Splunk Enterprise Security

Meraki Syslog events to TA-meraki are not showing up in ESS

brian1_tate
Path Finder

Myron,

Thank you for taking the time to put into this TA. It appears to be really useful with the way that Meraki combines so much from the firehose in syslog. I'm having some similar issues to those described above. From a fresh install of 6.6, I installed my dev license and created a new index "meraki". I then forced the source type to be "meraki".

I then installed the TA and opened 1514 UDP, then I went into the Meraki dashboard and forwarded syslog events to the Splunk instance. However, if I just search for index=meraki then I get results, I do not however see different event types and I cannot search for tags "attack" or "ids" according to CIM.

Am I missing something here (this is just a dev lab for ESS and testing a few add-ons)?

Myron or anyone else have any thoughts? I have no other syslog data going into the Windows host, all of that is Rest API or universal forwarders. I could use any suggestions anyone might have because I'm not doing a local pickup of files like the TA has documented.

0 Karma
1 Solution

brian1_tate
Path Finder

So I ended up looking at what inputs.conf was actually in the local directory, when there was none listed - it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories but not in the primary local. After adding this and adding the line for udp 514 along with source and sourcetype to be used, the events magically aligned. I would have thought adding this as an input with these parameters would have added a line and the same information I used to create the input and ensure data was going to the same index but it appears not.

Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless of whether it's a single instance, and ensure there are settings in the local directories to override any others.


0 Karma
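An added example (not from the original post or the TA-meraki project) of the kind of local inputs.conf stanza the solution describes: a UDP listener whose index and sourcetype are pinned so that the TA's props.conf and CIM tags apply to the events. The port, index name and sourcetype follow the values given in this thread; the app directory and the `connection_host` and `no_appending_timestamp` settings are assumptions about a typical Meraki syslog setup, not something the thread states.

```ini
# Added example: $SPLUNK_HOME/etc/apps/TA-meraki/local/inputs.conf
# (path is an assumption; any app's local/ directory works, and local/
# takes precedence over the same app's default/ directory).
[udp://514]
# Route every datagram on this port to the index and sourcetype the TA expects.
index = meraki
sourcetype = meraki
# Record the sender's IP address as host rather than resolving it via DNS (assumed preference).
connection_host = ip
# Meraki messages carry their own timestamp; do not prepend Splunk's receive time.
no_appending_timestamp = true
```

After a restart or an inputs reload, `$SPLUNK_HOME/bin/splunk btool inputs list udp://514 --debug` prints the effective stanza with the file each setting came from, which makes the default-versus-local mismatch the solution describes visible at a glance. On the search head, a search such as `index=meraki sourcetype=meraki | stats count by tag` run in smart or verbose mode should then list tags such as `attack` or `ids` once the TA's props are being applied.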


brian1_tate
Path Finder

Hi myron.davis,

Thanks for your reply and my apologies as I have been working security operations rather than engineering in my lab for some time. I do have this installed and it's a single instance with full features available. Recently, I stood up a new instance and sent the same data again as before. This time in Splunk 6.6.6 and the previous release of ES not v5, I installed the latest CIM and the events are being parsed but are not aligning to the CIM properly. Is this a known issue? What can I check against the latest CIM and Splunk ESS to ensure that flows, ids and what not are being mapped and tagged correctly?

0 Karma

myron_davis
Path Finder

I'm unfortunately (still) not getting notified when people add comments in regard to this app.

They should be mapped/tagged and aligned properly.

Any chance you could send me a sample log to my email address so I could import it into a test index on my system?

0 Karma

myron_davis
Path Finder

I would like to apologize; I never saw this message. Looks like spam control grabbed it.

TA-meraki must be installed on the search head. It is optional to install on the indexer. (I didn't see where you explicitly said you installed it on the search head... just on the indexer).

I'd like to verify a few things. When you do an index=meraki you say the data is there, correct? And it is also listed as sourcetype=meraki, correct? And when you search you do not have "fast mode" on; you have smart mode or verbose mode on, correct?

Additionally, in Enterprise Security you MUST have acceleration enabled for the relevant data models. (Was that done?)

This shouldn't matter but are you running the latest version of TA-meraki?

0 Karma