The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Cisco Meraki is a hardware vendor that sells cloud-managed security appliances (firewalls), switches, and access points administered through a centralized management platform. This technology pack processes Cisco Meraki logs, normalizing and enriching common events of interest.

Supported Version(s)

  • Up to MX16.9+

  • Up to MR30.x

Supported MR Log Types

association, disassociation, wpa_auth, wpa_deauth, flows, 8021x_eap_failure, 8021x_deauth, 8021x_auth, 8021x_eap_success, splash_auth, mac_spoofing, multiple_servers, and device_packet_flood

Requirements

  • Configure Cisco Meraki to transmit Syslog to your Graylog server Syslog input.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Cisco Device Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and the pack's rules will be configured to route messages to it and to the associated index set. No stream rules should be configured on this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Cisco Devices Event Log Messages"

Hint: If this index set is already defined, nothing will be changed. If it does not exist, it will be created with daily rotation and a 90-day retention period. These settings can be adjusted as required after installation.

Log Format Examples

1 1619032507.590967163 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp translated_dst_ip=4.4.4.4

1 1619032507.495518695 DEVICE_NAME flows src=1.1.1.1 dst=2.2.2.2 protocol=udp sport=1900 dport=1900 pattern: 1 all

What is Provided

  • Parsing rules to extract Cisco Meraki logs into Graylog schema compatible fields.

GIM Categorization

GIM categorization is provided for the following messages:

vendor_event_type                 gim_event_type_code
ip_flow_start                     129999
ip_flow_end                       129999
flows                             129999
ids_alerted                       300000
urls                              180100
authentication                    109999
security_filtering_file_scanned   300000
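As an added example (not Graylog's own Illuminate parsing rules), the following Python parses lines in the format shown under Log Format Examples into normalized fields and attaches the gim_event_type_code from the table above. The optional device-name handling and the set of known event types are assumptions drawn from this page's lists.

```python
import re
from datetime import datetime, timezone

# Copied from the GIM categorization table on this page.
GIM_EVENT_TYPE_CODE = {
    "ip_flow_start": 129999, "ip_flow_end": 129999, "flows": 129999,
    "ids_alerted": 300000, "urls": 180100, "authentication": 109999,
    "security_filtering_file_scanned": 300000,
}
# Event names this page lists (MR types plus the table); used to decide
# whether the token after the timestamp is an event type or a device name.
KNOWN_EVENT_TYPES = set(GIM_EVENT_TYPE_CODE) | {
    "association", "disassociation", "wpa_auth", "wpa_deauth",
    "8021x_eap_failure", "8021x_deauth", "8021x_auth", "8021x_eap_success",
    "splash_auth", "mac_spoofing", "multiple_servers", "device_packet_flood",
}
KV_RE = re.compile(r"(\w+)=(\S+)")
PATTERN_RE = re.compile(r"\bpattern:\s*(.*)$")


def parse_meraki_line(line: str) -> dict:
    """Parse '<ver> <epoch.nanos> [DEVICE_NAME] <event_type> k=v ... [pattern: ...]'.
    The device name is optional (first example above). Assumption: an unknown
    event type with no device name would be taken for a device name."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[1].replace(".", "", 1).isdigit():
        raise ValueError(f"not a Meraki event line: {line!r}")
    secs, _, frac = tokens[1].partition(".")
    # Keep microsecond precision without going through a lossy float.
    event_time = datetime.fromtimestamp(int(secs), timezone.utc).replace(
        microsecond=int(frac[:6].ljust(6, "0")))
    idx, device = 2, None
    if tokens[idx] not in KNOWN_EVENT_TYPES and "=" not in tokens[idx]:
        device, idx = tokens[idx], idx + 1
    event_type, rest = tokens[idx], " ".join(tokens[idx + 1:])
    fields = dict(KV_RE.findall(rest))
    m = PATTERN_RE.search(rest)  # trailing 'pattern: 1 all' carries no '='
    if m:
        fields["pattern"] = m.group(1).strip()
    for port in ("sport", "dport"):  # numeric ports allow range searches
        if fields.get(port, "").isdigit():
            fields[port] = int(fields[port])
    return {
        "event_time": event_time.isoformat(),
        "device_name": device,
        "vendor_event_type": event_type,
        # None for event types the table does not map (e.g. wpa_auth)
        "gim_event_type_code": GIM_EVENT_TYPE_CODE.get(event_type),
        **fields,
    }
```

Feed it the message body after the syslog priority has been stripped by the Graylog Syslog input; events absent from the table come back with gim_event_type_code set to None so they can be spotted in a search.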