Splunk Enterprise Security

Meraki Syslog events to TA-meraki are not showing up in ESS

Myron,

Thank you for the time you put into this TA. It appears to be really useful, given the way Meraki combines so much from the firehose in syslog. I'm having some issues similar to those described above. From a fresh install of 6.6, I installed my dev license and created a new index "meraki". I then forced the sourcetype to be "meraki".

I then installed the TA and opened 1514 UDP, then I went into the Meraki dashboard and forwarded syslog events to the Splunk instance. However, while I do get results if I just search for index=meraki, I do not see different event types and I cannot search for the tags "attack" or "ids" according to CIM.

Am I missing something here (this is just a dev lab for ESS and for testing a few add-ons)?

Myron or anyone else have any thoughts? I have no other syslog data going into the Windows host; all of that is REST API or universal forwarders. I could use any suggestions anyone might have, because I'm not doing a local pickup of files as the TA has documented.

0 Karma
1 Solution

So I ended up looking at what inputs.conf was actually in the local directory, and when there was none listed, it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories, but not in the primary local. After adding this, and adding the line for UDP 514 along with the source and sourcetype to be used, the events magically aligned. I would have thought that adding this as an input with these parameters would have added a line with the same information I used to create the input and ensure data was going to the same index, but it appears not.

Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless of whether it's a single instance, and ensure there are settings in the local directories to override any others.

0 Karma
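As an added illustration of what the accepted answer describes (this is not configuration from the thread or from TA-meraki itself), here is the kind of local inputs.conf stanza that a UDP syslog listener needs so that events land in the right index with the right sourcetype. It assumes the port, index name and sourcetype used in the posts above (514/UDP, index "meraki", sourcetype "meraki"); the connection_host and no_appending_timestamp settings are standard Splunk UDP input options and are my assumptions, not something the poster mentioned.

```ini
# $SPLUNK_HOME/etc/apps/TA-meraki/local/inputs.conf  (assumed path; any app's local/ works)
# Settings in a local/ directory override the same stanza in any default/ directory,
# which is why the poster's events only aligned once this existed in local.

[udp://514]
# Index the poster created for Meraki syslog (assumed from the thread).
index = meraki
# Sourcetype the TA's props/transforms key on (assumed from the thread).
sourcetype = meraki
# Record the sending appliance's IP as the host field rather than resolving DNS.
connection_host = ip
# Meraki already sends a timestamp; do not prepend Splunk's receive time.
no_appending_timestamp = true
```

Two practical checks go with this. First, confirm which file actually wins for the stanza with Splunk's built-in config merger: run `splunk btool inputs list udp://514 --debug` from `$SPLUNK_HOME/bin`, which prints each effective setting together with the path of the file it came from. Second, on Linux a listener on port 514 needs root privileges because it is below 1024; the original poster's choice of 1514 avoids that, and the stanza name (for example `[udp://1514]`) must match whatever port the Meraki dashboard is configured to send to.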

Hi myron.davis,

Thanks for your reply, and my apologies, as I have been working security operations rather than engineering in my lab for some time. I do have this installed, and it's a single instance with full features available. Recently, I stood up a new instance and sent the same data again as before. This time, on Splunk 6.6.6 and the previous release of ES (not v5), I installed the latest CIM, and the events are being parsed but are not aligning to the CIM properly. Is this a known issue? What can I check against the latest CIM and Splunk ESS to ensure that flows, IDS and so on are being mapped and tagged correctly?

0 Karma

I'm unfortunately (still) not getting notified when people add comments in regard to this app.

They should be mapped/tagged and aligned properly.

Any chance you could send me a sample log to my email address so I could import it into a test index on my system?

0 Karma

I would like to apologize; I never saw this message. Looks like spam control grabbed it.

TA-meraki must be installed on the search head. It is optional to install on the indexer. (I didn't see where you explicitly said you installed it on the search head, just on the indexer.)

I'd like to verify a few things. When you do index=meraki, you say the data is there, correct? And it is also listed as sourcetype=meraki, correct? And when you search you do not have "fast mode" on; you have smart mode or verbose mode on, correct?

Additionally, in Enterprise Security you MUST have acceleration enabled for the relevant data models. (Was that done?)

This shouldn't matter, but are you running the latest version of TA-meraki?

0 Karma