...
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed asnetwork.meraki. The third level identifies the type of events sent. The fourth, fifth, and sixth levels indicate the event subtypes and are used in thenetwork.meraki.api tags.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|
Cisco Meraki | network.meraki.ids-alerts
| network.meraki
|
network.meraki.events
|
network.meraki.flows
|
network.meraki.urls
|
network.meraki.airmarshal_events
| network.meraki.airmarshal_events
|
network.meraki.api.events.1.json
| network.meraki.api.<subtype>.<version>.<format>events
|
network.meraki.api.security_events.1.json
| network.meraki.api.security_events
|
network.meraki.events
| network.meraki.events
|
network.meraki.firewall
| network.meraki.firewall
|
network.meraki.flows
| network.meraki.flows
|
network.meraki.ids.-alerts
| network.meraki.idsAlerts
|
network.meraki.ip_flow_end
| network.meraki.ip_flow_end
|
network.meraki.ip_flow_start
| network.meraki.ip_flow_start
|
network.meraki.l7_firewall
| network.meraki.l7_firewall
|
network.meraki.security_eventsevent
| network.meraki.eventssecurity_event
|
network.meraki.switch
| network.meraki.events.switch
|
network.meraki.urls
| network.meraki.urls
|
network.meraki.vpn_firewall
| network.meraki.vpn_firewall
|
For more information, read more About Devo tags.
How is the data sent to Devo?
To send logs to the network.meraki.api.events and network.meraki.api.security_eventstables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Cisco Meraki collector.
...
Create a rule with the following values for logs generated by Meraki MS Switch devices (the port number can be any free port on your relay):
Source port → 13005 → 13005
Target tag → network.meraki.switch
Check the Stop processing and Sent without syslog tag checkboxes
...
Use this rule for events generated by a Meraki MX Security Appliance or a Meraki MR Access Point. If you configure this rule, the relay will apply a tag that begins with network network.meraki meraki when the source conditions are met. A regular expression in the Source Datadata field describes the format of the event data and identifies the event type as a capturing group. This capturing group is extracted from the event and used to create the third level of the tag.
...
Define the rule using the following values (the port number can be any free port on your relay):
Source port → 13005 → 13005
Source data → [^ ]+ [^ ]+ ([^ ]+) .*
Target tag → network.meraki.\\D1
Target message → \\D0
Check the Stop processing and Sent without syslog tag checkboxes
...
If your environment has multiple MX devices using a site-to-site VPN, and the logging is done to a Devo Relay outside the VPN, be sure that you create a site-to-site firewall rule that will permit outbound traffic to the relay. Consult the vendor documentation for instructions for creating an outbound traffic rule. In this rule, the Source should be the Internet port 1 address of the sending machine. The Destination should be the IP address of the Devo Relay and the Dst Port should be the relay port specified in the Devo Relay rule.
Table structure
These are the fields displayed in these tables:
| Rw ui tabs macro |
|---|
network.merakiField | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | dvc_host | str
| vhost | | type | str
| vtype | | serverdate | timestamp
| | | dvc_name | str
| | | logtype | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| rawSource | ✓ |
Field | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | serverdate | timestamp
| | | dvc_host | str
| vhost | | dvc_name | str
| | | type | str
| | | ssid | str
| | | vap | str
| | | bssid | str
| | | src | str
| | | dst | str
| | | wired_mac | str
| | | vlan_id | str
| | | channel | str
| | | rssi | str
| | | fc_type | str
| | | fc_subtype | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| rawSource | ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | occurredAt | timestamp
| | networkId | str
| | type | str
| | description | str
| | clientId | str
| | clientDescription | str
| | deviceSerial | str
| | deviceName | str
| | ssidNumber | int8
| | ssidName | str
| | eventDataRadio | str
| | eventDataVap | str
| | eventDataClientMac | str
| | eventDataClientIp | str
| | eventDataChannel | str
| | eventDataRssi | str
| | eventDataAid | str
| | eventDataRaw | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | ts | timestamp
| | eventType | str
| | clientName | str
| | clientMac | str
| | clientIp | str
| | srcIp | str
| | srcPort | str
| | destIp | str
| | destPort | str
| | protocol | str
| | uri | str
| | canonicalName | str
| | destinationPort | int8
| | fileHash | str
| | fileType | str
| | fileSizeBytes | int8
| | disposition | str
| | action | str
| | deviceMac | str
| | priority | str
| | classification | str
| | blocked | bool
| | message | str
| | signature | str
| | sigSource | str
| | ruleId | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | serverdate | timestamp
| | | dvc_host | str
| vhost | | dvc_name | str
| | | type | str
| | | vpn_type | str
| | | peer_contact | str
| | | peer_ident | str
| | | connectivity | bool
| | | radio | str
| | | vap | str
| | | client_ip | ip4
| | | client_mac | str
| | | channel | str
| | | active | str
| | | rssi | str
| | | skip | str
| | | clients | str
| | | mesh_in | str
| | | mesh_out | str
| | | duration | float8
| | | auth_neg_failed | str
| | | auth_neg_duration | float8
| | | last_auth_ago | float8
| | | is_wpa | str
| | | full_conn | float8
| | | ip_resp | float8
| | | ip_src | ip4
| | | arp_resp | float8
| | | arp_src | ip4
| | | dns_server | ip4
| | | dns_req_rtt | float8
| | | dns_resp | float8
| | | original_server_ip | ip4
| | | original_server_mac | str
| | | server_ip | ip4
| | | server_mac | str
| | | dhcp_failed | str
| | | reason | str
| | | instigator | str
| | | device_ip | str
| | | http_resp | float8
| | | load | str
| | | best_ap | ip4
| | | best_ap_load | str
| | | best_ap_rssi | str
| | | aid | str
| | | spi | str
| | | proto_id | str
| | | source_client_assigned_vlan | int4
| | | last_illegal_ip_mapped_vlan_id | int4
| | | client_total_illegal_packets | int8
| | | all_total_illegal_packets | int8
| | | last_reported_total | int8
| | | lease_ip | ip4
| | | router_ip | ip4
| | | subnet | ip4
| | | dns1 | ip4
| | | dns2 | ip4
| | | rawMessage | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ |
Field | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | hostname | str
| | | server_date | timestamp
| | | dvc_host | str
| vhost | | dvc_name | str
| | | log_type | str
| | | source_ip | ip4
| | | destination_ip | ip4
| | | mac | str
| | | protocol | str
| | | srcPort | int4
| | | dstPort | int4
| | | icmpType_1 | str
| | | pattern_1 | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ |
Field | Type | Field transformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | | serverdate | timestamp
| | | | dvc_host | str
| | vhost | | dvc_name | str
| | | | action | str
| | Code Block |
|---|
(action_1 != null) ? action_1 : (startswith(pattern, "1")) ? "deny" : (startswith(pattern, "0")) ? "allow" : (pattern ->> "allow") ? "allow" : (pattern ->> "deny") ? "deny" : null("") |
| action_1 pattern | | logtype | str
| | | | srcIp | ip4
| | | | srcPort | int4
| | | | dstIp | ip4
| | | | dstPort | int4
| | | | proto | str
| | | | mac | str
| | | | icmpType | str
| | Code Block |
|---|
(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern:', 0) : icmpType_1 |
| icmpType_1 | | pattern | str
| | Code Block |
|---|
(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern: ', 1) : pattern_1 |
| pattern_1 icmpType_1 | | translated_src_ip | ip4
