The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
Cisco Meraki is a hardware vendor that sells cloud-managed security appliances (firewalls), switches, and access points administered through a centralized management platform. This technology pack processes Cisco Meraki logs, normalizing and enriching common events of interest.
Supported Version(s)
- Up to MX16.9+
- Up to MR 30.x
Supported MR Log Types
- association
- disassociation
- wpa_auth
- wpa_deauth
- flows
- 8021x_eap_failure
- 8021x_deauth
- 8021x_auth
- 8021x_eap_success
- splash_auth
- mac_spoofing
- multiple_servers
- device_packet_flood
Stream Configuration
This technology pack includes one stream:
- “Illuminate:Cisco Device Messages”
If this stream already exists, it is left unchanged. Otherwise it is created and configured to route messages to the Cisco Devices index set. No stream rules should be configured for this stream.
Index Set Configuration
This technology pack includes one index set definition:
- “Cisco Devices Event Log Messages”
If this index set is already defined, it is left unchanged. If it does not exist, it is created with daily index rotation and a 90-day retention period. These settings can be adjusted as required after installation.
Log Format Examples
1 1619032507.590967163 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp translated_dst_ip=4.4.4.4
1 1619032507.495518695 DEVICE_NAME flows src=1.1.1.1 dst=2.2.2.2 protocol=udp sport=1900 dport=1900 pattern: 1 all
Requirements
- Configure Cisco Meraki to send syslog to the Syslog input on your Graylog server.
Cisco Meraki devices are sometimes configured to send epoch timestamps with nanosecond precision; the Graylog Syslog input cannot parse these messages and will drop them. If your device is configured to send nanosecond timestamps, configure a Raw/Plaintext UDP input in Graylog and point the Meraki device at that raw input. This input must use a port that is not shared with any other existing UDP input. Parsing of epoch timestamps will be addressed in a future version of Graylog.
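As an added example (not part of the Illuminate pack or of Graylog's own code), the parser below reads raw Meraki lines of the shape shown under Log Format Examples, as they would arrive on a Raw/Plaintext input: it keeps the full nanosecond epoch that the Syslog input rejects, separates the optional device name from the event type, and splits the key=value fields. The sample lines, the optional `<134>` syslog priority prefix and the field names in the returned dict are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# MR event types the page lists as supported; used only to flag unknown types.
SUPPORTED_MR_EVENTS = {
    "association", "disassociation", "wpa_auth", "wpa_deauth", "flows",
    "8021x_eap_failure", "8021x_deauth", "8021x_auth", "8021x_eap_success",
    "splash_auth", "mac_spoofing", "multiple_servers", "device_packet_flood",
}

# Optional syslog PRI (assumed, e.g. "<134>"), syslog version, epoch seconds with
# up to 9 fractional digits (nanoseconds), then the free-form remainder.
_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ver>\d+)\s+(?P<sec>\d+)\.(?P<frac>\d{1,9})\s+(?P<rest>.+)$"
)


def parse_meraki_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one raw Meraki syslog line into a flat dict; None if it does not match."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    nanos = int(m.group("frac").ljust(9, "0"))  # right-pad to full nanoseconds
    # datetime carries microseconds only, so the nanosecond value is kept separately.
    ts = datetime.fromtimestamp(int(m.group("sec")), tz=timezone.utc)
    ts = ts.replace(microsecond=nanos // 1000)
    # 'flows' lines end with "pattern: <rule-number> <rule>", which is not key=value.
    body, sep, pattern = m.group("rest").partition(" pattern: ")
    tokens = body.split()
    # Leading tokens without '=' are "[device_name] event_type".
    leading = []
    while tokens and "=" not in tokens[0]:
        leading.append(tokens.pop(0))
    if not 1 <= len(leading) <= 2:
        return None
    event = leading[-1]
    fields: Dict[str, Any] = {
        "syslog_version": int(m.group("ver")),
        "timestamp": ts,
        "timestamp_nanos": nanos,
        "device_name": leading[0] if len(leading) == 2 else None,
        "event_type": event,
        "supported_mr_event": event in SUPPORTED_MR_EVENTS,
    }
    for tok in tokens:  # remaining tokens are key=value pairs
        key, _, value = tok.partition("=")
        fields[key] = value
    if sep:
        fields["pattern"] = pattern.strip()
    return fields
```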
What is Provided
- Parsing rules that extract Cisco Meraki log data into Graylog schema-compatible fields.