Introduction
The tags beginning with network.meraki identify events generated by Cisco Meraki Network Security products.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as network.meraki. The third level identifies the type of events sent. The fourth, fifth, and sixth levels indicate the event subtypes and are used in the network.meraki.api tags.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|---|---|
Cisco Meraki |
|
|
| ||
| ||
| ||
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
For more information, read more About Devo tags.
How is the data sent to Devo?
To send logs to the network.meraki.api.events and network.meraki.api.security_events tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Cisco Meraki collector.
For the rest of tables, you must define a specific relay rule to send the events to Devo properly. For events generated by Meraki MS Switches, use rule 1; for events generated by a Meraki MX Security Appliance or a Meraki MR Access Point, you must use rule 2. For more information about event types and log samples, check this article.
Rule 1 - Switch events
Create a rule with the following values for logs generated by Meraki MS Switch devices (the port number can be any free port on your relay):
Source port →
13005Target tag →
network.meraki.switchCheck the Stop processing and Sent without syslog tag checkboxes
Rule 2 - Other events
Use this rule for events generated by a Meraki MX Security Appliance or a Meraki MR Access Point. If you configure this rule, the relay will apply a tag that begins with network.meraki when the source conditions are met. A regular expression in the Source data field describes the format of the event data and identifies the event type as a capturing group. This capturing group is extracted from the event and used to create the third level of the tag.
You don't need to apply this rule if you are sending Switch events only. In case you need to apply both rules, you must define the Switch rule first.
Define the rule using the following values (the port number can be any free port on your relay):
Source port →
13005Source data →
[^ ]+ [^ ]+ ([^ ]+) .*Target tag →
network.meraki.\\D1Target message →
\\D0Check the Stop processing and Sent without syslog tag checkboxes
Configure log forwarding from Meraki
There are a couple of ways to configure the output to a Syslog Server in Meraki. Consult the vendor documentation for instructions.
If your environment has multiple MX devices using a site-to-site VPN, and the logging is done to a Devo Relay outside the VPN, be sure that you create a site-to-site firewall rule that will permit outbound traffic to the relay. Consult the vendor documentation for instructions for creating an outbound traffic rule. In this rule, the Source should be the Internet port 1 address of the sending machine. The Destination should be the IP address of the Devo Relay and the Dst Port should be the relay port specified in the Devo Relay rule.
Table structure
These are the fields displayed in these tables: