[Cisco_Meraki] Add ECS Mappings and Grok Pattern to parse DHCP events #13358
Conversation
…improve DHCP event parsing
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Sample events:

<134>1 1736917251.802993170 game_Office_DMC_47_Floor events type=disassociation radio='1' vap='0' client_mac='E4-F4-18-79-1F-E1' band='5' channel='161' reason='1' da_vendor='none' duration='1869.922025769' auth_neg_dur='0.142860677' last_auth_ago='1869.779207384' is_8021x='1' full_conn='0.317524167' ip_resp='0.317524167' ip_src='89.160.20.112' http_resp='56.027654771' arp_resp='0.179391823' arp_src='20.22.20.157' dns_server='20.142.20.250' dns_req_rtt='0.002535260' dns_resp='0.289948906' identity='xxxx_xxx' aid='401480346'
<134>1 1736917275.649842796 game_Office_DMC_47_Floor events type=disassociation radio='1' vap='0' client_mac='E4-F4-18-79-1F-E1' band='5' channel='161' reason='1' da_vendor='none' duration='31.22725353' auth_neg_dur='0.012057865' last_auth_ago='31.152091238' is_8021x='1' full_conn='12.115982391' ip_resp='12.115982391' ip_src='89.160.20.112' arp_resp='0.241727656' arp_src='20.22.20.39' identity='xxxx_xxx' aid='1607913618'
What's changed between these events and the ones described in the enhancement issue?
They don't seem to match exactly.
No major changes were made; only the values of mac and ip_src were updated to the Elastic test IP, and a priority number was added at the beginning.
- rename:
    field: cisco_meraki.{{{cisco_meraki.event_subtype}}}.client_mac
    target_field: client.mac
    if: ctx.cisco_meraki?.event_subtype != null && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype)
I'm not sure if this list is correct. For example, for splash_auth, the field is called mac and it's already handled elsewhere. Please verify them all.
Same for below.
@kcreddy I verified that client.mac was only set for splash_auth events, and hence removed it from this list.
For the ip_src field, none of the events are mapped to source.ip.
Therefore, if the client_mac and ip_src fields appear in any of these events, they will be mapped to the corresponding ECS fields.
Remove splash_auth from the list while setting client.mac.
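To make the review discussion above concrete, here is a small Python model of what the pipeline does to the sample events quoted earlier. It is an added example, not the integration's own ingest pipeline: it splits a Meraki syslog line into `cisco_meraki.<event_subtype>.*` key/value fields (the layout the rename processor's `field:` template implies) and then applies the conditional `client.mac` / `source.ip` renames with the subtype list from the quoted snippet, minus `splash_auth` as agreed in the thread. The `observer.name` and `log.syslog.*` fields and the `splash_auth` sample line are my own additions and are constructed, not taken from the PR.

```python
"""Toy model of the Cisco Meraki ingest pipeline behaviour discussed in this PR.
Added example; not the integration's own pipeline code."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Subtypes whose client_mac/ip_src get mapped to ECS. Copied from the rename
# processor snippet quoted in the review, with splash_auth removed as agreed.
MAC_IP_SUBTYPES = frozenset([
    "dfs_event", "association", "disassociation", "aps_association_reject",
    "multiple_dhcp_servers_detected", "wpa_deauth", "wpa_auth",
    "8021x_eap_failure", "8021x_auth", "8021x_deauth", "8021x_eap_success",
    "device_packet_flood",
])

# <PRI>1 <epoch[.nanos]> <hostname> <event_type> key=value key='value' ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<sec>\d+)(?:\.(?P<frac>\d+))? "
    r"(?P<host>\S+) (?P<event_type>\S+) (?P<body>.*)$"
)
# Values are either single-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def parse_event(line: str) -> Optional[Dict[str, Any]]:
    """Parse one Meraki syslog line into a nested document; None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pairs = {k: (q or b) for k, q, b in KV_RE.findall(m["body"])}
    subtype = pairs.pop("type", None)
    if subtype is None:
        return None  # every Meraki "events" line carries type=<subtype>
    pri = int(m["pri"])
    frac = (m["frac"] or "0")[:6].ljust(6, "0")  # nanoseconds -> microseconds
    ts = datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc).replace(microsecond=int(frac))
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "observer": {"name": m["host"]},                  # constructed ECS placement
        "log": {"syslog": {"priority": pri,
                           "facility": {"code": pri // 8},   # 134 -> 16 (local0)
                           "severity": {"code": pri % 8}}},  # 134 -> 6 (informational)
        "cisco_meraki": {"event_type": m["event_type"],
                         "event_subtype": subtype,
                         subtype: pairs},
    }


def apply_ecs_renames(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror the PR's two conditional rename processors.

    Painless condition from the diff:
      ctx.cisco_meraki?.event_subtype != null && [...].contains(ctx.cisco_meraki.event_subtype)
    Rename semantics: the source key is removed and its value placed at the target.
    Note the real processor errors on a missing source field unless ignore_missing: true
    is set; here a missing field is simply skipped.
    """
    subtype = doc.get("cisco_meraki", {}).get("event_subtype")
    if subtype not in MAC_IP_SUBTYPES:
        return doc
    fields = doc["cisco_meraki"].get(subtype, {})
    mac = fields.pop("client_mac", None)
    if mac is not None:
        doc.setdefault("client", {})["mac"] = mac
    ip = fields.pop("ip_src", None)
    if ip is not None:
        doc.setdefault("source", {})["ip"] = ip
    return doc


def process_lines(lines: List[str]) -> List[Dict[str, Any]]:
    """Run parse + rename over raw lines, dropping lines that do not parse."""
    docs = []
    for line in lines:
        doc = parse_event(line)
        if doc is not None:
            docs.append(apply_ecs_renames(doc))
    return docs


# First two lines are the samples quoted in this PR; the third is constructed to show
# a subtype outside the list (splash_auth, whose field is named mac, not client_mac).
SAMPLE_LINES = [
    "<134>1 1736917251.802993170 game_Office_DMC_47_Floor events type=disassociation radio='1' vap='0' client_mac='E4-F4-18-79-1F-E1' band='5' channel='161' reason='1' da_vendor='none' duration='1869.922025769' auth_neg_dur='0.142860677' last_auth_ago='1869.779207384' is_8021x='1' full_conn='0.317524167' ip_resp='0.317524167' ip_src='89.160.20.112' http_resp='56.027654771' arp_resp='0.179391823' arp_src='20.22.20.157' dns_server='20.142.20.250' dns_req_rtt='0.002535260' dns_resp='0.289948906' identity='xxxx_xxx' aid='401480346'",
    "<134>1 1736917275.649842796 game_Office_DMC_47_Floor events type=disassociation radio='1' vap='0' client_mac='E4-F4-18-79-1F-E1' band='5' channel='161' reason='1' da_vendor='none' duration='31.22725353' auth_neg_dur='0.012057865' last_auth_ago='31.152091238' is_8021x='1' full_conn='12.115982391' ip_resp='12.115982391' ip_src='89.160.20.112' arp_resp='0.241727656' arp_src='20.22.20.39' identity='xxxx_xxx' aid='1607913618'",
    "<134>1 1736917300.000000000 game_Office_DMC_47_Floor events type=splash_auth mac='AA-BB-CC-DD-EE-FF' identity='xxxx_xxx'",  # constructed
]

if __name__ == "__main__":
    for d in process_lines(SAMPLE_LINES):
        print(d["@timestamp"], d["cisco_meraki"]["event_subtype"],
              d.get("client", {}).get("mac"), d.get("source", {}).get("ip"))
```

Running it shows the two disassociation events gaining `client.mac` and `source.ip` while the `splash_auth` event keeps its own `mac` field untouched, which is the behaviour the reviewer asked to be verified.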
@mohitjha-elastic, can you expand on the commit message please, instead of this oneliner? Example: #13298 (comment)
@kcreddy Thanks, I have updated the commit message.
@mohitjha-elastic, thank you! Yes that will be great.
Package cisco_meraki - 1.28.1 containing this change is available at https://epr.elastic.co/package/cisco_meraki/1.28.1/
Proposed Commit Message
cisco_meraki: Extended ECS Field Support in Event Pipeline and Improved DHCP Event Parsing with Grok Pattern
Enhanced the event pipeline to populate client.mac and source.ip ECS fields for specific event types that were previously missing from the pipeline.
Addressed pipeline errors in the Meraki integration by adding a Grok pattern to handle cases where Meraki MX logs contain events without DHCP offers. This ensures smooth parsing for all event types.
Checklist
I have added an entry to my package's changelog.yml file.
How to test this PR locally
Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/cisco_meraki directory.
Run the following command to run tests.
elastic-package test -v
Related issues