Cisco Meraki
Collect logs from Cisco Meraki with Elastic Agent.
Version | 1.23.0 (View all) |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security Observability |
Subscription level | Basic |
Level of support | Elastic |
Cisco Meraki offers a centralized cloud management platform for all Meraki devices such as MX Security Appliances, MR Access Points and so on. Its out-of-band cloud architecture creates secure, scalable and easy-to-deploy networks that can be managed from anywhere. This can be done from almost any device using web-based Meraki Dashboard and Meraki Mobile App. Each Meraki network generates its own events.
Cisco Meraki offers several methods for device reporting. This integration supports gathering events via the Cisco Meraki syslog and via API reporting webhooks. The integration package allows you to search, observe, and visualize the events through Elasticsearch.
Compatibility
A syslog server can be configured to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS switches. This package collects events from the configured syslog server. The integration supports collection of events from "MX Security Appliances" and "MR Access Points". The "MS Switch" events are not recognized.
Configuration
Enabling the integration in Elastic
- In Kibana go to Management > Integrations
- In "Search for integrations" search bar type Meraki
- Click on "Cisco Meraki" integration from the search results.
- Click on Add Cisco Meraki Integration button to add the integration.
Cisco Meraki Dashboard Configuration
Syslog
Cisco Meraki dashboard can be used to configure one or more syslog servers and Meraki message types to be sent to the syslog servers. Refer to Syslog Server Overview and Configuration page for more information on how to configure syslog server on Cisco Meraki.
API Endpoint (Webhooks)
Cisco Meraki dashboard can be used to configure Meraki webhooks. Refer to the Webhooks Dashboard Setup section.
Configure the Cisco Meraki integration
Syslog
Depending on the syslog server setup in your environment check one/more of the following options "Collect syslog from Cisco Meraki via UDP", "Collect syslog from Cisco Meraki via TCP", "Collect syslog from Cisco Meraki via file".
Enter the values for syslog host and port OR file path based on the chosen configuration options.
API Endpoint (Webhooks)
Check the option "Collect events from Cisco Meraki via Webhooks" option.
- Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the Endpoint URL
https://{AGENT_ADDRESS}:8686/meraki/events. - Enter value for "Secret value". This must match the "Shared Secret" value entered when configuring the webhook from Meraki cloud.
- Enter values for "TLS". Cisco Meraki requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
Log Events
Enable to collect Cisco Meraki log events for all the applications configured for the chosen log stream.
Logs
Syslog
The cisco_meraki.log dataset provides events from the configured syslog server. All Cisco Meraki syslog specific fields are available in the cisco_meraki.log field group.
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
cisco_meraki.8021x_auth | flattened | |
cisco_meraki.8021x_deauth | flattened | |
cisco_meraki.8021x_eap_failure | flattened | |
cisco_meraki.8021x_eap_success | flattened | |
cisco_meraki.anyconnect_vpn_session_manager.action | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.bytes_in | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.bytes_out | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.conn_id | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.duration | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.filter | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.ip | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.peer_ip | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.reason | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.session_id | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.session_type | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.tunnel_id | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.tunnel_type | keyword | |
cisco_meraki.anyconnect_vpn_session_manager.user_name | keyword | |
cisco_meraki.aps_association_reject | flattened | |
cisco_meraki.association | flattened | |
cisco_meraki.bssid | keyword | |
