Cisco Meraki Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Cisco Meraki is a hardware vendor and sells cloud-controlled security appliances (firewalls), switches, and access points via a centralized managed platform. This technology pack processes Cisco Meraki logs, providing normalization and enrichment of common events of interest.

Supported Version(s)

  • Up to MX16.9+

  • Up to MR30.x

Supported Event Types

MR (Wireless): association, disassociation, wpa_auth, wpa_deauth, wpa_client_deauth, 8021x_auth, 8021x_deauth, 8021x_client_deauth, 8021x_eap_success, 8021x_eap_failure, 8021x_guest_auth, 8021x_critical_auth, splash_auth, mac_spoofing_attack, multiple_dhcp_servers_detected, device_packet_flood, rogue_ssid_detected, ssid_spoofing_detected, aps_association_reject, dfs_event

MX (Security Appliance): flows, ip_flow_start, ip_flow_end, firewall, vpn_firewall, cellular_firewall, bridge_anyconnect_client_vpn_firewall, urls, ids-alerts, security_event (ids_alerted, security_filtering_file_scanned, security_filtering_disposition_change), authentication, dhcp, content_filtering_block, nbar_block, anyconnect_vpn_connect, anyconnect_vpn_disconnect, anyconnect_vpn_auth_success, anyconnect_vpn_auth_failure, client_vpn_connect, client_vpn_disconnect, vrrp, vpn_connectivity_change, route_connection_change

Requirements

  • Configure Cisco Meraki to transmit Syslog to your Graylog server Syslog input.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Cisco Device Messages"

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Cisco Devices Event Log Messages"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Examples

1 1619032507.590967163 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp translated_dst_ip=4.4.4.4

1 1619032507.495518695 DEVICE_NAME flows src=1.1.1.1 dst=2.2.2.2 protocol=udp sport=1900 dport=1900 pattern: 1 all

What is Provided

  • Parsing rules to extract Cisco Meraki logs into Graylog schema-compatible fields.

  • Graylog Information Model categorization and enforcement fields for authentication, network flow, IDS/IPS, HTTP, and DHCP events.

GIM Categorization

GIM categorization is provided for the following messages:

vendor_event_type gim_event_type_code GIM Category GIM Subcategory GIM Event Type
authentication 100000|100500 authentication authentication.logon + credential_validation logon + credential validation
8021x_auth 100000|100500 authentication authentication.logon + credential_validation logon + credential validation
8021x_eap_success 100000|100500 authentication authentication.logon + credential_validation logon + credential validation
8021x_guest_auth 100000|100500 authentication authentication.logon + credential_validation logon + credential validation
wpa_auth 100000|100500 authentication authentication.logon + credential_validation logon + credential validation
splash_auth 100000|100500 authentication authentication.logon + credential_validation logon + credential validation
anyconnect_vpn_auth_success 100000|100500 authentication authentication.logon + credential_validation logon + credential validation
anyconnect_vpn_connect 100000 authentication authentication.logon logon
client_vpn_connect 100000 authentication authentication.logon logon
association 100000 authentication authentication.logon logon
anyconnect_vpn_auth_failure 100000 authentication authentication.logon logon (event_outcome=failure)
8021x_eap_failure 100000 authentication authentication.logon logon (event_outcome=failure)
8021x_deauth 102500 authentication authentication.logoff logoff
8021x_client_deauth 102500 authentication authentication.logoff logoff
wpa_deauth 102500 authentication authentication.logoff logoff
disassociation 102500 authentication authentication.logoff logoff
anyconnect_vpn_disconnect 102500 authentication authentication.logoff logoff
client_vpn_disconnect 102500 authentication authentication.logoff logoff
ip_flow_start 120000 network network.network_connection network connection
ip_flow_end 120000 network network.network_connection network connection
flows 120000 network network.network_connection network connection
nbar_block 120000 network network.network_connection network connection
urls 180100 http http.request http request
dhcp 299999 dhcp dhcp.default dhcp default
ids_alerted 300000 detection detection.network_detection ids_detection
device_packet_flood 300000 detection detection.network_detection ids_detection
security_filtering_file_scanned 300000 detection detection.network_detection ids_detection
mac_spoofing_attack 300001 detection detection.network_detection network_detection
multiple_dhcp_servers_detected 300001 detection detection.network_detection network_detection
rogue_ssid_detected 300001 detection detection.network_detection network_detection
ssid_spoofing_detected 300001 detection detection.network_detection network_detection
security_filtering_disposition_change 300001 detection detection.network_detection network_detection