diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml
index cbaeb6bcf54..5488e1a2b2a 100644
--- a/packages/cisco_meraki/changelog.yml
+++ b/packages/cisco_meraki/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.1"
+ changes:
+ - description: Fix flows pipeline according to new Firmware MX18.101.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7391
 - version: "1.11.0"
 changes:
 - description: Update package to ECS 8.9.0.
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log
index 8fede9d97a1..bf6da87e3d4 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log
@@ -11,3 +11,7 @@
 <134>1 1674604848.429996761 MX84 flows src=10.10.10.11 dst=172.16.12.23 mac=9C:7B:EF:A9:6C:D8 protocol=udp sport=64138 dport=3289 pattern: deny (src 10.10.0.0/16)
 <134>1 1674604848.429996761 MX84 flows src=10.241.192.11 dst=10.8.2.6 mac=9C:7B:EF:A5:9C:9B protocol=tcp sport=54791 dport=80 pattern: deny all
 <134>1 1674604848.429996761 MX84 flows src=192.168.201.81 dst=10.8.2.4 mac=B4:6B:FC:6A:E0:5A protocol=udp sport=60288 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 cellular_firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 bridge_anyconnect_client_vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
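Review bot: The four new fixture lines in test-flows.log all carry the same `pattern: allow all`, the same mac= and the same ports, so for the newly routed event types the pipeline is never exercised against a deny rule or a CIDR-qualified rule, even though the existing `flows` lines directly above cover both `deny all` and `deny (src 10.10.0.0/16)`. The expected output for these lines pins `cisco_meraki.firewall.action: allow` and `rule: all` only, so a regression in the deny branch for `firewall`/`vpn_firewall`/`cellular_firewall`/`bridge_anyconnect_client_vpn_firewall` would go unnoticed. One additional line per new type with `pattern: deny all` (the shape already used for MX84 above) would close that gap at almost no cost.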
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json
index 64a50663571..e4cc2a093b5 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json
@@ -639,6 +639,186 @@ "forwarded", "preserve_original_event" ] + }, + { + "@timestamp": "2000-01-17T19:14:46.721Z", + "cisco_meraki": { + "event_subtype": "ip_session_initiated", + "event_type": "firewall", + "firewall": { + "action": "allow", + "rule": "all" + } + }, + "destination": { + "ip": "10.241.77.255", + "port": 53 + }, + "ecs": { + "version": "8.9.0" + }, + "event": { + "action": "ip-session-initiated", + "category": [ + "network" + ], + "original": "\u003c134\u003e1 948136486.721741837 MX60 firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all", + "type": [ + "info", + "access", + "start" + ] + }, + "network": { + "protocol": "udp" + }, + "observer": { + "hostname": "MX60" + }, + "source": { + "ip": "10.10.10.11", + "mac": "24-2F-FA-1E-B7-E6", + "port": 9562 + }, + "tags": [ + "forwarded", + "preserve_original_event" + ] + }, + { + "@timestamp": "2000-01-17T19:14:46.721Z", + "cisco_meraki": { + "event_subtype": "ip_session_initiated", + "event_type": "vpn_firewall", + "firewall": { + "action": "allow", + "rule": "all" + } + }, + "destination": { + "ip": "10.241.77.255", + "port": 53 + }, + "ecs": { + "version": "8.9.0" + }, + "event": { + "action": "ip-session-initiated", + "category": [ + "network" + ], + "original": "\u003c134\u003e1 948136486.721741837 MX60 vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all", + "type": [ + "info", + "access", + "start" + ] + }, + "network": { + "protocol": "udp" + }, + "observer": { + "hostname": "MX60" + }, + "source": { + "ip": "10.241.192.1", + "mac": "24-2F-FA-1E-B7-E6", + "port": 9562 + }, + "tags": [ + "forwarded", + "preserve_original_event" + ] + }, + { + "@timestamp": "2000-01-17T19:14:46.721Z", + "cisco_meraki": { + "event_subtype": "ip_session_initiated", + "event_type": "cellular_firewall", + "firewall": { + "action": "allow", + "rule": "all" + } + }, + "destination": { + 
"ip": "10.241.77.255", + "port": 53 + }, + "ecs": { + "version": "8.9.0" + }, + "event": { + "action": "ip-session-initiated", + "category": [ + "network" + ], + "original": "\u003c134\u003e1 948136486.721741837 MX60 cellular_firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all", + "type": [ + "info", + "access", + "start" + ] + }, + "network": { + "protocol": "udp" + }, + "observer": { + "hostname": "MX60" + }, + "source": { + "ip": "10.10.10.11", + "mac": "24-2F-FA-1E-B7-E6", + "port": 9562 + }, + "tags": [ + "forwarded", + "preserve_original_event" + ] + }, + { + "@timestamp": "2000-01-17T19:14:46.721Z", + "cisco_meraki": { + "event_subtype": "ip_session_initiated", + "event_type": "bridge_anyconnect_client_vpn_firewall", + "firewall": { + "action": "allow", + "rule": "all" + } + }, + "destination": { + "ip": "10.241.77.255", + "port": 53 + }, + "ecs": { + "version": "8.9.0" + }, + "event": { + "action": "ip-session-initiated", + "category": [ + "network" + ], + "original": "\u003c134\u003e1 948136486.721741837 MX60 bridge_anyconnect_client_vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all", + "type": [ + "info", + "access", + "start" + ] + }, + "network": { + "protocol": "udp" + }, + "observer": { + "hostname": "MX60" + }, + "source": { + "ip": "10.241.192.1", + "mac": "24-2F-FA-1E-B7-E6", + "port": 9562 + }, + "tags": [ + "forwarded", + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml index c2791f31fe2..660729767f3 100644 --- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -32,7 +32,7 @@ processors:
 value: 'failed to parse time field ({{{ _temp.ts_nano }}}): {{{ _ingest.on_failure_message }}}'
 - pipeline:
 name: '{{ IngestPipeline "flows" }}'
- if: ctx.cisco_meraki.event_type == 'flows'
+ if: "['flows', 'firewall', 'vpn_firewall', 'cellular_firewall', 'bridge_anyconnect_client_vpn_firewall'].contains(ctx.cisco_meraki.event_type)"
 - pipeline:
 name: '{{ IngestPipeline "ipflows" }}'
 if: ctx.cisco_meraki.event_type == 'ip_flow_start' || ctx.cisco_meraki.event_type == 'ip_flow_end'
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml
index 9ce32174526..80017cae929 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml
@@ -4,7 +4,9 @@ processors:
 - grok:
 field: event.original
 patterns:
- - "flows( %{NOTSPACE:cisco_meraki.flows.op})? src=%{IP:source.ip:ip} dst=%{IP:destination.ip:ip}( mac=%{MAC:source.mac})? protocol=%{NOTSPACE:network.protocol}( type=%{NOTSPACE})?( sport=%{NONNEGINT:source.port:long})?( dport=%{NONNEGINT:destination.port:long})?( pattern: %{GREEDYDATA:cisco_meraki.firewall.pattern})?"
+ - "%{TYPE}( %{NOTSPACE:cisco_meraki.flows.op})? src=%{IP:source.ip:ip} dst=%{IP:destination.ip:ip}( mac=%{MAC:source.mac})? protocol=%{NOTSPACE:network.protocol}( type=%{NOTSPACE})?( sport=%{NONNEGINT:source.port:long})?( dport=%{NONNEGINT:destination.port:long})?( pattern: %{GREEDYDATA:cisco_meraki.firewall.pattern})?"
+ pattern_definitions:
+ TYPE: 'flows|firewall|vpn_firewall|cellular_firewall|bridge_anyconnect_client_vpn_firewall'
 - grok:
 field: cisco_meraki.firewall.pattern
 patterns:
diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml
index 2af027c735e..a64ced53dc9 100644
--- a/packages/cisco_meraki/manifest.yml
+++ b/packages/cisco_meraki/manifest.yml
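Review bot: The set of event types that is routed into the flows pipeline is now written out twice — in this `if` list literal in default.yml and again, with the same five names, in the `TYPE` pattern definition of the flows.yml hunk — with nothing tying the two together, so a future firmware type added to one and not the other would either never reach the flows grok or reach it and fail to parse. I would put a comment above the condition to make the coupling explicit: `# Keep this list in sync with pattern_definitions.TYPE in flows.yml; every event_type routed here must be accepted by the first grok there.` The new condition also dereferences `ctx.cisco_meraki.event_type` unguarded, matching the neighbouring ipflows condition; if event_type can be absent when this processor runs (the grok that sets it is outside the hunk), `ctx.cisco_meraki?.event_type` would make such a document route nowhere rather than error, since `contains(null)` is simply false. The enclosing `processors` list starts and ends outside the hunk.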
@@ -1,7 +1,7 @@
 format_version: 2.7.0
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.11.0"
+version: "1.11.1"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: