
Collect logs for the Cisco Meraki App

This page provides instructions for configuring log collection for the Cisco Meraki App, as well as log and query examples.

Configure log collection for Cisco Meraki

In this task, you configure an installed collector with a Syslog source that acts as a Syslog server to receive logs and events from Cisco Meraki.

  1. Configure an Installed Collector.

  2. Add a Syslog source to the installed collector:

    1. Name. (Required) A name for the source.

    2. Description. Optional.

    3. Protocol. UDP or TCP. Choose the protocol you configured in Cisco Meraki for Syslog forwarding.

    4. Port. Port number. Choose the port you configured in Cisco Meraki for Syslog forwarding.

    5. Source Category. (Required) Provide a realistic Source Category for this data type. For example: prod/ciscomeraki. For more information, see Best Practices.

  3. Click Save.

Configure Log Forwarding at Cisco Meraki

On the Cisco Meraki platform, you can configure the export of syslog events under Network-wide > General > Reporting > Syslog Servers. The following task is an example of how to configure forwarding for syslog IDS/IPS events.

To configure forwarding for syslog IDS/IPS events, do the following:

  1. On the Cisco Meraki platform, navigate to Network-wide > General > Reporting.
  2. Add the IDS alerts syslog role.

For more information on configuring log forwarding from Cisco Meraki, see the Cisco Meraki documentation.

Sample Log Messages

security_event log sample

<134>1 1563249630.774247467 remote_DC1_appliance security_event ids_alerted signature=1:41944:2 priority=1 timestamp=TIMESTAMPEPOCH.647461 dhost=74:86:7A:D9:D7:AA direction=ingress protocol=tcp/ip src=23.6.199.123:80 dst=10.1.10.51:56938 message: BROWSER-IE Microsoft Edge scripting engine security bypass css attempt

2019-07-16 04:00:30 Local0.Info 172.40.20.177 1 1561036264.565291108 australia_sydney security_event security_filtering_file_scanned url=http://tlu123.dl123.delivery.mp.microsoft.com/filestreamingservice/files/36ec4eb7-46dd-4aeb-990e-b6d32f7ed567?P1=1561036860&P2=402&P3=2&P4=Zj3qRDR5CbzfWlP8BuYg%2bUlTon0XE774ExEEquiawstLAJ2%2bQm3OoWLcwz3HBt8qp3r3buVRVoT5BQcUCcNlXw%3d%3d src=172.16.10.98:64160 dst=200.188.210.42:180 mac=20:1C:BC:B2:0F:20 name='' sha256=093e4fc218b27e58e2fede7b8cb044d48d66995ae785bbc186a9df5ae08ca4f7 disposition=malicious action=block

urls log sample

<134>1 1563249910.949155659 AP_firstfloor urls src=10.1.10.113:54877 dst=10.1.10.209:1400 mac=13:0C:AC:B2:0F:11 agent='Spotify/110600113 OSX/0 (MacBookAir7,2)' request: GET http://10.1.10.209:1400/spotifyzc?action=getInfo

<134>1 1563261310.844330465 india_headoffice1 urls src=10.1.10.133:49305 dst=172.200.0.42:443 mac=13:0C:AC:B2:0F:11 request: UNKNOWN https://appswaldo-pa.clients6.google.com/...

flows log sample

<134>1 1563246850.048798929 Head_office_Appliance flows allow src=192.168.254.135 dst=192.168.254.7 mac=E8:E8:B7:35:4A:C2 protocol=udp sport=33787 dport=35

<134>1 1563262452.817053535 Reception_Bad_ flows deny src=10.20.41.19 dst=192.168.0.219 mac=19:EC:C5:7A:B2:2D protocol=tcp sport=61822 dport=8080

air_marshal log sample

<134>1 1563262058.692773343 AP_secondfloor airmarshal_events type=ssid_spoofing_detected ssid='Sumo-Guest' vap='10' bssid='9A:69:66:99:66:9A' src='64:92:49:26:99:64' dst='00:00:48:04:00:1F' channel='36' rssi='32' fc_type='0' fc_subtype='8'

<134>1 1563260410.364008273 AP_firstfloor airmarshal_events type=rogue_ssid_detected ssid='Library' bssid='B2:60:F1:71:81:FD' src='B2:60:F1:71:81:FD' dst='FF:FF:FF:FF:FF:FF' wired_mac='90:60:FF:71:81:FD' vlan_id='0' channel='2' rssi='55' fc_type='0' fc_subtype='8'

event log sample

2019-07-16 05:00:10 Local0.Info 172.33.222.111 1 1563253210.652261509 Head_office_Appliance events type=vpn_registry_change vpn_type='site-to-site' connectivity='true'

2019-07-16 05:00:10 Local0.Info 172.33.222.111 1 1563253210.025977456 main_branch_appliance events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='108.176.1.238:57357' peer_ident='449bc8f664862e11df74de400df333df' connectivity='false'

2019-07-16 07:27:37 Local0.Info 172.33.222.111 1 1563262057.262021278 HQ_Switch1 events Power supply Q2AS-95FW-7776 was inserted into slot 1

Query sample

The following query is from the High Severity Threats panel of the Cisco Meraki - Overview dashboard.

_sourceCategory=*meraki* "security_event"
| parse regex " (?<name>\S*?)\s(?<msg_type>urls|flows|events|ids-alerts|security_event|airmarshal_events?)\s+"
| parse "security_event * signature=* priority=* timestamp=* dhost=* direction=* protocol=* src=*:* dst=*:* message: *" as type, signature, priority, timestamp, dhost, direction, protocol, src_ip, src_port, dest_ip, dest_port, msg nodrop
| parse "security_event * name='*' sha256=* disposition=* action=*" as type, name2, sha256, disposition, action nodrop
| parse "security_event * url=* src=*:* dst=*:* mac=* name='*' sha256=* disposition=* action=*" as type, url, src_ip, src_port, dest_ip, dest_port, mac, name2, sha256, disposition, action nodrop
| where priority="1" and msg_type="security_event"
| if (priority="1", "High", if (priority="2", "medium", if (priority="3", "Low", if (priority="4", "Very Low", priority)))) as priority
| count as threatCount
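The following Python parser is an added example for this page; it is not Sumo Logic or Cisco Meraki code. It reads lines in the two shapes shown in the samples above (the `<134>1 <epoch> <device> <type> ...` form and the `<date> Local0.Info <ip> 1 <epoch> <device> <type> ...` form), pulls out the common header, the bare sub-event token (`ids_alerted`, `allow`, `deny`, ...), quoted and unquoted `key=value` fields and the free-text `message:` / `request:` tail, splits `ip:port` endpoints the way the query's `src=*:*` pattern does, and applies the same priority-to-severity mapping to count High severity security events. The sample lines are constructed to match the page's formats; the device names, addresses, hash and timestamps in them are made up.

```python
import re

# Severity labels exactly as the dashboard query maps them.
PRIORITY_LABELS = {"1": "High", "2": "medium", "3": "Low", "4": "Very Low"}

MSG_TYPES = ("urls", "flows", "events", "ids-alerts", "security_event", "airmarshal_events")

# Common header: epoch, device name, message type, then the body. search() rather
# than match() lets the same pattern accept both syslog prefixes seen in the samples.
HEADER_RE = re.compile(
    r"(?P<epoch>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<msg_type>"
    + "|".join(MSG_TYPES)
    + r")\s+(?P<body>.*)$"
)
# key=value pairs: values are single-quoted (possibly empty) or bare non-space runs.
KV_RE = re.compile(r"(?P<key>[a-z0-9_]+)=(?:'(?P<quoted>[^']*)'|(?P<bare>\S*))")
# Free-text tail of security_event / urls lines.
FREE_TEXT_RE = re.compile(r"\s(?P<label>message|request):\s(?P<text>.*)$")

# Constructed sample lines in the formats shown on this page (values are made up).
SAMPLE_LOGS = [
    "<134>1 1563249630.774247467 remote_DC1_appliance security_event ids_alerted "
    "signature=1:41944:2 priority=1 timestamp=1563249630.647461 dhost=74:86:7A:D9:D7:AA "
    "direction=ingress protocol=tcp/ip src=23.6.199.123:80 dst=10.1.10.51:56938 "
    "message: BROWSER-IE Microsoft Edge scripting engine security bypass css attempt",
    "<134>1 1563249640.123456789 remote_DC1_appliance security_event ids_alerted "
    "signature=1:12345:1 priority=3 timestamp=1563249640.100000 dhost=AA:BB:CC:DD:EE:FF "
    "direction=egress protocol=tcp/ip src=10.1.10.51:4444 dst=203.0.113.9:443 "
    "message: MALWARE-CNC constructed low-priority sample alert",
    "<134>1 1563036264.565291108 australia_sydney security_event security_filtering_file_scanned "
    "url=http://example.invalid/files/abc?P1=1&P2=2 src=172.16.10.98:64160 dst=203.0.113.42:180 "
    "mac=20:1C:BC:B2:0F:20 name='' "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000 "
    "disposition=malicious action=block",
    "<134>1 1563246850.048798929 Head_office_Appliance flows allow src=192.168.254.135 "
    "dst=192.168.254.7 mac=E8:E8:B7:35:4A:C2 protocol=udp sport=33787 dport=35",
    "<134>1 1563262058.692773343 AP_secondfloor airmarshal_events type=ssid_spoofing_detected "
    "ssid='Sumo-Guest' vap='10' bssid='9A:69:66:99:66:9A' src='64:92:49:26:99:64' channel='36'",
    "2019-07-16 05:00:10 Local0.Info 172.33.222.111 1 1563253210.025977456 main_branch_appliance "
    "events type=vpn_connectivity_change vpn_type='site-to-site' connectivity='false'",
]


def parse_meraki_line(line):
    """Parse one Meraki syslog line into a dict, or return None if it is not one."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    event = {
        "epoch": float(m.group("epoch")),
        "device": m.group("device"),
        "msg_type": m.group("msg_type"),
    }
    body = m.group("body")

    # Peel off the free-text tail first so its words are not mistaken for fields.
    tail = FREE_TEXT_RE.search(body)
    if tail:
        event[tail.group("label")] = tail.group("text").strip()
        body = body[: tail.start()]

    first_kv = KV_RE.search(body)
    if first_kv is None:
        # No key=value pairs at all (e.g. "Power supply ... was inserted into slot 1").
        event["text"] = body.strip()
        return event

    # Bare tokens before the first key=value pair name the sub-event:
    # "ids_alerted", "security_filtering_file_scanned", or the flows verdict.
    prefix = body[: first_kv.start()].split()
    if prefix:
        event["subtype"] = prefix[0]

    for kv in KV_RE.finditer(body):
        quoted = kv.group("quoted")
        event[kv.group("key")] = quoted if quoted is not None else kv.group("bare")

    # Split ip:port endpoints as the query's src=*:* / dst=*:* does. A single colon
    # marks ip:port; MAC addresses (five colons) and bare IPs are left untouched.
    for key in ("src", "dst"):
        value = event.get(key, "")
        if value.count(":") == 1:
            event[key + "_ip"], event[key + "_port"] = value.split(":")
    return event


def priority_label(priority):
    """Map a Meraki IDS priority code to the label the query assigns; unknown codes pass through."""
    return PRIORITY_LABELS.get(priority, priority)


def count_high_severity_threats(lines):
    """Mirror of `where priority="1" and msg_type="security_event" | count as threatCount`."""
    count = 0
    for line in lines:
        event = parse_meraki_line(line)
        if event and event["msg_type"] == "security_event" and event.get("priority") == "1":
            count += 1
    return count


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(parse_meraki_line(sample))
    print("threatCount:", count_high_severity_threats(SAMPLE_LOGS))
```

The free-text tail is removed before field extraction because a `message:` string from an IDS signature can itself contain `word=value` sequences that would otherwise be picked up as fields; the page's query avoids the same problem by anchoring `message: *` as the last capture.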