Cisco Stealthwatch Alarm and Graylog

I just love Stealthwatch and Cisco's “network as a sensor” concept. If you think about traditional SIM/SIEM systems and their visibility into what is moving in your network at the L2/L3 level, I claim that the visibility is zero.

You can send switch, router or server syslog data to your SIM/SIEM server and still not get visibility into your network traffic at the L2/L3 level. If your router is smart enough, it may be able to tell you some information about connections, but what if there is asymmetric or dynamic routing and different data flows take different paths?

A SIM/SIEM can see network connection traffic only from firewalls, because a firewall can report that.

But what if the network device your client is connected to could report every flow you send or receive? What if all network switches, routers, firewalls and clients could tell where traffic is going? If you are lucky and also have an identity-based network with pxGrid, then you get real 360-degree visibility into your traffic.

Think about a situation where you are implementing a new DNS server and want to know which clients are still using the old ones or have tried to use some public servers. What if you have a SCADA network and want to do segmentation without segmentation? In Stealthwatch you can create rules that SCADA1 can talk to SCADA2 but not to the SCADA3 server, even when those servers are in the same network segment or even on the same switch. If SCADA1 sends any data to SCADA3, Stealthwatch will create an alarm, and that alarm can be forwarded to the Graylog server.

How can STW (Stealthwatch) and Graylog be integrated, so that you can see STW-generated alarms in your Graylog server? I assume that you already have Stealthwatch and Graylog up and running. I will use STW version 7.1.1 and Graylog 3.2.3.

Graylog configuration

First we configure Graylog to receive messages from STW.

Go to System/Inputs and choose Inputs.
Launch a new Raw/Plaintext UDP input.
Create the new input on port 1516 and give it a name.

Now we need to add an extractor, which parses the incoming messages.

Click Manage extractors.
Choose Actions and Import extractors.

You can download the latest extractor from my GitHub (https://github.com/hrleinonen/graylog-stealthwatch) and paste that JSON file into the Graylog extractor import.

The extractor brings these new fields into your Graylog:

ALARMSEV = Alarm severity
ALARMSTATUS = Alarm current status
CAT = Alarm category
DOMAIN = STW Domain
DST = Destination
DSTPORT = Destination port
FLOWCOLLECTORIP = Flowcollector IP
FLOWCOLLECTORNAME = Flowcollector name
HOSTNAME = SMC hostname
PROTO = IP protocol
SOURCEHG = Source host group
SRC = Source
TARGETHG = Target host group

Stealthwatch configuration

First open Configuration > Response Management.
Choose Syslog Formats.
Give a name, description, facility and severity. Copy the MSG Part below.

Create a new syslog format.

LEEF:2.0|Lancope|Stealthwatch|7.1|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}

The syslog message format and the fields that Stealthwatch sends to Graylog.
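As an added example (not code from the post or from the graylog-stealthwatch extractor), here is a small Python parser for the LEEF 2.0 line the syslog format above produces, mapped onto the field names the extractor creates. The sample alarm line, its alarm type id, hosts and names are constructed, and the assumption that the raw UDP input keeps the syslog header carrying the SMC hostname is mine.

```python
# Graylog field -> LEEF attribute key, following the extractor field list above.
FIELD_MAP = {
    "ALARMSEV": "alarmSev", "ALARMSTATUS": "alarmStatus", "CAT": "cat",
    "DOMAIN": "domain", "DST": "dst", "DSTPORT": "dstPort",
    "FLOWCOLLECTORIP": "flowCollectorIP", "FLOWCOLLECTORNAME": "flowCollectorName",
    "PROTO": "proto", "SOURCEHG": "sourceHG", "SRC": "src", "TARGETHG": "targetHG",
}

def parse_stw_leef(line):
    """Return the Graylog fields for one Stealthwatch LEEF 2.0 alarm line.

    LEEF 2.0 layout: LEEF:2.0|Vendor|Product|Version|EventID|delimiter|attrs.
    The format above declares 0x7C ('|') as the delimiter, so attributes are
    split on '|' and each on its FIRST '=' (so a fullmessage containing '='
    survives). A '|' inside a value cannot be told from a new attribute, so a
    token without '=' is re-attached to the previous one instead of being lost.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF message")
    # Assumption: the raw UDP input keeps the syslog header; its last token is
    # the sending SMC's hostname (the extractor's HOSTNAME field).
    prefix = line[:start].split()
    parts = line[start:].split("|", 6)
    if len(parts) != 7 or parts[0] != "LEEF:2.0":
        raise ValueError("unexpected LEEF header")
    _, _vendor, _product, _version, event_id, delim_hex, attr_blob = parts
    delim = chr(int(delim_hex, 16))      # "0x7C" -> "|"
    attrs, last_key = {}, None
    for token in attr_blob.split(delim):
        key, sep, value = token.partition("=")
        if sep:
            attrs[key] = value
            last_key = key
        elif last_key is not None:        # stray delimiter inside a value
            attrs[last_key] += delim + token
    fields = {gl: attrs.get(leef) for gl, leef in FIELD_MAP.items()}
    fields["HOSTNAME"] = prefix[-1] if prefix else None
    fields["ALARM_TYPE_ID"] = event_id
    fields["RAW"] = attrs                 # every attribute, for the extra ones
    return fields

# Constructed sample: a policy-violation alarm in the syslog format above
# (alarm type id 20, IPs, host groups and names are made up for the example).
SAMPLE = ("<13>Mar  3 10:15:22 smc01 LEEF:2.0|Lancope|Stealthwatch|7.1|20|0x7C|"
          "src=10.20.0.11|dst=10.20.0.13|dstPort=502|proto=6|msg=Policy Violation|"
          "fullmessage=rule=SCADA1-to-SCADA3 matched|3 flows|cat=Policy Violation|"
          "alarmID=123|sourceHG=SCADA1|targetHG=SCADA3|flowCollectorName=fc01|"
          "flowCollectorIP=10.0.0.5|domain=acme.local|alarmStatus=ACTIVE|alarmSev=Major")
```

Running parse_stw_leef(SAMPLE) yields the same field set the extractor produces, which makes it a handy offline check of a format change before the SMC sends it to port 1516.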

Choose Actions.

Next we create the server to which the alarms are sent.

Give a name, description, your Graylog server IP address and port, and choose your new syslog message format.
Choose Rules.

Next we choose what to send.

Give a name, description, domain and the condition that should be true. I chose All here, so this will send all STW alarms to Graylog.

And where to send the alarms.

Click Add and choose your new

Graylog Stealthwatch Dashboard

I have also created a simple example dashboard, which shows basic information about alarms. You can download the JSON file from my GitHub. You must edit the dashboard so that you replace DOMAIN:PUT-MY-OWN-DOMAIN-HERE with your own domain, like DOMAIN:acme.local

STW simple dashboard.

Cisco Meraki MX and Graylog3 Part 4

This parser/content pack is used to log Meraki MX security events.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called “Cisco_Meraki_MX_Appliance_Security.json” is for MX appliance security events. It brings a couple of new search fields into Graylog3.

New fields are:

  • DISPOSITION = Disposition (eg. malicious)
  • ACTION = Action (eg. block)
  • SHA256 = SHA256 of the file (eg. 2546dcffc5ad854d4d…)
  • NAME = Malware name (eg. Win.Ransomware.Eicar::95.sbx.tg)
  • SRCIP = Source IP-address (eg. 10.10.101.101)
  • SRCPORT = Source port (eg. 23434)
  • DSTIP = Destination IP-address (eg. 193.166.3.7)
  • DSTPORT = Destination port (eg. 443)

Upload the file to Graylog3 using the instructions from my blog https://www.hacknetwork.org/?p=167

Action report example.

Malware name example.

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address and port 5556, and choose the Appliance event log role. Click Save after this. Now you should see traffic in your Graylog input.

Cisco Meraki MX and Graylog3 Part 3

This parser/content pack is used to log Meraki MX URL events.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called “Cisco_Meraki_MX_Appliance_URLs.json” is for MX appliance URL events. It brings a couple of new search fields into Graylog3.

New fields are:

  • AGENT = Browser agent (eg. Mozilla Firefox)
  • REQUEST = HTTP request method (eg. POST)
  • SRCIP = Source IP-address (eg. 10.10.101.101)
  • SRCPORT = Source port (eg. 23434)
  • DSTIP = Destination IP-address (eg. 193.166.3.7)
  • DSTPORT = Destination port (eg. 443)

Map based on destination IP addresses.
Example fields.

Upload the file to Graylog3 using the instructions from my blog https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address and port 5555, and choose the Appliance event log role. Click Save after this. Now you should see traffic in your Graylog input.

Cisco Meraki MX and Graylog3 Part 2

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called “Cisco_Meraki_MX_Appliance_Events.json” is for MX appliance events. It brings a couple of new search fields into Graylog3.

New fields are:

  • EVENT_TYPE = Event type (eg. IDS, content_filtering_block or dhcp)
  • SPI = Security Parameter Index (eg. 53afbb30231007)
  • URL_CATEGORY = Category where blocked site belongs (eg. Malware)

Top 10 values for event type.
Top 5 blocked URL categories.

Upload the file to Graylog3 using the instructions from my blog https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address and port 5557, and choose the Appliance event log role. Click Save after this. Now you should see traffic in your Graylog input.

Cisco Meraki MX and Graylog3

I really like the Meraki cloud concept. It includes a complete network stack: firewalls/SD-WAN, WLAN, switches and security cameras (also MDM). The only problem (if we don’t count the missing AnyConnect) is logs and querying. Now, because I use Graylog for my other projects, I decided to use Graylog3 as my log storage. There are no ready-made parsers or dashboards in the Graylog marketplace, so I started to make my own.

Here comes a parser (GROK based) for MX flow records, enjoy.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

There are a couple of roles in Meraki MX which you use to send syslog. I chose to send every role to a different port, so I can choose which extractor to use.

The file called “Cisco_Meraki_Flow_Content_Pack.json” is for MX flow events. It brings a couple of new search fields into Graylog3.

New fields are:

  • DSTIP = Destination IP-address (eg. 208.67.222.222)
  • DSTPORT = Destination port (eg. 53)
  • FLOW_TYPE = Flow start or end (eg. ip_flow_end)
  • PROTOCOL = Protocol (eg. tcp)
  • SRCIP = Source IP-address (eg. 172.16.0.10)
  • SRCPORT = Source port (eg. 1007)
  • TRANSLATED_DST_IP = Translated destination IP-address (eg. 1.2.3.4)
  • TRANSLATED_PORT = Translated port (eg. 55)
  • TRANSLATED_SRC_IP = Translated source IP-address (eg. 81.3.4.1)

Example of the new search fields (btw. this is demo-generated data, not my inside net).
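As an added example (not the content pack's own GROK pattern), here is a plain-Python parser that fills the search fields above from MX flow lines, plus the DNS-migration check from the Stealthwatch post above (which clients still query a resolver you did not approve) run over those flows. The sample lines are constructed, reusing the demo values from the field list, and the ip_flow_start/ip_flow_end key=value layout is assumed from those field names.

```python
import re

# One flow record: epoch timestamp, device, flow type, then key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+"
    r"(?P<flow_type>ip_flow_(?:start|end))\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Content-pack search field -> key in the syslog line (assumed layout).
FIELD_MAP = {
    "SRCIP": "src", "SRCPORT": "sport", "DSTIP": "dst", "DSTPORT": "dport",
    "PROTOCOL": "protocol", "TRANSLATED_SRC_IP": "translated_src_ip",
    "TRANSLATED_DST_IP": "translated_dst_ip", "TRANSLATED_PORT": "translated_port",
}

def parse_flow_line(line):
    """Return the search fields for one flow record, or None for any other
    role's line (other roles go to other ports, as the post recommends)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("kv")))
    fields = {name: kv.get(key) for name, key in FIELD_MAP.items()}
    fields["FLOW_TYPE"] = m.group("flow_type")
    fields["TIMESTAMP"] = float(m.group("ts"))
    return fields

def dns_clients_outside(lines, approved_dns):
    """Map each client that started a port-53 flow to a resolver NOT in
    approved_dns onto the set of resolvers it used (DNS migration check)."""
    offenders = {}
    for line in lines:
        f = parse_flow_line(line)
        if f is None or f["FLOW_TYPE"] != "ip_flow_start" or f["DSTPORT"] != "53":
            continue
        if f["DSTIP"] not in approved_dns:
            offenders.setdefault(f["SRCIP"], set()).add(f["DSTIP"])
    return offenders

# Constructed sample lines; the last one is a different role and is ignored.
SAMPLE_LINES = [
    "1583230001.123456 MX84 ip_flow_start src=172.16.0.10 dst=208.67.222.222 "
    "protocol=udp sport=1007 dport=53 translated_src_ip=81.3.4.1 translated_port=55",
    "1583230002.000001 MX84 ip_flow_start src=172.16.0.11 dst=172.16.0.2 "
    "protocol=udp sport=40001 dport=53",
    "1583230003.500000 MX84 ip_flow_end src=172.16.0.10 dst=208.67.222.222 "
    "protocol=udp sport=1007 dport=53 translated_src_ip=81.3.4.1 translated_port=55",
    "1583230004.000000 MX84 events type=dhcp src=172.16.0.12",
]
```

With approved_dns set to your internal resolver, dns_clients_outside(SAMPLE_LINES, {"172.16.0.2"}) reports 172.16.0.10 as still talking to 208.67.222.222, which is the same answer a Graylog search on DSTPORT:53 AND NOT DSTIP:172.16.0.2 gives once the content pack is installed.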

Now, when you have downloaded the JSON file, you must upload it to Graylog3. Choose System > Content Packs and the Content Packs page opens. Click Upload (green box) in the upper left corner. Choose the content pack file and upload it.

There is now a new content pack called Cisco Meraki Flow; click Install. After this you have a new input and dashboard.

Go to the inputs page, System > Inputs. There is an input called MERAKI_LOGS_FLOWS. The input listens on RAW/plaintext UDP port 5558 (there are some problems with standard Syslog UDP). If the input is not started, you must start it.

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address and port 5558, and choose the Flows role. Click Save after this. Now you should see traffic in your Graylog input.

Click System > Inputs, find MERAKI_LOGS_FLOWS and choose Show Received Messages.

There is also a new dashboard called “Meraki MX Flow Records”. Go to Dashboards > Meraki MX Flow Records.

Example flow dashboard.