| | | | translated_dst_ip | ip4
| | | | translated_port | int4
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | rawSource | ✓ |
Field | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | serverdate | timestamp
| | | dvc_host | str
| vhost | | dvc_name | str
| | | srcIp | ip4
| | | srcPort | int4
| | | dstIp | ip4
| | | dstPort | int4
| | | signature | str
| | | priority | int4
| | | tstamp | timestamp
| | | dhost | str
| | | direction | str
| | | proto | str
| | | message | str
| | | unknown | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| rawSource | ✓ |
Field | Type | Field transformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | | serverdate | timestamp
| | | | dvc_host | str
| | vhost | | dvc_name | str
| | | | action | str
| | Code Block |
|---|
(action_1 != null) ? action_1 : (startswith(pattern, "1")) ? "deny" : (startswith(pattern, "0")) ? "allow" : (pattern ->> "allow") ? "allow" : (pattern ->> "deny") ? "deny" : null("") |
| action_1 pattern | | logtype | str
| | | | srcIp | ip4
| | | | srcPort | int4
| | | | dstIp | ip4
| | | | dstPort | int4
| | | | proto | str
| | | | mac | str
| | | | icmpType | str
| | Code Block |
|---|
(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern:', 0) : icmpType_1 |
| icmpType_1 | | pattern | str
| | Code Block |
|---|
(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern: ', 1) : pattern_1 |
| pattern_1 icmpType_1 | | translated_src_ip | ip4
| | | | translated_dst_ip | ip4
| | | | translated_port | int4
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | rawSource | ✓ |
Field | Type | Field transformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | | serverdate | timestamp
| | | | dvc_host | str
| | vhost | | dvc_name | str
| | | | action | str
| | Code Block |
|---|
(action_1 != null) ? action_1 : (startswith(pattern, "1")) ? "deny" : (startswith(pattern, "0")) ? "allow" : (pattern ->> "allow") ? "allow" : (pattern ->> "deny") ? "deny" : null("") |
| action_1 pattern | | logtype | str
| | | | srcIp | ip4
| | | | srcPort | int4
| | | | dstIp | ip4
| | | | dstPort | int4
| | | | proto | str
| | | | mac | str
| | | | icmpType | str
| | Code Block |
|---|
(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern:', 0) : icmpType_1 |
| icmpType_1 | | pattern | str
| | Code Block |
|---|
(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern: ', 1) : pattern_1 |
| pattern_1 icmpType_1 | | translated_src_ip | ip4
| | | | translated_dst_ip | ip4
| | | | translated_port | int4
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | rawSource | ✓ |
network.meraki.l7_firewallField | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | hostname | str
| | | epoch_time | str
| | | host | str
| vhost | | log_type | str
| | | source_ip | ip4
| | | destination_ip | ip4
| | | protocol | str
| | | sport | str
| | | dport | str
| | | decision | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| | ✓ |
network.meraki.security_eventField | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | hostname | str
| | | host | str
| vhost | | serverdate | timestamp
| | | dvc_name | str
| | | logtype | str
| | | subtype | str
| | | url | str
| | | src_ip | ip4
| | | src_port | str
| | | dst_ip | ip4
| | | dst_port | str
| | | mac | str
| | | name | str
| | | sha256 | str
| | | disposition | str
| | | action | str
| | | hostchain | str
| | v | tag | str
| | ✓ | rawMessage | str
| | |
network.meraki.switchField | Type | Extra fields |
|---|
eventdate | timestamp
| | serverdate | timestamp
| | dvc_name | str
| | dvc_ip | str
| | type | str
| | port | str
| | identity | str
| | resp | str
| | rtt | str
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| |
network.meraki.urlsField | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | serverdate | timestamp
| | | dvc_host | str
| vhost | | dvc_name | str
| | | srcIp | ip4
| | | srcPort | int4
| | | dstIp | ip4
| | | dstPort | int4
| | | mac | str
| | | method | str
| | | url | str
| | | user_agent | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| rawSource | ✓ |
network.meraki.vpn_firewallField | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | hostname | str
| | | server_date | timestamp
| | | dvc_host | str
| vhost | | dvc_name | str
| | | log_type | str
| | | source_ip | ip4
| | | destination_ip | ip4
| | | mac | str
| | | protocol | str
| | | srcPort | int4
| | | dstPort | int4
| | | icmpType_1 | str
| | | pattern_1 | str
| | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawSource | str
| | |
|
