...
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as network.meraki. The third level identifies the type of events sent. The fourth, fifth, and sixth levels indicate the event subtypes and are used in the network.meraki.api tags.
These are the valid tags and corresponding data tables that will receive the parsers' data:
...
For more information, read About Devo tags.
How is the data sent to Devo?
To send logs to the network.meraki.api.events and network.meraki.api.security_events tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Cisco Meraki collector.
For the rest of the tables, you must define a specific relay rule to send the events to Devo properly. For events generated by Meraki MS Switches, use rule 1; for events generated by a Meraki MX Security Appliance or a Meraki MR Access Point, use rule 2. For more information about event types and log samples, check this article.
...
network.meraki

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| dvc_host | str | vhost | |
| type | str | vtype | |
| serverdate | timestamp | | |
| dvc_name | str | | |
| logtype | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |

network.meraki.airmarshal_events

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| serverdate | timestamp | | |
| dvc_host | str | vhost | |
| dvc_name | str | | |
| type | str | | |
| ssid | str | | |
| vap | str | | |
| bssid | str | | |
| src | str | | |
| dst | str | | |
| wired_mac | str | | |
| vlan_id | str | | |
| channel | str | | |
| rssi | str | | |
| fc_type | str | | |
| fc_subtype | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |

network.meraki.api.events

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| occurredAt | timestamp | |
| networkId | str | |
| type | str | |
| description | str | |
| clientId | str | |
| clientDescription | str | |
| deviceSerial | str | |
| deviceName | str | |
| ssidNumber | int8 | |
| ssidName | str | |
| eventDataRadio | str | |
| eventDataVap | str | |
| eventDataClientMac | str | |
| eventDataClientIp | str | |
| eventDataChannel | str | |
| eventDataRssi | str | |
| eventDataAid | str | |
| eventDataRaw | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

network.meraki.api.security_events

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| ts | timestamp | |
| eventType | str | |
| clientName | str | |
| clientMac | str | |
| clientIp | str | |
| srcIp | str | |
| srcPort | str | |
| destIp | str | |
| destPort | str | |
| protocol | str | |
| uri | str | |
| canonicalName | str | |
| destinationPort | int8 | |
| fileHash | str | |
| fileType | str | |
| fileSizeBytes | int8 | |
| disposition | str | |
| action | str | |
| deviceMac | str | |
| priority | str | |
| classification | str | |
| blocked | bool | |
| message | str | |
| signature | str | |
| sigSource | str | |
| ruleId | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

network.meraki.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| serverdate | timestamp | | | |
| dvc_host | str | | vhost | |
| dvc_name | str | | | |
| type | str | | | |
| vpn_type | str | | | |
| peer_contact | str | | | |
| peer_ident | str | | | |
| connectivity | bool | | | |
| radio | str | | | |
| vap | str | | | |
| process_name | str | | | |
| pid | str | | | |
| client_ip | ip4 | | | |
| client_internal_ip | ip4 | | | |
| client_mac | str | | | |
| channel | str | | | |
| active | str | | | |
| rssi | str | | | |
| skip | str | | | |
| clients | str | | | |
| mesh_in | str | | | |
| mesh_out | str | | | |
| duration | float8 | | | |
| auth_neg_failed | str | | | |
| auth_neg_duration | float8 | | | |
| last_auth_ago | float8 | | | |
| is_wpa | str | | | |
| full_conn | float8 | | | |
| ip_resp | float8 | | | |
| ip_src | ip4 | | | |
| arp_resp | float8 | | | |
| arp_src | ip4 | | | |
| dns_server | ip4 | | | |
| dns_req_rtt | float8 | | | |
| dns_resp | float8 | | | |
| original_server_ip | ip4 | | | |
| original_server_mac | str | | | |
| server_ip | ip4 | | | |
| server_port | str | | | |
| server_mac | str | | | |
| dhcp_failed | str | | | |
| reason | str | | | |
| instigator | str | | | |
| device_ip | str | | | |
| http_resp | float8 | | | |
| load | str | | | |
| best_ap | ip4 | | | |
| best_ap_load | str | | | |
| best_ap_rssi | str | | | |
| aid | str | | | |
| spi | str | | | |
| spi_inbound | str | | | |
| spi_outbound | str | | | |
| inbound_bytes | int8 | | | |
| outbound_bytes | int8 | | | |
| proto_id | str | | | |
| source_client_assigned_vlan | int4 | | | |
| last_illegal_ip_mapped_vlan_id | int4 | | | |
| client_total_illegal_packets | int8 | | | |
| all_total_illegal_packets | int8 | | | |
| last_reported_total | int8 | | | |
| lease_ip | ip4 | | | |
| router_ip | ip4 | | | |
| subnet | ip4 | | | |
| dns1 | ip4 | | | |
| dns2 | ip4 | | | |
| vpn_name | str | | | |
| vpn_id | str | | | |
| local_subnet | str | | | |
| local_tunnel | str | | | |
| remote_subnet | str | | | |
| remote_tunnel | str | | | |
| user_id | str | | | |
| local_ip | str | | | |
| local_ip4 | ip4 | | local_ip | |
| url | str | | | |
| rawMessage | str | | | ✓ |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |

network.meraki.firewall

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| server_date | timestamp | | |
| dvc_host | str | vhost | |
| dvc_name | str | | |
| log_type | str | | |
| source_ip | ip4 | | |
| destination_ip | ip4 | | |
| mac | str | | |
| protocol | str | | |
| srcPort | int4 | | |
| dstPort | int4 | | |
| icmpType_1 | str | | |
| pattern_1 | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawSource | str | | ✓ |

network.meraki.flows

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| serverdate | timestamp | | | |
| dvc_host | str | | vhost | |
| dvc_name | str | | | |
| action | str | `(action_1 != null) ? action_1 : (startswith(pattern, "1")) ? "deny" : (startswith(pattern, "0")) ? "allow" : (pattern ->> "allow") ? "allow" : (pattern ->> "deny") ? "deny" : null("")` | action_1, pattern | |
| logtype | str | | | |
| srcIp | ip4 | | | |
| srcPort | int4 | | | |
| dstIp | ip4 | | | |
| dstPort | int4 | | | |
| proto | str | | | |
| mac | str | | | |
| icmpType | str | `(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern:', 0) : icmpType_1` | icmpType_1 | |
| pattern | str | `(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern: ', 1) : pattern_1` | pattern_1, icmpType_1 | |
| translated_src_ip | ip4 | | | |
| translated_dst_ip | ip4 | | | |
| translated_port | int4 | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |

network.meraki.idsAlerts

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| serverdate | timestamp | | |
| dvc_host | str | vhost | |
| dvc_name | str | | |
| srcIp | ip4 | | |
| srcPort | int4 | | |
| dstIp | ip4 | | |
| dstPort | int4 | | |
| signature | str | | |
| priority | int4 | | |
| tstamp | timestamp | | |
| dhost | str | | |
| direction | str | | |
| proto | str | | |
| message | str | | |
| unknown | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |

network.meraki.ip_flow_end

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| serverdate | timestamp | | | |
| dvc_host | str | | vhost | |
| dvc_name | str | | | |
| action | str | `(action_1 != null) ? action_1 : (startswith(pattern, "1")) ? "deny" : (startswith(pattern, "0")) ? "allow" : (pattern ->> "allow") ? "allow" : (pattern ->> "deny") ? "deny" : null("")` | action_1, pattern | |
| logtype | str | | | |
| srcIp | ip4 | | | |
| srcPort | int4 | | | |
| dstIp | ip4 | | | |
| dstPort | int4 | | | |
| proto | str | | | |
| mac | str | | | |
| icmpType | str | `(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern:', 0) : icmpType_1` | icmpType_1 | |
| pattern | str | `(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern: ', 1) : pattern_1` | pattern_1, icmpType_1 | |
| translated_src_ip | ip4 | | | |
| translated_dst_ip | ip4 | | | |
| translated_port | int4 | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |

network.meraki.ip_flow_start

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| serverdate | timestamp | | | |
| dvc_host | str | | vhost | |
| dvc_name | str | | | |
| action | str | `(action_1 != null) ? action_1 : (startswith(pattern, "1")) ? "deny" : (startswith(pattern, "0")) ? "allow" : (pattern ->> "allow") ? "allow" : (pattern ->> "deny") ? "deny" : null("")` | action_1, pattern | |
| logtype | str | | | |
| srcIp | ip4 | | | |
| srcPort | int4 | | | |
| dstIp | ip4 | | | |
| dstPort | int4 | | | |
| proto | str | | | |
| mac | str | | | |
| icmpType | str | `(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern:', 0) : icmpType_1` | icmpType_1 | |
| pattern | str | `(icmpType_1 -> 'pattern: ') ? split(icmpType_1, 'pattern: ', 1) : pattern_1` | pattern_1, icmpType_1 | |
| translated_src_ip | ip4 | | | |
| translated_dst_ip | ip4 | | | |
| translated_port | int4 | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |

network.meraki.l7_firewall

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| epoch_time | str | | |
| host | str | vhost | |
| log_type | str | | |
| source_ip | ip4 | | |
| destination_ip | ip4 | | |
| protocol | str | | |
| sport | str | | |
| dport | str | | |
| decision | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |

network.meraki.security_event

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| host | str | vhost | |
| serverdate | timestamp | | |
| dvc_name | str | | |
| logtype | str | | |
| subtype | str | | |
| url | str | | |
| src_ip | ip4 | | |
| src_port | str | | |
| dst_ip | ip4 | | |
| dst_port | str | | |
| mac | str | | |
| name | str | | |
| sha256 | str | | |
| disposition | str | | |
| action | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | |

network.meraki.switch

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| serverdate | timestamp | |
| dvc_name | str | |
| dvc_ip | str | |
| type | str | |
| port | str | |
| identity | str | |
| resp | str | |
| rtt | str | |
| message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

network.meraki.urls

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| serverdate | timestamp | | |
| dvc_host | str | vhost | |
| dvc_name | str | | |
| srcIp | ip4 | | |
| srcPort | int4 | | |
| dstIp | ip4 | | |
| dstPort | int4 | | |
| mac | str | | |
| method | str | | |
| url | str | | |
| user_agent | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |

network.meraki.vpn_firewall

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| server_date | timestamp | | |
| dvc_host | str | vhost | |
| dvc_name | str | | |
| log_type | str | | |
| source_ip | ip4 | | |
| destination_ip | ip4 | | |
| mac | str | | |
| protocol | str | | |
| srcPort | int4 | | |
| dstPort | int4 | | |
| icmpType_1 | str | | |
| pattern_1 | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawSource | str | | |