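# Logstash filter stage for Cisco Meraki syslog events.
#
# Expects upstream stages to have tagged Meraki events with "Meraki" and set
# [log_type]. Only the "flows" log_type is parsed here; any other Meraki
# log_type is marked with a [parsing_problem] field so it can be spotted
# downstream instead of silently passing through unparsed.
filter {
  if "Meraki" in [tags] {
    if [log_type] == "flows" {
      # Two message shapes are handled: flows with sport=/dport= (TCP/UDP
      # style) and flows with a single type= field (presumably ICMP-like
      # protocols; verify against real events). If neither pattern matches,
      # grok tags the event with _grokparsefailure and the remove_field
      # below does not run.
      grok {
        match => [
          "message", "%{SYSLOGPROG} %{BASE10NUM:epoch_time} %{WORD:device} %{WORD:log_event_type} (src=)%{IP:src_ip} (dst=)%{IP:dst_ip} (protocol=)%{WORD:proto} (sport=)%{POSINT:sport} (dport=)%{POSINT:dport} (pattern: )%{WORD:allowed} %{WORD}",
          "message", "%{SYSLOGPROG} %{BASE10NUM:epoch_time} %{WORD:device} %{WORD:log_event_type} (src=)%{IP:src_ip} (dst=)%{IP:dst_ip} (protocol=)%{WORD:proto} (type=)%{POSINT:tport} (pattern: )%{WORD:allowed} %{WORD}"
        ]
        remove_field => [ "syslog5424_pri", "@version" ]
      }
      mutate {
        # remove_field => [ "host"]
        # For inbound flows the firewall sometimes emits 0/1 instead of
        # allowed/denied in the "pattern:" position. gsub is a regex
        # substitution, so the patterns are anchored (^...$): an unanchored
        # "1" or "0" would rewrite any digit inside the value rather than
        # replacing the whole value, producing garbage like "deniedallowed".
        gsub => [
          "allowed", "^1$", "denied",
          "allowed", "^0$", "allowed"
        ]
        # Severity informational. NOTE(review): this is the syslog severity
        # only, not a full PRI (facility*8+severity) — confirm downstream
        # consumers expect that.
        add_field => {"syslog_pri" => "6"}
      }
    }
    else {
      # Unknown Meraki log_type: leave the event intact but flag it.
      mutate {
        add_field => { "parsing_problem" => "unfamiliar cisco-meraki log_type." }
      }
    }
  }
  # Tag every event that passed through this filter, Meraki-tagged or not.
  mutate {
    add_tag => ["cisco-meraki"]
    # Do not keep credentials in pipeline config, even commented out — this
    # file is published. If an output needs a token, read it from the
    # Logstash keystore or the environment instead, e.g.:
    # add_field => { "token" => "${MERAKI_TOKEN}" }   # <env var name: example>
  }
}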