cisco_meraki: record port state changes

packages/cisco_meraki/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.20.0
+ changes:
+ - description: Record port state changes.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8538
 - version: 1.19.0
  changes:
  - description: ECS version updated to 8.11.0.

packages/cisco_meraki/data_stream/events/sample_event.json

@@ -85,4 +85,4 @@
  "forwarded",
  "meraki-events"
  ]
-}
+}

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log

@@ -27,3 +27,7 @@
 <134>1 1694519040.863533579 TCP9001 events Port 1 changed STP role from disabled to designated
 <134>1 1694519040.862946339 TCP9001 events port 1 status changed from down to 100fdx
 <134>1 1694519007.104885873 TCP9001 events Auth failure resets to success
+<134>1 1700036621.820196636 AB_1234_Amsterdam_MX01 events carrier_change device port1 up true
+<134>1 1700036617.740693756 AB_1234_Amsterdam_MX01 events carrier_change device port1 up false
+<134>1 1700036798.491301379 ABC_NL_AMS1_SW_B1 events port 44 status changed from 10fdx to down
+<134>1 1700038224.482632052 ABC_NL_AMS1_SW_B1 events port 44 status changed from down to 1Gfdx

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json

@@ -1116,7 +1116,10 @@
  "@timestamp": "2023-09-12T11:44:29.914Z",
  "cisco_meraki": {
  "event_subtype": "port_changed_stp_role",
- "event_type": "events"
+ "event_type": "events",
+ "new_port_status": "disabled",
+ "old_port_status": "designated",
+ "port": "4"
  },
  "ecs": {
  "version": "8.11.0"
@@ -1149,7 +1152,10 @@
  "@timestamp": "2023-09-12T11:44:29.912Z",
  "cisco_meraki": {
  "event_subtype": "port_status_changed",
- "event_type": "events"
+ "event_type": "events",
+ "new_port_status": "down",
+ "old_port_status": "100fdx",
+ "port": "4"
  },
  "ecs": {
  "version": "8.11.0"
@@ -1182,7 +1188,10 @@
  "@timestamp": "2023-09-12T11:44:00.863Z",
  "cisco_meraki": {
  "event_subtype": "port_changed_stp_role",
- "event_type": "events"
+ "event_type": "events",
+ "new_port_status": "designated",
+ "old_port_status": "disabled",
+ "port": "1"
  },
  "ecs": {
  "version": "8.11.0"
@@ -1215,7 +1224,10 @@
  "@timestamp": "2023-09-12T11:44:00.862Z",
  "cisco_meraki": {
  "event_subtype": "port_status_changed",
- "event_type": "events"
+ "event_type": "events",
+ "new_port_status": "100fdx",
+ "old_port_status": "down",
+ "port": "1"
  },
  "ecs": {
  "version": "8.11.0"
@@ -1270,6 +1282,146 @@
  "forwarded",
  "preserve_original_event"
  ]
+ },
+ {
+ "@timestamp": "2023-11-15T08:23:41.820Z",
+ "cisco_meraki": {
+ "event_subtype": "carrier_change",
+ "event_type": "events",
+ "mxport": "port1",
+ "new_port_status": "up"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "carrier_change",
+ "category": [
+ "network"
+ ],
+ "original": "<134>1 1700036621.820196636 AB_1234_Amsterdam_MX01 events carrier_change device port1 up true",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "AB_1234_Amsterdam_MX01"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-11-15T08:23:37.740Z",
+ "cisco_meraki": {
+ "event_subtype": "carrier_change",
+ "event_type": "events",
+ "mxport": "port1",
+ "new_port_status": "down"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "carrier_change",
+ "category": [
+ "network"
+ ],
+ "original": "<134>1 1700036617.740693756 AB_1234_Amsterdam_MX01 events carrier_change device port1 up false",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "AB_1234_Amsterdam_MX01"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-11-15T08:26:38.491Z",
+ "cisco_meraki": {
+ "event_subtype": "port_status_changed",
+ "event_type": "events",
+ "new_port_status": "down",
+ "old_port_status": "10fdx",
+ "port": "44"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "port_status_changed",
+ "category": [
+ "network"
+ ],
+ "original": "<134>1 1700036798.491301379 ABC_NL_AMS1_SW_B1 events port 44 status changed from 10fdx to down",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "message": "port 44 status changed from 10fdx to down",
+ "observer": {
+ "hostname": "ABC_NL_AMS1_SW_B1"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-11-15T08:50:24.482Z",
+ "cisco_meraki": {
+ "event_subtype": "port_status_changed",
+ "event_type": "events",
+ "new_port_status": "1Gfdx",
+ "old_port_status": "down",
+ "port": "44"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "port_status_changed",
+ "category": [
+ "network"
+ ],
+ "original": "<134>1 1700038224.482632052 ABC_NL_AMS1_SW_B1 events port 44 status changed from down to 1Gfdx",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "message": "port 44 status changed from down to 1Gfdx",
+ "observer": {
+ "hostname": "ABC_NL_AMS1_SW_B1"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
  }
  ]
 }

packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml

@@ -28,6 +28,10 @@ processors:
  field: cisco_meraki.event_subtype
  value: port
  if: ctx.msgtype.toLowerCase() == "port"
+- set:
+ field: cisco_meraki.event_subtype
+ value: carrier_change
+ if: ctx.msgtype.toLowerCase() == "carrier_change"
 ####################################################
 # log event with type=<value> format
 # these are dfs_event, association, disassocation, 
@@ -123,14 +127,14 @@ processors:
 - grok:
  field: event.original
  patterns: 
- - '^(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?<message>port %{NOTSPACE} %{PORTACTION:_temp.port_action}.*)$'
+ - '^(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?<message>port %{NOTSPACE:cisco_meraki.port} %{PORTACTION:_temp.port_action}(?: from %{NOTSPACE:cisco_meraki.old_port_status} to %{NOTSPACE:cisco_meraki.new_port_status}|.*))$'
  pattern_definitions:
  SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
  SYSLOGVER: '\b(?:\d{1,2})\b'
  SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
  WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
  PORTACTION: '(?:changed stp role|status changed)'
- if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "port"
+ if: ctx.event.original.startsWith('<') && ctx.cisco_meraki?.event_subtype == "port"
 - gsub:
  field: _temp.port_action
  pattern: ' '
@@ -144,6 +148,28 @@ processors:
  value: 'port_{{{_temp.port_action}}}'
  if: ctx._temp?.port_action != null
 
+####################################################
+# Handle Carrier Change
+####################################################
+- grok:
+ field: event.original
+ patterns: 
+ - '^(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events carrier_change device%{SPACE}%{NOTSPACE:cisco_meraki.mxport} up %{NOTSPACE:_temp.up}.*$'
+ pattern_definitions:
+ SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+ SYSLOGVER: '\b(?:\d{1,2})\b'
+ SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
+ WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
+ if: ctx.event.original.startsWith('<') && ctx.cisco_meraki?.event_subtype == "carrier_change"
+- set:
+ field: cisco_meraki.new_port_status
+ value: up
+ if: ctx._temp?.up == 'true'
+- set:
+ field: cisco_meraki.new_port_status
+ value: down
+ if: ctx._temp?.up == 'false'
+
 ####################################################
 # Handle dfs_event, wpa_auth, wpa_deauth, 
 # association or disassociation

packages/cisco_meraki/data_stream/log/fields/fields.yml

@@ -52,6 +52,14 @@
  type: flattened
  - name: multiple_dhcp_servers_detected
  type: flattened
+ - name: mxport
+ type: keyword
+ - name: new_port_status
+ type: keyword
+ - name: old_port_status
+ type: keyword
+ - name: port
+ type: keyword
  - name: aps_association_reject
  type: flattened
  - name: urls

packages/cisco_meraki/docs/README.md

@@ -79,6 +79,10 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | cisco_meraki.firewall.rule | | keyword |
 | cisco_meraki.flows | | flattened |
 | cisco_meraki.multiple_dhcp_servers_detected | | flattened |
+| cisco_meraki.mxport | | keyword |
+| cisco_meraki.new_port_status | | keyword |
+| cisco_meraki.old_port_status | | keyword |
+| cisco_meraki.port | | keyword |
 | cisco_meraki.security.action | | keyword |
 | cisco_meraki.security.decision | | keyword |
 | cisco_meraki.security.dhost | | keyword |
@@ -682,5 +686,4 @@ An example event for `events` looks as following:
  "meraki-events"
  ]
 }
-
 ```

packages/cisco_meraki/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.19.0"
+version: "1.20.0"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: