udp sport=56930 dport=161 pattern: allow all
<134>1 1542054649.514505350 WA_KIR_MX65W flows src=10.130.1.84 dst=10.158.27.5 protocol=udp sport=65303 dport=161 pattern: allow all
<134>1 1542054649.495042529 WA_KIR_MX65W flows src=10.130.1.84 dst=10.158.27.5 protocol=udp sport=65305 dport=161 pattern: allow all
<134>1 1542054657.813423746 WA_KIR_MX65W flows src=10.130.1.84 dst=10.158.27.1 protocol=udp sport=60730 dport=161 pattern: allow all
input {
udp {
# Cisco IOS syslog listener. UDP syslog carries no authentication and the
# source address is trivially spoofable, so anything that can reach this
# port can inject events that downstream filters will trust as Cisco_IOS;
# restrict reachability at the network edge. No `host =>` binding is set,
# so this presumably listens on all interfaces (Logstash default) — confirm.
port => 1514
tags => [ "Cisco_IOS" ]
}
udp {
# Cisco Meraki syslog listener. The "Meraki" tag is what the filter
# section keys on (`if "Meraki" in [tags]`), so every datagram that reaches
# this port is routed into the Meraki grok patterns. UDP syslog is
# unauthenticated and spoofable; the `host` field on the debug event above
# is presumably just the datagram source address, not a verified identity —
# limit which senders can reach this port. No `host =>` binding is set, so
# the listener presumably binds all interfaces (Logstash default) — confirm.
port => 2514
tags => [ "Meraki" ]
#type => "syslog"
}