Query Details

Meraki Conf2

Query

input {
  file {
    path => "/var/log/meraki.log"
  }
}
filter {
  grok {
    # Each match entry below is merged into one ordered list of patterns for "message";
    # grok tries them top to bottom and stops at the first one that matches.
    #--- urls (content filtering / HTTP request events) ---
    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:devicename} %{WORD:type} src=%{IP:src_ip}:%{INT:src_port} dst=%{IP:dst_ip}:%{INT:dst_port} mac=%{MAC:mac_address} request: %{WORD:request_type} %{URI:uri}" ]

    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:devicename} %{WORD:type} src=%{IP:src_ip}:%{INT:src_port} dst=%{IP:dst_ip}:%{INT:dst_port} mac=%{MAC:mac_address} agent=%{WORD:agent} request: %{WORD:request_type} %{URI:uri}" ]

    # The quoted-agent form. The original carried a stray leading "%%{", which would have required a literal "%"
    # at the start of every line and so never matched.
    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host} %{BASE16FLOAT:epoch_time} %{WORD:devicename} %{WORD:type} src=%{IP:src_ip}:%{INT:src_port} dst=%{IP:dst_ip}:%{INT:dst_port} mac=%{MAC:mac_address} agent='%{GREEDYDATA:agent}' request: %{WORD:request_type} %{URI:uri}" ]

    #--- flows carrying NAT translation fields (no devicename token in these lines) ---
    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} sport=%{INT:src_port} dport=%{INT:dst_port} translated_src_ip=%{IP:translated_src_ip} translated_port=%{INT:translated_port}" ]

    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} sport=%{INT:src_port} dport=%{INT:dst_port} translated_dst_ip=%{IP:translated_dst_ip} translated_port=%{INT:translated_port}" ]

    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} translated_dst_ip=%{IP:translated_dst_ip}" ]

    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} translated_src_ip=%{IP:translated_src_ip}" ]

    #--- events that end in a rule "pattern: ..." ---
    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:devicename} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} sport=%{INT:src_port} dport=%{INT:dst_port} pattern: %{GREEDYDATA:pattern}" ]

    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:devicename} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} mac=%{MAC:mac_address} protocol=%{WORD:protocol} sport=%{INT:src_port} dport=%{INT:dst_port} pattern: %{GREEDYDATA:pattern}" ]

    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:devicename} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} mac=%{MAC:mac_address} protocol=%{WORD:protocol} type=%{INT:protocol_type} pattern: %{GREEDYDATA:pattern}" ]

    match => [ "message", "%{CISCOTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{BASE16FLOAT:epoch_time} %{WORD:devicename} %{WORD:type} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} type=%{INT:protocol_type} pattern: %{GREEDYDATA:pattern}" ]

    #--- catch-all: any other Meraki event type, keeping the rest of the line in "contents" ---
    match => [ "message", "%{SYSLOGTIMESTAMP:ciscotimestamp} %{SYSLOGHOST:host}  %{NUMBER:epoch_time} %{WORD:hostname} (?<log_type>[a-zA-Z0-9\-]+)([ ])?%{GREEDYDATA:contents}" ]
    # The file input already sets "host" to the Logstash machine; replace it with the host parsed from the syslog header.
    overwrite => "host"
  }
  mutate {
    add_field => { "device_type" => "cisco-meraki" }
  }
  date {
    # epoch_time holds UNIX seconds with a fractional part. Fields listed in remove_field
    # are only dropped when the date parse succeeds.
    match => [ "epoch_time", "UNIX" ]
    target => "@timestamp"
    remove_field => [ "ciscotimestamp", "epoch_time" ]
  }
}
output {
  microsoft-logstash-output-azure-loganalytics {
    workspace_id => "<yourID>"
    workspace_key => "<yourWorkspaceKey>"
    custom_log_table_name => "CiscoMeraki"
    key_names => ['host','devicename','type','hostname','src_ip','log_type','contents','dst_ip','src_port','dst_port','protocol','mac_address','request_type','uri','translated_src_ip','translated_dst_ip','pattern','translated_port','agent','message','@timestamp']
  }
  stdout {}
}

Explanation

This Logstash pipeline reads a log file written by a Cisco Meraki device. The grok filter holds a list of patterns for the "message" field, one per log line shape (URL requests with and without a user agent, flows carrying NAT translation fields, events ending in a rule "pattern: ...", and a final catch-all that keeps the remainder of any other line in "contents"); the patterns are tried in the order listed and the first one that matches sets fields such as the syslog timestamp, reporting host, device name, event type, IP addresses, ports, MAC address, request type and URI. Because the catch-all comes last and is deliberately loose, a line only gets the _grokparsefailure tag if it does not even carry the common timestamp prefix. The mutate filter adds a constant "device_type" of "cisco-meraki" to every event. The date filter parses "epoch_time" as UNIX seconds into @timestamp and, on success, drops the two raw timestamp fields. Finally, events are sent to the CiscoMeraki custom table in Microsoft Azure Log Analytics and also echoed on the console.
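The quickest way to check that a pattern list like this one does what the explanation says is to replay a few sample lines through it before deploying. The script below is an added example, not part of the original pipeline or of the Logstash project: it re-expresses the page's grok patterns as Python regexes in the same order, applies grok's first-match rule, then emulates the mutate and date filters. The grok tokens are simplified (assumptions: IP and MAC are exact forms, URI is any run of non-space characters, CISCOTIMESTAMP and SYSLOGTIMESTAMP are both "Mon dd HH:MM:SS"), and the sample log lines are constructed to fit the page's patterns, including the absence of a device-name token on the NAT flow lines.

```python
"""Replay constructed Meraki syslog lines through a Python model of the page's grok/mutate/date pipeline.

Added example (not the original Logstash config). Grok tokens are replaced by simplified regexes.
"""
import json
import re
from datetime import datetime, timezone

IP = r"(?:\d{1,3}\.){3}\d{1,3}"                     # simplified %{IP}
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"        # simplified %{MAC}
TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"  # simplified %{CISCOTIMESTAMP} / %{SYSLOGTIMESTAMP}
# Common prefix of every pattern on the page: syslog timestamp, relay host, two spaces, Meraki epoch time.
PREFIX = rf"(?P<ciscotimestamp>{TS}) (?P<host>\S+)  (?P<epoch_time>\d+\.\d+) "


def _p(body: str) -> re.Pattern:
    return re.compile(PREFIX + body)


URL_TAIL = rf"src=(?P<src_ip>{IP}):(?P<src_port>\d+) dst=(?P<dst_ip>{IP}):(?P<dst_port>\d+) mac=(?P<mac_address>{MAC})"
REQ = r" request: (?P<request_type>\w+) (?P<uri>\S+)"
FLOW = rf"(?P<type>\w+) src=(?P<src_ip>{IP}) dst=(?P<dst_ip>{IP}) protocol=(?P<protocol>\w+)"
RULE = rf"(?P<devicename>\w+) (?P<type>\w+) src=(?P<src_ip>{IP}) dst=(?P<dst_ip>{IP})"

# Same order as the page; grok stops at the first match (break_on_match defaults to true).
PATTERNS = [
    _p(rf"(?P<devicename>\w+) (?P<type>\w+) {URL_TAIL}{REQ}"),
    _p(rf"(?P<devicename>\w+) (?P<type>\w+) {URL_TAIL} agent=(?P<agent>\w+){REQ}"),
    _p(rf"(?P<devicename>\w+) (?P<type>\w+) {URL_TAIL} agent='(?P<agent>.*)'{REQ}"),
    _p(rf"{FLOW} sport=(?P<src_port>\d+) dport=(?P<dst_port>\d+) translated_src_ip=(?P<translated_src_ip>{IP}) translated_port=(?P<translated_port>\d+)"),
    _p(rf"{FLOW} sport=(?P<src_port>\d+) dport=(?P<dst_port>\d+) translated_dst_ip=(?P<translated_dst_ip>{IP}) translated_port=(?P<translated_port>\d+)"),
    _p(rf"{FLOW} translated_dst_ip=(?P<translated_dst_ip>{IP})"),
    _p(rf"{FLOW} translated_src_ip=(?P<translated_src_ip>{IP})"),
    _p(rf"{RULE} protocol=(?P<protocol>\w+) sport=(?P<src_port>\d+) dport=(?P<dst_port>\d+) pattern: (?P<pattern>.*)"),
    _p(rf"{RULE} mac=(?P<mac_address>{MAC}) protocol=(?P<protocol>\w+) sport=(?P<src_port>\d+) dport=(?P<dst_port>\d+) pattern: (?P<pattern>.*)"),
    _p(rf"{RULE} mac=(?P<mac_address>{MAC}) protocol=(?P<protocol>\w+) type=(?P<protocol_type>\d+) pattern: (?P<pattern>.*)"),
    _p(rf"{RULE} protocol=(?P<protocol>\w+) type=(?P<protocol_type>\d+) pattern: (?P<pattern>.*)"),
    _p(r"(?P<hostname>\w+) (?P<log_type>[a-zA-Z0-9\-]+) ?(?P<contents>.*)"),  # catch-all
]

# Constructed sample lines (not captured from a real device); each targets one shape the page handles.
SAMPLE_LINES = [
    "Nov 12 10:15:01 10.0.0.1  1605176101.123456 MX84 urls src=192.168.1.10:51234 dst=203.0.113.5:443 mac=AA:BB:CC:DD:EE:FF request: GET https://example.com/index.html",
    "Nov 12 10:15:02 10.0.0.1  1605176102.5 MX84 urls src=192.168.1.10:51235 dst=203.0.113.5:443 mac=AA:BB:CC:DD:EE:FF agent='Mozilla/5.0 (X11)' request: GET https://example.com/a.css",
    "Nov 12 10:15:03 10.0.0.1  1605176103.0 flows src=192.168.1.10 dst=203.0.113.5 protocol=tcp sport=51236 dport=443 translated_src_ip=198.51.100.2 translated_port=40000",
    "Nov 12 10:15:04 10.0.0.1  1605176104.0 MX84 firewall src=192.168.1.10 dst=203.0.113.5 mac=AA:BB:CC:DD:EE:FF protocol=tcp sport=51237 dport=443 pattern: allow all",
    "Nov 12 10:15:05 10.0.0.1  1605176105.0 MX84 events type=client_vpn_connect user=alice",
]


def which_pattern(line: str):
    """Index of the first pattern that matches, or None; useful for checking pattern order."""
    for i, pat in enumerate(PATTERNS):
        if pat.match(line):
            return i
    return None


def parse_line(line: str) -> dict:
    """grok (first match wins) -> mutate add_field -> date with remove_field on success."""
    event = {"message": line, "device_type": "cisco-meraki"}  # mutate runs whether or not grok matched
    idx = which_pattern(line)
    if idx is None:
        event["tags"] = ["_grokparsefailure"]
    else:
        event.update({k: v for k, v in PATTERNS[idx].match(line).groupdict().items() if v is not None})
    epoch = event.get("epoch_time")
    if epoch is not None:
        try:
            event["@timestamp"] = datetime.fromtimestamp(float(epoch), tz=timezone.utc).isoformat()
            # Logstash's date filter only applies remove_field after a successful parse.
            event.pop("ciscotimestamp", None)
            event.pop("epoch_time", None)
        except (ValueError, OverflowError):
            event.setdefault("tags", []).append("_dateparsefailure")
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(parse_line(sample), sort_keys=True))
```

Running it prints one JSON event per line, which is roughly what `stdout {}` would show. The NAT flow line lands on the fourth pattern only because it carries no device-name token, exactly as the page's flow patterns are written; a flow line that does name the device would skip every NAT pattern and fall through to the catch-all, which is the kind of silent field loss this sort of replay is meant to surface.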

Details


Rod Trent

Released: November 12, 2020

Tables

CiscoMeraki

Keywords

Keywords: Devices, Intune, User, KQL, Query, Keywords, Input, File, Path, Filter, Grok, Match, Message, CISCOTIMESTAMP, SYSLOGHOST, BASE16FLOAT, WORD, devicename, type, src_ip, src_port, dst_ip, dst_port, MAC, mac_address, request_type, URI, agent, epoch_time, protocol, sport, dport, translated_src_ip, translated_port, translated_dst_ip, pattern, hostname, log_type, contents, overwrite, mutate, add_field, device_type, date, UNIX, target, @timestamp, remove_field, output, microsoft-logstash-output-azure-loganalytics, workspace_id, workspace_key, custom_log_table_name, key_names, host, message.
