Assistance Needed: Configuring Wazuh for Cisco Meraki MXC95 Logs


Levon Gulumian

Apr 10, 2024, 9:22:34 AM
to Wazuh | Mailing List
Hello everyone,

I'm relatively new to Wazuh and currently facing some challenges in getting it set up to receive logs from a Cisco Meraki MXC95 device. I've followed the recommendations provided by Cisco Meraki support, which involved setting up a syslog server to gather the logs successfully.

Here is the recommendation link: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration


However, when attempting to forward these logs from the syslog server to our Wazuh instance by adding the log file locations to the ossec.conf configuration file (/var/ossec/etc/ossec.conf), I haven't been able to get it working. Despite restarting both the Wazuh agent and the Syslog-ng server, I'm not seeing any logs being received in Wazuh.

<localfile>
  <location>/var/log/meraki_events.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/meraki_urls.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/meraki_ids-alerts.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/meraki_flows.log</location>
  <log_format>syslog</log_format>
</localfile>



I've tried adding a decoder and rule to the configuration file as well, but unfortunately, this hasn't resolved the issue either.

Here's the configuration I've attempted:

The Decoder
===========

<decoder name="meraki">
    <prematch>^\s*\d+.\d+\s\w+\s\w+|^\w+\s\d+\s\d+:\d+:\d+\s\d+.\d+.\d+.\d+\s\d\s\d+.\d+\s\w+\s\w+</prematch>
</decoder>
<decoder name="meraki-child">
    <parent>meraki</parent>
    <regex>^(\s*\d+.\d+)\s(\w+)\s(\w+)</regex>
    <order>unix_time,hostname,classification</order>
</decoder>


The Rule
=========


<group name="meraki">

  <rule id="100900" level="0">
    <decoded_as>meraki</decoded_as>
    <description>meraki messages grouped</description>
  </rule>
  <rule id="100901" level="3">
    <if_sid>100900</if_sid>
    <field name="classification">events</field>
    <description>meraki alerts with $(classification) classification</description>
    <group>events,</group>
  </rule>
</group>


I'm reaching out to this community for guidance and assistance. If any of you have experience with configuring Wazuh to receive logs from Cisco Meraki devices, I would greatly appreciate any insights or suggestions you could offer.

Thank you all for your time and assistance.

Gastón Palomeque

Apr 10, 2024, 10:31:21 AM
to Wazuh | Mailing List
Hello Levon,

I hope you are doing well.

Could you verify that the logs (/var/logmeraki_events.log, /var/log/meraki_urls.log, etc.) exist and that the syslog server is writing messages to them?

Regarding the decoder and rule, Wazuh reads all lines written to the log files, but it will only store an event in archives.log if it matches a rule. If an event does not match any rule, it is skipped.

You can store all events even if they do not match a rule by enabling the <logall> option in ossec.conf. This may be handy to see whether Wazuh is processing the logs.

If you would like to verify that the decoder and rule work as expected, you could use the wazuh-logtest tool.

Regards,

Gastón Palomeque
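
As an added offline pre-check (this is not code from the thread and not a Wazuh tool): the script below translates the OS_Regex subset used in Levon's decoder into Python regular expressions and runs the prematch, the child regex and the two posted rules over a few constructed Meraki-style lines. The translation follows the Wazuh regex syntax documentation (\w covers letters, digits, '-', '@' and '_'; \s is a single space; a bare '.' is a literal dot and '\.' means any character). The sample lines are constructed to resemble the Meraki "unix_time hostname type ..." layout and are not from the poster's device; wazuh-logtest on the manager remains the authoritative check. It also exposes an edge case worth knowing before tuning the decoder: a line that carries a BSD syslog header satisfies the second prematch alternative, but the child regex, which anchors on the Unix timestamp, extracts no fields from it.

```python
import re
from typing import Dict, List, Optional

# OS_Regex character classes as documented for Wazuh decoders, mapped to Python re.
# Added example: this translator covers only the subset a decoder like the one above uses.
OS_REGEX_CLASSES = {
    "w": "[A-Za-z0-9@_-]",   # \w also includes '-', '@' and '_' in OS_Regex
    "d": "[0-9]",
    "s": " ",                # \s is a single space, not any whitespace
    "t": "\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&{}|]""",
    "W": "[^A-Za-z0-9@_-]",
    "D": "[^0-9]",
    "S": "[^ ]",
    ".": ".",                # \. in OS_Regex means "any character"
}


def os_regex_to_python(pattern: str) -> str:
    """Translate an OS_Regex pattern (Wazuh decoder syntax) into a Python regex."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # escaped class such as \d, or an escaped literal such as \( or \$
            out.append(OS_REGEX_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "^$|()*+":
            out.append(c)            # same meaning in both engines
        else:
            out.append(re.escape(c))  # every other character is literal, including '.'
        i += 1
    return "".join(out)


# The decoder from the original post: parent prematch, child regex and field order.
MERAKI_PREMATCH = (
    r"^\s*\d+.\d+\s\w+\s\w+"
    r"|^\w+\s\d+\s\d+:\d+:\d+\s\d+.\d+.\d+.\d+\s\d\s\d+.\d+\s\w+\s\w+"
)
MERAKI_CHILD_REGEX = r"^(\s*\d+.\d+)\s(\w+)\s(\w+)"
MERAKI_ORDER = ["unix_time", "hostname", "classification"]


def decode(line: str) -> Optional[Dict[str, str]]:
    """Mimic the parent prematch followed by the child regex.

    Returns None when the prematch fails (the decoder never claims the line),
    an empty dict when the prematch hits but the child regex extracts nothing,
    and the named fields otherwise."""
    if not re.search(os_regex_to_python(MERAKI_PREMATCH), line):
        return None
    m = re.search(os_regex_to_python(MERAKI_CHILD_REGEX), line)
    if not m:
        return {}
    return dict(zip(MERAKI_ORDER, m.groups()))


def matching_rule(fields: Optional[Dict[str, str]]) -> Optional[Dict[str, object]]:
    """Walk the two rules from the post: 100900 (level 0, no alert) groups everything
    decoded as meraki; 100901 (level 3) fires when classification is 'events'."""
    if fields is None:
        return None
    if fields.get("classification") == "events":
        return {"id": 100901, "level": 3, "description": "meraki alerts with events classification"}
    return {"id": 100900, "level": 0, "description": "meraki messages grouped"}


# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    "1712734954.123456789 MX95_Branch events type=vpn_connectivity_change vpn_type=site-to-site",
    "1712734955.000000000 MX95_Branch urls src=10.0.0.15:51234 dst=93.184.216.34:443 request: GET https://example.com/",
    "1712734956.500000000 MX95_Branch ids-alerts signature=1:2100498:7 priority=2 direction=ingress",
    # same kind of event with a BSD syslog header and a version digit in front of it
    "Apr 10 09:22:36 10.0.0.1 1 1712734956.500000000 MX95_Branch ids-alerts signature=1:2100498:7",
    # unrelated line that the prematch must reject
    "Apr 10 09:22:37 host sshd[123]: Accepted publickey for user",
]


def run(lines: List[str]) -> List[Dict[str, object]]:
    """Decode every line and report which rule would claim it."""
    results = []
    for line in lines:
        fields = decode(line)
        results.append({"line": line, "fields": fields, "rule": matching_rule(fields)})
    return results


if __name__ == "__main__":
    for r in run(SAMPLE_LINES):
        print(r["line"][:60].ljust(60), "->", r["fields"], r["rule"] and r["rule"]["id"])
```

Run it directly to see the outcome per line: the three raw lines decode and the "events" line alone reaches the level-3 rule, the syslog-prefixed line passes the prematch but yields no fields (so rule 100901 can never fire on it), and the sshd line is rejected outright. That last case is what wazuh-logtest will confirm against the real ruleset.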

Levon Gulumian

Apr 11, 2024, 10:07:17 AM
to Wazuh | Mailing List
Hello Gastón,

I hope you're doing well too!

Yes, I can confirm that the logs you mentioned (/var/log/meraki_events.log, /var/log/meraki_urls.log, etc.) do exist, and I'm able to read them without any issues. What I need to do is to set up forwarding of these logs to the Wazuh SIEM server. Once that's done, I'll ensure that the correct decoders and rules are in place to effectively monitor and analyze the data.

Thank you so much.

Gastón Palomeque

Apr 11, 2024, 2:16:23 PM
to Levon Gulumian, Wazuh | Mailing List
Hello Levon,

To forward the logs to the Wazuh server, you could use rsyslog. Here is a guide from the documentation with the steps to configure it in your agent.

Regards,



--
Gastón Palomeque
Software Engineer, Wazuh