
network.meraki

Introduction

The tags beginning with network.meraki identify events generated by Cisco Meraki Network Security products.

Valid tags and data tables

The full tag must have at least 3 levels. The first two are fixed as network.meraki. The third level identifies the type of events sent. The fourth, fifth and sixth levels indicate the event subtypes and are used only in the network.meraki.api tags.

Technology | Brand | Type | Subtype | Subtype | Subtype
--- | --- | --- | --- | --- | ---
network | meraki | api | <subtype> | <version> | <format>
network | meraki | events | | |
network | meraki | flows | | |
network | meraki | ids-alerts | | |
network | meraki | urls | | |
network | meraki | airmarshal_events | | |
network | meraki | switch | | |
network | meraki | security_event | | |

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag | Data table
--- | ---
network.meraki.api.<subtype>.<version>.<format> | network.meraki.api.events, network.meraki.api.security_events
network.meraki.events | network.meraki.events
network.meraki.flows | network.meraki.flows
network.meraki.ids.alerts | network.meraki.idsAlerts
network.meraki.urls | network.meraki.urls
network.meraki.airmarshal_events | network.meraki.airmarshal_events
network.meraki.events.switch | network.meraki.events.switch
network.meraki.security_events | network.meraki.security_events

How is the data sent to Devo?

To send logs to the network.meraki.api.events and network.meraki.api.security_events tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Cisco Meraki.

For the rest of the tables, you must define a specific relay rule to send the events to Devo properly. For events generated by Meraki MS Switches, use rule 1; for events generated by a Meraki MX Security Appliance or a Meraki MR Access Point, use rule 2. For more information about event types and log samples, check this article.

Rule 1 - Switch events

Create a rule with the following values for logs generated by Meraki MS Switch devices (the port number can be any free port on your relay):

  • Source port → 13005
  • Target tag → network.meraki.switch
  • Check the Stop processing and Sent without syslog tag checkboxes


Rule 2 - Other events

Use this rule for events generated by a Meraki MX Security Appliance or a Meraki MR Access Point. If you configure this rule, the relay will apply a tag that begins with network.meraki when the source conditions are met. A regular expression in the Source Data field describes the format of the event data and identifies the event type as a capturing group. This capturing group is extracted from the event and used to create the third level of the tag.

You don't need to apply this rule if you are sending Switch events only. In case you need to apply both rules, you must define the Switch rule first.

Define the rule using the following values (the port number can be any free port on your relay):

  • Source port → 13005
  • Source data → ^[^ ]+ [^ ]+ ([^ ]+) .*
  • Target tag → network.meraki.\D1
  • Target message → \D0
  • Check the Stop processing and Sent without syslog tag checkboxes
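The following is an added Python example, not part of this page or of the Devo relay, that applies the Rule 2 Source data regex to constructed messages so you can check which tag a given line would receive; the urls line, the two short lines and the helper names are assumptions made here.

```python
import re

# Source data regex from Rule 2: token 1 = timestamp, token 2 = device
# name, token 3 (the capturing group, \D1) = event type; \D0 is the
# whole message. The regex requires a space after the type token, so a
# message that ends right after the type does not match.
RULE2_SOURCE_DATA = re.compile(r"^[^ ]+ [^ ]+ ([^ ]+) .*")
TARGET_TAG_PREFIX = "network.meraki."   # Target tag -> network.meraki.\D1


def apply_rule2(message: str):
    """Return (target_tag, target_message) for a matching message, or
    None when the Source data regex does not match."""
    m = RULE2_SOURCE_DATA.match(message)
    if m is None:
        return None
    return TARGET_TAG_PREFIX + m.group(1), m.group(0)


# Constructed inputs: the flows line is trimmed from the log samples on
# this page; the urls line and the two short lines are made up here.
SAMPLES = {
    "flows": "1395878466.183408315 Orion_Chile_Firewall_ flows "
             "src=64.76.154.124 dst=200.72.71.132 protocol=icmp type= "
             "pattern: 0 src 64.76.154.124 && dst 200.72.71.132",
    "urls": "1395878400.000000000 Orion_Chile_Firewall_ urls "
            "src=192.168.1.91:9936 dst=50.16.114.165:80 request: GET http://example.com/",
    "too_short": "1395878400.000000000 Orion_Chile_Firewall_",
    "no_payload": "1395878400.000000000 Orion_Chile_Firewall_ flows",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        result = apply_rule2(line)
        print(name, "->", result[0] if result else "no match")
```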

Configure log forwarding from Meraki

There are a couple of ways to configure the output to a Syslog Server in Meraki. Consult the vendor documentation for instructions. 

If your environment has multiple MX devices using a site-to-site VPN, and the logging is done to a Devo Relay outside the VPN, be sure that you create a site-to-site firewall rule that will permit outbound traffic to the relay. Consult the vendor documentation for instructions for creating an outbound traffic rule. In this rule, the Source should be the Internet port 1 address of the sending machine. The Destination should be the IP address of the Devo Relay and the Dst Port should be the relay port specified in the Devo Relay rule.

Log samples

The following are sample logs sent to some of the network.meraki data tables. Also, find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

network.meraki.flows

2021-09-13 14:23:53.373 localhost=127.0.0.1 network.meraki.flows: 2014-03-27 00:01:06.523 1=192.168.1.252/ubuntu-virtual-machine=200.72.71.131/public-amazon-relay-eu-west-1-ec2-176-34-223-47=10.32.47.245 network.meraki.flows: 1395878466.183408315 Orion_Chile_Firewall_ flows src=64.76.154.124 dst=200.72.71.132 protocol=icmp type= pattern: 0 src 64.76.154.124 && dst 200.72.71.132
2021-09-13 14:23:53.373 localhost=127.0.0.1 network.meraki.flows: 2014-03-27 00:00:00.098 1=192.168.1.252/ubuntu-virtual-machine=200.72.71.131/public-amazon-relay-eu-west-1-ec2-176-34-223-47=10.32.47.245 network.meraki.flows: 1395878399.813590519 Orion_Chile_Firewall_ flows src=192.168.1.91 dst=50.16.114.165 mac=00:26:C7:D8:A5:24 protocol=tcp sport=9936 dport=32137 pattern: allow all
2021-09-13 14:52:10.559 localhost=127.0.0.1 network.meraki.flows: 1395878399.813590519 Orion_Chile_Firewall_ flows src=192.168.1.91 dst=50.16.114.165 mac=00:26:C7:D8:A5:24 protocol=tcp sport=9936 dport=32137 pattern: allow all
2021-09-13 14:52:10.559 localhost=127.0.0.1 network.meraki.flows: 1395878466.183408315 Orion_Chile_Firewall_ flows src=64.76.154.124 dst=200.72.71.132 protocol=icmp type= pattern: 0 src 64.76.154.124 && dst 200.72.71.132
2021-09-15 10:29:29.606 localhost=127.0.0.1 network.meraki.flows: 1395878399.813590519 Orion_Chile_Firewall_ flows src=192.168.1.91 dst=50.16.114.165 mac=00:26:C7:D8:A5:24 protocol=tcp sport=9936 dport=32137 pattern: allow all

And this is how the log would be parsed:

Field | Value | Type | Source field name | Extra fields
--- | --- | --- | --- | ---
eventdate | 2021-09-13 14:23:53.373 | timestamp | |
serverdate | null | timestamp | |
dvc_host | localhost | str | vhost |
dvc_name | 1=192.168.1.252/ubuntu-virtual-machine=200.72.71.131/public-amazon-relay-eu-west-1-ec2-176-34-223-47=10.32.47.245 | str | |
action | 1395878466.183408315 | str | action_1, pattern (null) |
logtype | network.meraki.flows: | str | |
srcIp | 64.76.154.124 | ip4 | |
srcPort | null | int4 | |
dstIp | 200.72.71.132 | ip4 | |
dstPort | null | int4 | |
proto | icmp | str | |
mac | null | str | |
icmpType | | str | icmpType_1 |
pattern | 0 src 64.76.154.124 && dst 200.72.71.132 | str | pattern_1, icmpType_1 |
translated_src_ip | null | ip4 | |
translated_dst_ip | null | ip4 | |
translated_port | null | int4 | |
hostchain | localhost=127.0.0.1 | str | | ✓
tag | network.meraki.flows | str | | ✓
rawMessage | 2014-03-27 00:01:06.523 1=192.168.1.252/ubuntu-virtual-machine=200.72.71.131/public-amazon-relay-eu-west-1-ec2-176-34-223-47=10.32.47.245 network.meraki.flows: 1395878466.183408315 Orion_Chile_Firewall_ flows src=64.76.154.124 dst=200.72.71.132 protocol=icmp type= pattern: 0 src 64.76.154.124 && dst 200.72.71.132 | str | rawSource | ✓
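As an added illustration (not Devo's parser and not code from this page), the Python below reads the two flow message formats shown in the samples above, the icmp one and the tcp one, into the column names of the network.meraki.flows table; the key-to-column mapping, the integer casts and the epoch/device columns are this example's own assumptions.

```python
import re

# Constructed from the two flow samples on this page, with the relay
# header (eventdate, hostchain, tag) already stripped.
ICMP_FLOW = ("1395878466.183408315 Orion_Chile_Firewall_ flows src=64.76.154.124 "
             "dst=200.72.71.132 protocol=icmp type= pattern: 0 src 64.76.154.124 "
             "&& dst 200.72.71.132")
TCP_FLOW = ("1395878399.813590519 Orion_Chile_Firewall_ flows src=192.168.1.91 "
            "dst=50.16.114.165 mac=00:26:C7:D8:A5:24 protocol=tcp sport=9936 "
            "dport=32137 pattern: allow all")

# key in the message -> column in the network.meraki.flows table
COLUMNS = {"src": "srcIp", "dst": "dstIp", "protocol": "proto", "mac": "mac",
           "sport": "srcPort", "dport": "dstPort", "type": "icmpType"}
INT_COLUMNS = {"srcPort", "dstPort"}
HEADER = re.compile(r"^(?P<ts>\d+\.\d+) (?P<device>[^ ]+) flows (?P<rest>.*)$")


def parse_flow(message: str) -> dict:
    """Split a flows message into the documented columns. Missing keys
    become None (the table shows them as null); an empty value such as
    'type=' on the icmp sample is also None."""
    m = HEADER.match(message)
    if m is None:
        raise ValueError("not a Meraki flows message")
    # Everything after ' pattern: ' is the firewall rule that matched.
    body, _, pattern = m.group("rest").partition(" pattern: ")
    row = {col: None for col in COLUMNS.values()}
    row["epoch"] = float(m.group("ts"))        # assumed column name
    row["dvc"] = m.group("device")             # assumed column name
    row["pattern"] = pattern or None
    for pair in body.split():
        key, _, value = pair.partition("=")
        col = COLUMNS.get(key)
        if col is None or value == "":
            continue
        row[col] = int(value) if col in INT_COLUMNS else value
    return row


if __name__ == "__main__":
    for line in (ICMP_FLOW, TCP_FLOW):
        print(parse_flow(line))
```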

network.meraki.api.events

<14>2021-05-07 13:28:32.879 localhost=127.0.0.1 network.meraki.api.events.1.json: {"occurredAt": "2018-02-11T00:00:00.090210Z", "networkId": "N_24329156", "type": "association", "description": "802.11 association", "clientId": "k74272e", "clientDescription": "Miles\'s phone", "deviceSerial": "Q234-ABCD-5678", "deviceName": "My AP", "ssidNumber": 1, "ssidName": "My SSID", "eventData": {"radio": "1", "vap": "1", "client_mac": "2e:21:fe:61:86:2b", "client_ip": "60.59.246.49", "channel": "36", "rssi": "12", "aid": "2104009183"}}

And this is how the log would be parsed:

Field | Value | Type | Extra fields
--- | --- | --- | ---
eventdate | date(2021-05-07 13:28:32.879) | timestamp | ✓
hostchain | localhost=127.0.0.1 | str | ✓
tag | network.meraki.api.events.1.json | str | ✓
occurredAt | date(2018-02-11 00:00:00.090) | timestamp |
networkId | N_24329156 | str |
type | association | str |
description | 802.11 association | str |
clientId | k74272e | str |
clientDescription | Miles\s phone | str |
deviceSerial | Q234-ABCD-5678 | str |
deviceName | My AP | str |
ssidNumber | 1L | int8 |
ssidName | My SSID | str |
eventDataRadio | 1 | str |
eventDataVap | 1 | str |
eventDataClientMac | 2e:21:fe:61:86:2b | str |
eventDataClientIp | 60.59.246.49 | str |
eventDataChannel | 36 | str |
eventDataRssi | 12 | str |
eventDataAid | 2104009183 | str |

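The table above shows nested eventData keys arriving as eventDataRadio, eventDataClientMac and so on. The added Python example below (not Devo's code) reproduces that flattening for the whole sample so the column set can be checked in one pass; the camel-case rule is inferred from the table and is an assumption of this example.

```python
import json

# The network.meraki.api.events sample from this page as a constructed
# string. The raw line on the page escapes the apostrophe as \', which
# strict JSON parsers reject; it is a plain apostrophe here.
API_EVENT = """{"occurredAt": "2018-02-11T00:00:00.090210Z", "networkId": "N_24329156",
 "type": "association", "description": "802.11 association", "clientId": "k74272e",
 "clientDescription": "Miles's phone", "deviceSerial": "Q234-ABCD-5678",
 "deviceName": "My AP", "ssidNumber": 1, "ssidName": "My SSID",
 "eventData": {"radio": "1", "vap": "1", "client_mac": "2e:21:fe:61:86:2b",
 "client_ip": "60.59.246.49", "channel": "36", "rssi": "12", "aid": "2104009183"}}"""


def _column_name(prefix: str, key: str) -> str:
    """eventData + client_mac -> eventDataClientMac: each snake_case part
    is capitalised and appended to the parent key (assumed rule)."""
    return prefix + "".join(part[:1].upper() + part[1:] for part in key.split("_"))


def flatten_event(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects into one level of columns; scalar top-level
    keys keep their original name."""
    columns = {}
    for key, value in obj.items():
        name = _column_name(prefix, key) if prefix else key
        if isinstance(value, dict):
            columns.update(flatten_event(value, name))
        else:
            columns[name] = value
    return columns


def load_columns(raw_json: str) -> dict:
    """Parse the JSON payload that follows the tag and flatten it."""
    return flatten_event(json.loads(raw_json))


if __name__ == "__main__":
    for column, value in load_columns(API_EVENT).items():
        print(f"{column} = {value!r}")
```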
network.meraki.api.security_events

<14>2021-05-07 13:27:42.796 localhost=127.0.0.1 network.meraki.api.security_events.1.json: {"ts": "2020-03-20T16:00:10.144989Z", "eventType": "File Scanned", "clientName": "COMPUTER-M-V78J", "clientMac": "bb:61:0f:de:e2:bf", "clientIp": "7.236.164.168", "srcIp": "7.236.164.168", "destIp": "165.93.191.116", "protocol": "http", "uri": "http://www.favorite-icons.com/program/FavoriteIconsUninstall.exe", "canonicalName": "PUA.Win.Dropper.Kraddare::1201", "destinationPort": 80, "fileHash": "3ec1b9a95fe62aa25fc959643a0f227b76d253094681934daaf628d3574b3463", "fileType": "MS_EXE", "fileSizeBytes": 193688, "disposition": "Malicious", "action": "Blocked"}

And this is how the log would be parsed:

Field | Value | Type | Extra fields
--- | --- | --- | ---
eventdate | date(2021-05-07 13:27:42.796) | timestamp | ✓
hostchain | localhost=127.0.0.1 | str | ✓
tag | network.meraki.api.security_events.1.json | str | ✓
ts | date(2020-03-20 16:00:10.144) | timestamp |
eventType | File Scanned | str |
clientName | COMPUTER-M-V78J | str |
clientMac | bb:61:0f:de:e2:bf | str |
clientIp | 7.236.164.168 | str |
srcIp | 7.236.164.168 | str |
destIp | 165.93.191.116 | str |
protocol | http | str |
uri | http://www.favorite-icons.com/program/FavoriteIconsUninstall.exe | str |
canonicalName | PUA.Win.Dropper.Kraddare::1201 | str |
destinationPort | 80L | int8 |
fileHash | 3ec1b9a95fe62aa25fc959643a0f227b76d253094681934daaf628d3574b3463 | str |
fileType | MS_EXE | str |
fileSizeBytes | 193688L | int8 |
disposition | Malicious | str |
action | Blocked | str |