firewall.meraki
Introduction
The tags beginning with firewall.meraki
identify events generated by
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as firewall.meraki
. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Firewall Meraki | firewall.meraki.events | firewall.meraki.events |
 | firewall.meraki.flows | firewall.meraki.flows |
 | firewall.meraki.idsAlerts | firewall.meraki.idsAlerts |
 | firewall.meraki.urls | firewall.meraki.urls |
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
firewall.meraki.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
serverdate | | | | |
fwip | | ip4(split(split(hostchain, "/")[0], "=")[1]) | hostchain | |
fwname | | | | |
logtype | | | | |
message | | | | |
description | | | | |
protocol | | | | |
source_ip | | | | |
source_port | | | | |
destination_ip | | | | |
destination_port | | | | |
spi | | | | |
type | | | | |
vpn_type | | | | |
peer_contact_ip | | | | |
peer_contact_port | | | | |
peer_ident | | | | |
connectivity | | | | |
source_mac | | | | |
destination_mac | | | | |
subnet | | | | |
dns | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |
firewall.meraki.flows
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
serverdate | | | | |
fwip | | ip4(split(split(hostchain, "/")[0], "=")[1]) | hostchain | |
fwname | | | | |
logtype | | | | |
srcIp | | | | |
srcPort | | | | |
dstIp | | | | |
dstPort | | | | |
proto | | | | |
mac | | | | |
pattern | | | | |
icmpType | | | | |
action | | (pattern -> "1") ? "deny" : (pattern -> "0") ? "allow" : (pattern -> "allow") ? "allow" : (pattern -> "deny") ? "deny" : null("") | pattern | |
translatedSrcIp | | | | |
translatedPort | | | | |
unknown | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |
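The two field transformations above (fwip in the events and flows tables, action in the flows table) reimplemented in Python as an added example that is not part of the Devo documentation. It assumes that Devo's `->` is the string-contains operator, that ip4() yields null for a value that is not a valid IPv4 address, and that the first "/"-separated segment of hostchain has the form `<key>=<firewall ip>`; the hostchain and pattern values are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample hostchain: first "/" segment carries "<key>=<firewall ip>",
# which is the shape the documented fwip transformation assumes.
SAMPLE_HOSTCHAIN = "fw=203.0.113.10/relay=203.0.113.1"


def fwip_from_hostchain(hostchain: str) -> Optional[str]:
    """Mirror of ip4(split(split(hostchain, "/")[0], "=")[1]).

    Returns the dotted IPv4 string, or None where ip4() is assumed to yield
    null: no "=" in the first segment, or a value that is not a valid IPv4.
    """
    first_segment = hostchain.split("/")[0]
    parts = first_segment.split("=")
    if len(parts) < 2:          # split(...)[1] does not exist
        return None
    try:
        return str(ipaddress.IPv4Address(parts[1]))
    except ValueError:          # e.g. hostname or IPv6 instead of IPv4
        return None


def action_from_pattern(pattern: Optional[str]) -> Optional[str]:
    """Mirror of the flows table's action transformation.

    The checks run in the documented order, each as a substring test
    (assumption: Devo's "->" means "contains"), so a pattern such as
    "1 all" is classified by the "1" check before the word checks are
    reached. Anything matching none of them maps to null.
    """
    if pattern is None:
        return None
    ordered_rules = [("1", "deny"), ("0", "allow"),
                     ("allow", "allow"), ("deny", "deny")]
    for needle, action in ordered_rules:
        if needle in pattern:
            return action
    return None


if __name__ == "__main__":
    print(fwip_from_hostchain(SAMPLE_HOSTCHAIN))   # 203.0.113.10
    for p in ("1 all", "0 all", "allow all", "deny all", ""):
        print(repr(p), "->", action_from_pattern(p))
```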
firewall.meraki.idsAlerts
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
serverdate | | | | |
fwip | | | hostchain | |
fwname | | | | |
logtype | | | | |
srcIp | | | | |
srcPort | | | | |
dstIp | | | | |
dstPort | | | | |
signature | | | | |
priority | | | | |
tstamp | | | | |
dhost | | | | |
direction | | | | |
proto | | | | |
message | | | | |
unknown | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |
firewall.meraki.urls
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
serverdate | | | | |
fwip | | | hostchain | |
fwname | | | | |
logtype | | | | |
srcIp | | | | |
srcPort | | | | |
dstIp | | | | |
dstPort | | | | |
mac | | | | |
method | | | | |
url | | | | |
unknown | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |