
Collect logs for the Cisco Meraki App

This page provides instructions for configuring log collection for the Cisco Meraki App, as well as log and query examples.

Configure log collection for Cisco Meraki

In this task, you configure an installed collector with a Syslog source that acts as a Syslog server to receive logs and events from Cisco Meraki.

  1. Configure an Installed Collector.

  2. Add a Syslog source to the installed collector:

    1. Name. (Required) A name is required.

    2. Description. Optional.

    3. Protocol. UDP or TCP. Choose the protocol you configured in Cisco Meraki for Syslog forwarding. Syslog carries no authentication or integrity protection, so restrict inbound traffic on this port to the addresses your Meraki networks send from; otherwise anyone who can reach the collector can inject messages that the app will treat as Meraki events.

    4. Port. Port number. Choose the port you configured in Cisco Meraki for Syslog forwarding.

    5. Source Category. (Required) Provide a realistic Source Category for this data type. For example: prod/ciscomeraki. The app's dashboard queries filter on _sourceCategory=*meraki* (see the query sample below), so the value you choose must contain meraki. For more information, see Best Practices.

  3. Click Save.

Configure Log Forwarding at Cisco Meraki

On the Cisco Meraki platform, you can configure the export of syslog events under Network-wide > General > Reporting > Syslog Servers. The following task is an example of how to configure forwarding for syslog IDS/IPS events.

To configure forwarding for syslog IDS/IPS events, do the following:

  1. On the Cisco Meraki platform, navigate to Network-wide > General > Reporting.
  2. Under Syslog servers, add a server entry with the IP address and port of the Sumo Logic collector's Syslog source, and assign it the IDS alerts role. Add any other roles you want to collect (for example Flows, URLs, Air Marshal events and the event logs) in the same way; the role name appears as the message type in the samples below.

For more information on configuring log forwarding from Cisco Meraki, see the Cisco Meraki documentation on syslog server configuration.

Sample Log Messages

security_event log sample
<134>1 1563249630.774247467 remote_DC1_appliance security_event ids_alerted signature=1:41944:2 priority=1 timestamp=TIMESTAMPEPOCH.647461 dhost=74:86:7A:D9:D7:AA direction=ingress protocol=tcp/ip src= dst= message: BROWSER-IE Microsoft Edge scripting engine security bypass css attempt

2019-07-16 04:00:30 Local0.Info 1 1561036264.565291108 australia_sydney security_event security_filtering_file_scanned P2=402&P3=2&P4=Zj3qRDR5CbzfWlP8BuYg%2bUlTon0XE774ExEEquiawstLAJ2%2bQm3OoWLcwz3HBt8qp3r3buVRVoT5BQcUCcNlXw%3d%3d src= dst= mac=20:1C:BC:B2:0F:20 name='' sha256=093e4fc218b27e58e2fede7b8cb044d48d66995ae785bbc186a9df5ae08ca4f7 disposition=malicious action=block
urls log sample
<134>1 1563249910.949155659 AP_firstfloor urls src= dst= mac=13:0C:AC:B2:0F:11 agent='Spotify/110600113 OSX/0 (MacBookAir7,2)' request: GET

<134>1 1563261310.844330465 india_headoffice1 urls src= dst= mac=13:0C:AC:B2:0F:11 request: UNKNOWN
flows log sample
<134>1 1563246850.048798929 Head_office_Appliance flows allow src= dst= mac=E8:E8:B7:35:4A:C2 protocol=udp sport=33787 dport=35

<134>1 1563262452.817053535 Reception_Bad_ flows deny src= dst= mac=19:EC:C5:7A:B2:2D protocol=tcp sport=61822 dport=8080
air_marshal log sample
<134>1 1563262058.692773343 AP_secondfloor airmarshal_events type=ssid_spoofing_detected ssid='Sumo-Guest' vap='10' bssid='9A:69:66:99:66:9A' src='64:92:49:26:99:64' dst='00:00:48:04:00:1F' channel='36' rssi='32' fc_type='0' fc_subtype='8'

<134>1 1563260410.364008273 AP_firstfloor airmarshal_events type=rogue_ssid_detected ssid='Library' bssid='B2:60:F1:71:81:FD' src='B2:60:F1:71:81:FD' dst='FF:FF:FF:FF:FF:FF' wired_mac='90:60:FF:71:81:FD' vlan_id='0' channel='2' rssi='55' fc_type='0'
event log sample
2019-07-16 05:00:10 Local0.Info 1 1563253210.652261509 Head_office_Appliance events type=vpn_registry_change vpn_type='site-to-site' connectivity='true'

2019-07-16 05:00:10 Local0.Info 1 1563253210.025977456 main_branch_appliance events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='' peer_ident='449bc8f664862e11df74de400df333df' connectivity='false'

2019-07-16 07:27:37 Local0.Info 1 1563262057.262021278 HQ_Switch1 events Power supply Q2AS-95FW-7776 was inserted into slot 1

Query sample 

The following query is from the High Severity Threats panel of the Cisco Meraki - Overview dashboard.

_sourceCategory=*meraki* "security_event"
| parse regex " (?<name>\S*?)\s(?<msg_type>urls|flows|events|ids-alerts|security_event|airmarshal_events?)\s+"
| parse "security_event * signature=* priority=* timestamp=* dhost=* direction=* protocol=* src=*:* dst=*:* message: *" as type, signature, priority, timestamp, dhost, direction, protocol, src_ip, src_port, dest_ip, dest_port, msg nodrop
| parse "security_event * name='*' sha256=* disposition=* action=*" as type, name2, sha256, disposition, action nodrop
| parse "security_event * url=* src=*:* dst=*:* mac=* name='*' sha256=* disposition=* action=*" as type, url, src_ip, src_port, dest_ip, dest_port, mac, name2, sha256, disposition, action nodrop
| where priority="1" and msg_type="security_event"
| if (priority="1", "High", if (priority="2", "Medium", if (priority="3", "Low", if (priority="4", "Very Low", priority)))) as priority
| count as threatCount
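The sample messages and the dashboard query share one structure: an RFC 5424-style header (a <PRI> value, version 1, an epoch timestamp with a fractional part, the device name and the message role) followed by a role-specific body of key=value pairs, sometimes ending in free text after message: or request:. The Sumo Logic query language cannot be run outside the service, so the following Python script is an added example (not Sumo Logic or Cisco Meraki code) that parses every message type shown above and reproduces the query's filter and count. It also decodes the <134> priority, which is why the relayed samples show Local0.Info. The SAMPLE lines are constructed in the shape of the page's samples: device names, MAC addresses, the hash and the local-range signature ID 1:1000001:1 are made up, and the IP addresses fill in fields that the page's samples have redacted.

```python
"""Parse Cisco Meraki syslog lines and reproduce the "High Severity Threats"
count from the dashboard query above. Added example for this page, not Sumo
Logic or Cisco Meraki code; SAMPLE is constructed in the shape of the page's
samples (names, addresses, the hash and the local-range signature ID are made up)."""
import re
from collections import Counter

# Meraki header: "<PRI>1 <epoch.fraction> <device_name> <role> <body>". A relay may
# replace "<PRI>" with "YYYY-MM-DD HH:MM:SS Local0.Info 1" (page's event log samples).
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>1|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ 1)\s+"
    r"(?P<epoch>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+"
    r"(?P<msg_type>urls|flows|events|ids-alerts|security_event|airmarshal_events)"
    r"(?:\s+(?P<body>.*))?$"
)
# key=value pairs: bare or single-quoted values, possibly empty (redacted src=/dst=)
KV_RE = re.compile(r"(\w+)=('[^']*'|\S*)")
# free-text tails that are not key=value: "message: ..." (IDS), "request: ..." (urls)
FREE_TEXT_RE = re.compile(r"\s*\b(message|request):\s*(.*)$")

FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY_LABELS = {"1": "High", "2": "Medium", "3": "Low", "4": "Very Low"}  # query's if()


def decode_pri(pri):
    """Split a syslog PRI into (facility, severity); <134> is local0 / info."""
    return FACILITIES.get(pri // 8, str(pri // 8)), SEVERITIES[pri % 8]


def parse_line(line):
    """One Meraki syslog line -> dict of fields, or None if the role is unknown
    (the counterpart of the query's parse regex and parse statements)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"epoch": float(m["epoch"]), "device": m["device"], "msg_type": m["msg_type"]}
    if m["pri"] is not None:
        rec["facility"], rec["severity"] = decode_pri(int(m["pri"]))
    body = m["body"] or ""
    if "=" not in body:               # e.g. switch events: a plain sentence
        rec["message"] = body
        return rec
    head, _, rest = body.partition(" ")
    if "=" in head:                   # body opens with key=value (urls, events, air marshal)
        rest = body
    else:                             # security_event sub-type, or the flows verdict
        rec["subtype"] = head
    tail = FREE_TEXT_RE.search(rest)  # first "message:"/"request:" ends the key=value part
    if tail:
        rec[tail.group(1)] = tail.group(2).strip()
        rest = rest[: tail.start()]
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip("'")
    return rec


def high_severity_threats(lines):
    """The query's where + count: security_event records with Snort priority 1."""
    return sum(1 for r in map(parse_line, lines)
               if r and r["msg_type"] == "security_event" and r.get("priority") == "1")


def summarize(lines):
    """Records per (role, sub-type or type): shows which Meraki roles actually arrive."""
    counts = Counter()
    for r in filter(None, map(parse_line, lines)):
        counts[(r["msg_type"], r.get("subtype") or r.get("type") or "-")] += 1
    return counts


SAMPLE = [  # constructed; IPs are documentation/private ranges, signature 1:1000001:1 is a local-rule SID
    "<134>1 1563249630.774247467 remote_DC1_appliance security_event ids_alerted "
    "signature=1:41944:2 priority=1 timestamp=1563249630.647461 dhost=74:86:7A:D9:D7:AA "
    "direction=ingress protocol=tcp/ip src=203.0.113.10:443 dst=192.168.1.25:51234 "
    "message: BROWSER-IE Microsoft Edge scripting engine security bypass css attempt",
    "<134>1 1563249700.000000001 remote_DC1_appliance security_event ids_alerted "
    "signature=1:1000001:1 priority=3 timestamp=1563249699.5 dhost=74:86:7A:D9:D7:AA "
    "direction=ingress protocol=tcp/ip src=198.51.100.7:80 dst=192.168.1.25:50001 "
    "message: LOCAL constructed low-priority rule",
    "<134>1 1563250000.123456789 australia_sydney security_event security_filtering_file_scanned "
    "url=https://files.example.com/download?id=402 src=192.168.1.40:52011 dst=203.0.113.5:443 "
    "mac=20:1C:BC:B2:0F:20 name='' sha256=093e4fc218b27e58e2fede7b8cb044d48d66995ae785bbc186a9df5ae08ca4f7 "
    "disposition=malicious action=block",
    "<134>1 1563249910.949155659 AP_firstfloor urls src=192.168.1.31:50433 dst=203.0.113.20:443 "
    "mac=13:0C:AC:B2:0F:11 agent='Spotify/110600113 OSX/0 (MacBookAir7,2)' request: GET https://www.example.com/",
    "<134>1 1563262452.817053535 Reception_Appliance flows deny src=198.51.100.9:61822 "
    "dst=192.168.1.70:8080 mac=19:EC:C5:7A:B2:2D protocol=tcp sport=61822 dport=8080",
    "<134>1 1563262058.692773343 AP_secondfloor airmarshal_events type=ssid_spoofing_detected "
    "ssid='Sumo-Guest' vap='10' bssid='9A:69:66:99:66:9A' src='64:92:49:26:99:64' "
    "dst='00:00:48:04:00:1F' channel='36' rssi='32' fc_type='0' fc_subtype='8'",
    "2019-07-16 05:00:10 Local0.Info 1 1563253210.025977456 main_branch_appliance events "
    "type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='' "
    "peer_ident='449bc8f664862e11df74de400df333df' connectivity='false'",
    "2019-07-16 07:27:37 Local0.Info 1 1563262057.262021278 HQ_Switch1 events "
    "Power supply Q2AS-95FW-7776 was inserted into slot 1",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)), "high severity:", high_severity_threats(SAMPLE))
```

Running the file prints the per-role counts and the high-severity total, which is 1 for the constructed sample: only one security_event carries priority=1, the same record the dashboard panel would count, while the priority=3 alert is dropped by the where clause exactly as in the query. On real data, an empty security_event bucket in summarize() while flows or urls records keep arriving means the IDS alerts role is not being forwarded from Meraki, not that the collector is misconfigured.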