Skip to main content

Cisco Meraki Source

The Cisco Meraki Source provides a secure endpoint to receive data from the Meraki organization and networks and ingests event logs pertaining to them. It securely stores the required authentication, scheduling, and state tracking information.

note

This source is available in the Fed deployment.

Data collected

Polling IntervalData
Every 12 HoursGet Organizations
Every 12 HoursGet Organization Networks
Every 15 MinutesGet Organization Appliance Security Events
Every 15 MinutesGet Organization Configuration Changes
Every 15 MinutesGet Network Events
Every 15 MinutesGet Network Wireless Air Marshal

Setup

Vendor configuration

In this configuration, you will set up an Meraki source account and configure it to be authorized and authenticated to use device logs and alerts from MERAKI API. To obtain an Meraki auth token, follow the steps below:

  1. Log in to the Meraki application.
  2. Navigate to the Organization, under Configure section, select Settings page.
    cisco-meraki-org-settings.png
  3. Check the Enable access to the Cisco Meraki Dashboard API
    cisco-meraki-org-enable-api.png
  4. Click Save Changes at the bottom of the page.
    cisco-meraki-org-save.png
  5. Navigate to your profile by clicking your name in the upper right corner and select My profile.
    cisco-meraki-my-profile.png
  6. Scroll down to API access and click Generate new API key.
    cisco-meraki-generate-key.png
  7. Save your new API key into your preferred password vault for later use.
    cisco-meraki-save-key.png

For more detailed steps with troubleshooting examples, visit the official documentation here.

Gather Meraki Organization IDs

You will need to provide a single Meraki organization identifier in the configuration. Run the following curl command using your Cisco Meraki API key to see the list of Meraki organizations and note the ID number for the organizations you wish to collect data from.

curl --location 'https://api.meraki.com/api/v1/organizations' --header 'X-Cisco-Meraki-API-Key: {{api_key}}'

Source configuration

When you create an Cisco Meraki Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector. You will need to create a new Cisco Meraki source for every Cisco Meraki organization you want to collect data from.

To configure Cisco Meraki Source:

  1. In Sumo Logic, select Manage Data > Collection > Collection.
  2. On the Collectors page, click Add Source next to a Hosted Collector.
  3. Search for and select Cisco Meraki.
  4. Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
  5. (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
  6. (Optional) Fields. Click the +Add Field link to define the fields you want to associate. Each field needs a name (key) and value.
    • green check circle.png A green circle with a checkmark is shown when the field exists in the Fields table schema.
    • orange exclamation point.png An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored (i.e., dropped).
  7. Base URL. It refers to the default URL where your Meraki account is hosted. If you are located in China, you have the option to modify the base URL.
  8. API Key. Provide the API key you generated from your Meraki account.
  9. Meraki Organization ID. Provide the numeric Meraki organization ID of the Meraki org you want to collect data from. You can only provide one ID. Please create multiple sources for multiple Meraki organizations.
  10. Network Event Collection. Enable or disable this option to collect information about your Meraki Networks, their network events, and wireless Air Marshal events.
  11. (Optional) The Polling Interval is set to 300 seconds by default, you can adjust it based on your needs.
  12. When you are finished configuring the Source, click Save.

JSON schema

Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See how to use JSON to configure Sources for details. 

ParameterTypeValueRequiredDescription
schemaRefJSON Object{"type":"Cisco Meraki"}YesDefine the specific schema type.
sourceTypeString"Universal"YesType of source.
configJSON ObjectConfiguration objectYesSource type specific values.

Configuration Object

ParameterTypeRequiredDefaultDescriptionExample
nameStringYesnullType a desired name of the source. The name must be unique per Collector. This value is assigned to the metadata field _source."mySource"
descriptionStringNonullType a description of the source."Testing source"
categoryStringNonullType a category of the source. This value is assigned to the metadata field _sourceCategory. See best practices for details."mySource/test"
fieldsJSON ObjectNonullJSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM.{"_siemForward": false, "fieldA": "valueA"}
baseURLStringYesnullRegion URL of the Cisco Meraki application.
apiSecretKeyStringYesnullCisco Meraki API secret key.
merakiOrgStringYesnullCisco Meraki Organization ID.
pollingIntervalIntegerNo300This sets how often the Source checks for new data.

Troubleshooting

You may receive the follow error below if you enter an invalid Cisco Meraki organization ID in your configuration. Please follow the steps in the section Gather Meraki Organization IDs to ensure you are using an ID for a Meraki organization returned in that query.

{
"state": "Error",
"errorType": "THIRD-PARTY-CONFIG",
"errorCode": 400,
"errorInfo": "meraki '/api/v1/organizations/orgIdInput' not found using API key"
}

Known Issues

  • The integration will return an error containing the text context deadline exceeded (Client.Timeout or context cancellation while reading body). This error occurs when the integration is reading the HTTP body, but reaches our timeout which is currently set to 10 minutes. We have observed this behavior across multiple customers when the integration is fetching data from the Get Network Wireless Air Marshal endpoint. Increasing the timeout does not appear to solve the issue as the network connection to this specific endpoint will occasionally never complete. Sumo Logic recommends customers contact Cisco Meraki support if they encounter this error.
  • Pagination has a rare occurrence to potentially return a small number duplicate logs. This issue has been reported to Cisco.
  • The Cisco Meraki API has a rate limit of 10 API calls every second. The source can have a collection delay if your Meraki organization has thousands of networks with many product types. The Cisco Meraki API for collecting network events requires one API call per network, per product type. There are a total of 6 product types. The API also requires one API call per network for collecting wireless Air Marshal events. This means 2,000 networks can be around 14,000 API calls (2000*6+2000) to retrieve network events, assuming no pagination is needed. At the rate limit of 10 API calls per second, the quickest we could make API calls is around 24 mins. Occasionally, the Cisco Meraki API can take 1 to 2 seconds to respond, which adds to the time. To solve this issue, Cisco would need to raise the API rate limit or provide an API endpoint for collecting network events and wireless Air Marshal events, without the requirement to iterate over each network and product type individually.
  • Cisco Meraki network events API can return a maximum of 1000 events per request. So, integration will be able to process a maximum of 1000 events with the same timestamp. If there are more events than 1000 events with the same timestamp, they will be skipped.

FAQ

info

Click here for more information about Cloud-to-Cloud sources.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.