Network Device Pipeline Design

Pipeline design for ingesting, transforming, and routing network infrastructure logs to Microsoft Sentinel.

Network Device Categories

Network Device Environment

Device Types

| Category | Examples | Log Content |
|---|---|---|
| Switches | Catalyst, Nexus, Meraki | Port up/down, MAC learning, spanning tree, VLAN changes |
| Routers | ISR, ASR, Nexus | Routing changes, interface state, BGP/OSPF events |
| Wireless | WLC, APs, Meraki | Client associations, roaming, RF events |
| Load Balancers | F5, Citrix | Pool health, connection events |

Common Syslog Message Types

| Message Type | Description | Security Value | Volume |
|---|---|---|---|
| Interface Up/Down | Link state changes | MEDIUM | LOW |
| Config Changes | Configuration modifications | HIGH | LOW |
| Authentication | Login attempts (SSH, console) | HIGH | LOW |
| Spanning Tree | STP topology changes | MEDIUM | LOW |
| VLAN Events | VLAN creation, deletion, changes | MEDIUM | LOW |
| MAC Flapping | MAC address moves between ports | HIGH | LOW |
| BGP/OSPF | Routing protocol state changes | HIGH | LOW |
| Hardware Alerts | Fan, power, temperature | MEDIUM | LOW |
| Syslog Noise | Debug, informational | LOW | HIGH |

Syslog Formats

Network devices use varied syslog formats:

Cisco IOS/IOS-XE

*Mar 18 12:34:56.789: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Mar 18 12:34:56.789: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.50.1.100]

Cisco NX-OS

2026 Mar 18 12:34:56 switch %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down

Meraki

<134>1 1710765296.123456789 MX_10.50.1.1 events type=vpn_connectivity_change vpn_type='site-to-site'

Transform Chain

Step 1: Parse by Device Type

Each format needs its own parser. The IOS parser merges the captured facility and details into the event, so later steps still see the original `message` and `host` fields; a message that does not match the pattern passes through unchanged instead of being dropped by an empty `capture` result:

Cisco IOS:

{
  "operation": "jq",
  "arguments": {
    "query": ". + ((.message | capture(\"(?<facility>%[A-Z0-9_]+-[0-9]+-[A-Z0-9_]+): (?<details>.*)\")) // {})"
  }
}

Step 2: Extract Common Fields

{"operation": "rename", "arguments": {"from": "host", "to": "device_hostname"}}
{"operation": "add", "arguments": {"key": "device_type", "value": "network"}}

Step 3: Categorize by Facility

Events that carry no facility (for example Meraki lines, which have no %FACILITY token) fall through to "other" rather than failing the jq test on a null value:

{
  "operation": "jq",
  "arguments": {
    "query": "(.facility // \"\") as $f | if $f | test(\"LINK|LINEPROTO\") then .category = \"interface\" elif $f | test(\"SEC_LOGIN|AUTHFAIL\") then .category = \"authentication\" elif $f | test(\"SYS-5-CONFIG\") then .category = \"configuration\" else .category = \"other\" end"
  }
}

Step 4: Add Metadata

{"operation": "add", "arguments": {"key": "log_source", "value": "network-infrastructure"}}
{"operation": "timestamp", "arguments": {"key": "monad_ingest_time", "format": "rfc3339"}}

Step 5: Drop Noise

Only events whose facility matches the noise pattern are dropped; events without a facility are kept:

{
  "operation": "jq",
  "arguments": {
    "query": "select((.facility // \"\") | test(\"DEBUG|PARSER\") | not)"
  }
}

Routing Configuration

Route 1: Security Events → Analytics

{
  "operator": "or",
  "conditions": [
    {"type": "contains", "key": "facility", "value": "SEC_LOGIN"},
    {"type": "contains", "key": "facility", "value": "AUTHFAIL"},
    {"type": "contains", "key": "facility", "value": "CONFIG"},
    {"type": "contains", "key": "message", "value": "MAC_MOVE"},
    {"type": "contains", "key": "message", "value": "DUPLEX_MISMATCH"},
    {"type": "matches_regex", "key": "facility", "pattern": "BGP|OSPF"}
  ]
}

Route 2: All Events → Basic

{
  "operator": "always",
  "conditions": []
}
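The transform chain (Steps 1 to 5) and both routes, carried through as one runnable reference pipeline. This is an added example for this design note, not Monad's engine or any Cisco or Meraki code. It assumes: the jq steps are rewritten with Python's `re` module; the syslog transport supplies the sending host for IOS lines (which carry no hostname in the message body); Meraki lines, which have no %FACILITY token, get a synthetic `MERAKI-<type>` facility built from their `type=` field; the facility pattern is widened to `[A-Z0-9_]` so mnemonics containing digits (e.g. `SSH2_SESSION`, `DOT1X`) still match; and lines in an unknown format are kept with category "other" and routed to Basic instead of being silently lost. All sample lines are constructed.

```python
"""Reference pipeline for the transform chain and routing rules above (added example)."""
import re
from datetime import datetime, timezone

# Facility token shared by IOS and NX-OS, e.g. %SEC_LOGIN-5-LOGIN_SUCCESS (widened to allow digits; assumption)
FACILITY = r"(?P<facility>%[A-Z0-9_]+-[0-9]+-[A-Z0-9_]+)"
IOS_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): " + FACILITY + r": (?P<details>.*)$")
NXOS_RE = re.compile(r"^(?P<ts>\d{4} [A-Z][a-z]{2} +\d+ [\d:]+) (?P<host>\S+) " + FACILITY + r": (?P<details>.*)$")
MERAKI_RE = re.compile(r"^<(?P<pri>\d+)>1 (?P<ts>[\d.]+) (?P<host>\S+) (?P<kind>\S+) (?P<details>.*)$")


def parse(raw, host="unknown"):
    """Step 1: parse by device type. `host` is the sender seen by the syslog transport (assumption)."""
    event = {"message": raw, "host": host}
    if m := IOS_RE.match(raw):
        event.update(device_format="cisco_ios", **m.groupdict())
    elif m := NXOS_RE.match(raw):
        event.update(device_format="cisco_nxos", **m.groupdict())
    elif m := MERAKI_RE.match(raw):
        event.update(device_format="meraki", **m.groupdict())
        kv = dict(p.split("=", 1) for p in m["details"].split() if "=" in p)
        # Meraki carries no %FACILITY token; synthesize one from type= so later steps behave uniformly (assumption)
        event["facility"] = "MERAKI-" + kv.get("type", m["kind"]).upper()
    else:
        # Unknown format: keep the event and flag it rather than dropping it silently (assumption)
        event.update(device_format="unknown", parse_error=True)
    return event


def extract_common(event):
    """Step 2: field names shared by every device."""
    event["device_hostname"] = event.pop("host")
    event["device_type"] = "network"
    return event


# Step 3: same patterns as the jq chain, evaluated in order; first match wins.
CATEGORY_RULES = [
    (re.compile(r"LINK|LINEPROTO"), "interface"),
    (re.compile(r"SEC_LOGIN|AUTHFAIL"), "authentication"),
    (re.compile(r"SYS-5-CONFIG"), "configuration"),
]


def categorize(event):
    facility = event.get("facility") or ""  # tolerate events without a facility
    event["category"] = next((c for rx, c in CATEGORY_RULES if rx.search(facility)), "other")
    return event


def add_metadata(event, now=None):
    """Step 4: tag the source and stamp the ingest time in RFC 3339 form."""
    event["log_source"] = "network-infrastructure"
    event["monad_ingest_time"] = (now or datetime.now(timezone.utc)).isoformat()
    return event


NOISE = re.compile(r"DEBUG|PARSER")


def is_noise(event):
    """Step 5: true for debug/parser chatter that the pipeline drops."""
    return bool(NOISE.search(event.get("facility") or ""))


# Route 1 conditions, joined with "or"; Route 2 ("always") sends everything to Basic.
ANALYTICS_CONDITIONS = [
    ("contains", "facility", "SEC_LOGIN"),
    ("contains", "facility", "AUTHFAIL"),
    ("contains", "facility", "CONFIG"),
    ("contains", "message", "MAC_MOVE"),
    ("contains", "message", "DUPLEX_MISMATCH"),
    ("matches_regex", "facility", "BGP|OSPF"),
]


def condition_matches(cond, event):
    kind, key, value = cond
    field = event.get(key) or ""
    return value in field if kind == "contains" else re.search(value, field) is not None


def route(event):
    destinations = ["basic"]
    if any(condition_matches(c, event) for c in ANALYTICS_CONDITIONS):
        destinations.insert(0, "analytics")
    return destinations


def process(raw, host="unknown"):
    """Run one syslog line through Steps 1-5 and routing; returns None when the line is dropped."""
    event = add_metadata(categorize(extract_common(parse(raw, host))))
    if is_noise(event):
        return None
    event["routes"] = route(event)
    return event


# Constructed sample lines in the three formats (not captured from real devices).
SAMPLE_LINES = [
    "*Mar 18 12:34:56.789: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.50.1.100]",
    "*Mar 18 12:34:56.789: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "*Mar 18 12:35:10.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.50.1.100)",
    "*Mar 18 12:35:12.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): maintenance window",
    "2026 Mar 18 12:34:56 switch %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down",
    "<134>1 1710765296.123456789 MX_10.50.1.1 events type=vpn_connectivity_change vpn_type='site-to-site'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        out = process(line, "sw-access-01")
        print("DROPPED" if out is None else f"{out['category']:<15} -> {out['routes']}", "|", line[:60])
```

Running the sample set shows the login and config-change lines landing in both Analytics and Basic, the interface lines (IOS LINK and NX-OS ETHPORT, which matches on the LINK substring) in Basic only, the Meraki VPN event categorized as "other", and the DEBUG line dropped. Two points worth checking in the real pipeline: the DEBUG|PARSER drop rule also matches the IOS per-command configuration log (%PARSER-5-CFGLOG_LOGGEDCMD), which is an audit trail many teams want to keep, so exclude that mnemonic explicitly if it is enabled on the devices; and unparsed lines are kept here so that a new device type or firmware format shows up as parse_error events in Basic rather than disappearing.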

Network Events - Routing Matrix

| Event Type | Security Value | Volume | Route To |
|---|---|---|---|
| Login Success/Failure | HIGH | Low | Analytics |
| Config Change | HIGH | Low | Analytics |
| Interface Down (critical) | MEDIUM | Low | Analytics |
| Interface Down (access port) | LOW | Medium | Basic |
| MAC Flapping | HIGH | Low | Analytics |
| Spanning Tree Change | MEDIUM | Low | Analytics |
| BGP/OSPF Neighbor Change | HIGH | Low | Analytics |
| Hardware Alert | MEDIUM | Low | Analytics |
| Debug/Informational | LOW | High | DROP |

Device-Specific Considerations

Meraki

Meraki devices use a different syslog format and can also send logs to Monad through a native API connector.

Options:

  1. Syslog - Same pipeline as other network devices

  2. API Connector - Native Monad Meraki input (if available)

Cisco DNA Center

If using DNAC for network management, consider:

  1. DNAC API - May have native Monad connector

  2. DNAC Syslog Forwarding - Aggregate through DNAC

Syslog Server Configuration

Network devices send syslog to the Monad endpoint:

! Cisco IOS
logging host 10.50.1.200 transport tcp port 1468
logging trap informational
logging source-interface Loopback0

! Cisco NX-OS
logging server 10.50.1.200 port 1468 use-vrf management

Use TCP for reliable delivery. UDP may drop logs under load.

Volume Management

Network syslog is generally lower volume than ISE or FTD, but:

  1. Filter at source - Set logging trap to appropriate level

  2. Drop debug - Filter out debug/parser messages in Monad

  3. Aggregate - Consider syslog aggregator if many devices

Testing Checklist

  • Verify syslog connectivity from sample devices

  • Confirm parsing handles IOS, NX-OS, and Meraki formats

  • Test config change routing (should → Analytics)

  • Test auth failure routing (should → Analytics)

  • Validate debug messages are dropped

  • Confirm both outputs receive expected data

Open Questions

  1. Device count: How many network devices will send logs?

  2. Syslog levels: What trap level is configured on devices?

  3. Meraki approach: Syslog or API connector?

  4. DNAC integration: Is DNAC in scope?