cisco_meraki.channel | keyword | |
cisco_meraki.device_packet_flood | flattened | |
cisco_meraki.dfs_event | flattened | |
cisco_meraki.disassociation | flattened | |
cisco_meraki.disposition | keyword | |
cisco_meraki.event_subtype | keyword | |
cisco_meraki.event_type | keyword | |
cisco_meraki.fc_subtype | keyword | |
cisco_meraki.fc_type | keyword | |
cisco_meraki.firewall.action | keyword | |
cisco_meraki.firewall.pattern | keyword | |
cisco_meraki.firewall.rule | keyword | |
cisco_meraki.flows | flattened | |
cisco_meraki.martian_vlan.Client | keyword | |
cisco_meraki.martian_vlan.MAC | keyword | |
cisco_meraki.martian_vlan.VLAN | keyword | |
cisco_meraki.martian_vlan.details | text | |
cisco_meraki.martian_vlan.summary | text | |
cisco_meraki.multiple_dhcp_servers_detected | flattened | |
cisco_meraki.mxport | keyword | |
cisco_meraki.new_port_status | keyword | |
cisco_meraki.old_port_status | keyword | |
cisco_meraki.port | keyword | |
cisco_meraki.security.action | keyword | |
cisco_meraki.security.decision | keyword | |
cisco_meraki.security.dhost | keyword | |
cisco_meraki.security.mac | keyword | |
cisco_meraki.security.priority | keyword | |
cisco_meraki.security.signature | keyword | |
cisco_meraki.site_to_site_vpn.connectivity_change | flattened | |
cisco_meraki.site_to_site_vpn.raw | text | |
cisco_meraki.splash_auth | flattened | |
cisco_meraki.urls.mac | keyword | |
cisco_meraki.vap | keyword | |
cisco_meraki.wpa_auth | flattened | |
cisco_meraki.wpa_deauth | flattened | |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Offset of the entry in the log file. | long |
log.source.address | Source address from which the log event was read / sent from. | keyword |
An example event for log looks as following:
{
"@timestamp": "2021-11-23T18:13:18.348Z",
"agent": {
"ephemeral_id": "bd9fe1e0-a3cd-42b7-9b0b-e0946be0c276",
"id": "234cd698-ca4b-4fd7-8a3f-8617e423274a",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.11.0"
},
"cisco_meraki": {
"event_subtype": "ids_alerted",
"event_type": "security_event",
"security": {
"decision": "allowed",
"dhost": "D0-AB-D5-7B-43-73",
"priority": "1",
"signature": "1:29708:4"
}
},
"data_stream": {
"dataset": "cisco_meraki.log",
"namespace": "ep",
"type": "logs"
},
"destination": {
"ip": "10.0.3.162",
"port": 56391
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "234cd698-ca4b-4fd7-8a3f-8617e423274a",
"snapshot": false,
"version": "8.11.0"
},
"event": {
"action": "ids-signature-matched",
"agent_id_status": "verified",
"category": [
"network",
"intrusion_detection"
],
"dataset": "cisco_meraki.log",
"ingested": "2023-11-21T20:46:12Z",
"original": "<134>1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
"type": [
"info"
]
},
"input": {
"type": "udp"
},
"log": {
"source": {
"address": "192.168.160.4:52334"
}
},
"message": "BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
"network": {
"direction": "ingress",
"protocol": "tcp/ip"
},
"observer": {
"hostname": "MX84"
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.12",
"port": 80
},
"tags": [
"preserve_original_event",
"cisco-meraki",
"forwarded"
]
}API Endpoint (Webhooks)
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened |
cisco_meraki.event.alertId | ID for this alert message | keyword |
cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword |
cisco_meraki.event.alertType | Type of alert (“Network usage alert”, “Settings changed”, etc.) | keyword |
cisco_meraki.event.alertTypeId | Unique ID for the type of alert | keyword |
cisco_meraki.event.deviceMac | MAC address of the Meraki device | keyword |
cisco_meraki.event.deviceModel | Meraki device model | keyword |
cisco_meraki.event.deviceName | Name assigned to the Meraki device | keyword |
cisco_meraki.event.deviceSerial | Serial number of the Meraki device | keyword |
cisco_meraki.event.deviceTags | Tags assigned to the Meraki device | keyword |
cisco_meraki.event.deviceUrl | URL of the Meraki device | keyword |
cisco_meraki.event.networkId | ID for the Meraki network | keyword |
cisco_meraki.event.networkName | Name for the Meraki network | keyword |
cisco_meraki.event.networkTags | Tags assigned to the Meraki network | keyword |
cisco_meraki.event.networkUrl | URL of the Meraki Dashboard network | keyword |
cisco_meraki.event.occurredAt | Timestamp of the alert (UTC) | date |
cisco_meraki.event.organizationId | ID of the Meraki organization | keyword |
cisco_meraki.event.organizationName | Name of the Meraki organization | keyword |
cisco_meraki.event.organizationUrl | URL of the Meraki Dashboard organization | keyword |
cisco_meraki.event.sentAt | Timestamp of the sent message (UTC) | date |
cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword |
cisco_meraki.event.version | Current version of webhook format | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Offset of the entry in the log file. | long |
log.source.address | Source address from which the log event was read / sent from. | keyword |
An example event for events looks as following:
{
"@timestamp": "2018-02-11T00:00:00.123Z",
"agent": {
"ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b",
"id": "29d48081-6d4f-4236-b959-925451410f6f",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.0.0"
},
"cisco_meraki": {
"event": {
"alertData": {
"connection": "LTE",
"local": "192.168.1.2",
"model": "UML290VW",
"provider": "Purview Wireless",
"remote": "1.2.3.5"
},
"alertId": "0000000000000000",
"alertTypeId": "cellular_up",
"deviceTags": [
"tag1",
"tag2"
],
"deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000",
"networkId": "N_24329156",
"networkUrl": "https://n1.meraki.com//n//manage/nodes/list",
"organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview",
"sentAt": "2021-10-07T08:42:00.926325Z",
"sharedSecret": "secret",
"version": "0.1"
}
},
"data_stream": {
"dataset": "cisco_meraki.events",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "29d48081-6d4f-4236-b959-925451410f6f",
"snapshot": false,
"version": "8.0.0"
},
"event": {
"action": "Cellular came up",
"agent_id_status": "verified",
"category": [
"network"
],
"dataset": "cisco_meraki.events",
"ingested": "2023-09-20T09:09:47Z",
"original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
"type": [
"info",
"start"
]
},
"input": {
"type": "http_endpoint"
},
"log": {
"level": "informational"
},
"network": {
"name": "Main Office"
},
"observer": {
"mac": [
"00-11-22-33-44-55"
],
"name": "My appliance",
"product": "MX",
"serial_number": "Q234-ABCD-5678",
"vendor": "Cisco"
},
"organization": {
"id": "2930418",
"name": "My organization"
},
"tags": [
"preserve_original_event",
"forwarded",
"meraki-events"
]
}Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
1.23.0 | Enhancement View pull request | 8.13.0 or higher |
1.22.0 | Enhancement View pull request | 8.12.0 or higher |
1.21.2 | Bug fix View pull request | 8.12.0 or higher |
1.21.1 | Bug fix View pull request | 8.12.0 or higher |
1.21.0 | Enhancement View pull request | 8.12.0 or higher |
1.20.3 | Enhancement View pull request | 7.17.0 or higher |
1.20.2 | Bug fix View pull request | 7.17.0 or higher |
1.20.1 | Bug fix View pull request | 7.17.0 or higher |
1.20.0 | Enhancement View pull request | 7.17.0 or higher |
1.19.0 | Enhancement View pull request | 7.17.0 or higher |
1.18.1 | Bug fix View pull request | 7.17.0 or higher |
1.18.0 | Enhancement View pull request | 7.17.0 or higher |
1.17.1 | Bug fix View pull request | 7.17.0 or higher |
1.17.0 | Enhancement View pull request | 7.17.0 or higher |
1.16.1 | Bug fix View pull request | 7.17.0 or higher |
1.16.0 | Enhancement View pull request | 7.17.0 or higher |
1.15.1 | Bug fix View pull request | 7.17.0 or higher |
1.15.0 | Enhancement View pull request | 7.17.0 or higher |
1.14.0 | Enhancement View pull request | 7.17.0 or higher |
1.13.0 | Enhancement View pull request | 7.17.0 or higher |
1.12.0 | Enhancement View pull request | 7.17.0 or higher |
1.11.1 | Bug fix View pull request | 7.17.0 or higher |
1.11.0 | Enhancement View pull request | 7.17.0 or higher |
1.10.0 | Enhancement View pull request | 7.17.0 or higher |
1.9.0 | Enhancement View pull request | 7.17.0 or higher |
1.8.0 | Enhancement View pull request | 7.17.0 or higher |
1.7.0 | Enhancement View pull request | 7.17.0 or higher |
1.6.0 | Enhancement View pull request | 7.17.0 or higher |
1.5.1 | Enhancement View pull request | 7.17.0 or higher |
1.5.0 | Enhancement View pull request | 7.17.0 or higher |
1.4.1 | Enhancement View pull request | 7.17.0 or higher |
1.4.0 | Enhancement View pull request | 7.17.0 or higher |
1.3.1 | Enhancement View pull request | 7.17.0 or higher |
1.3.0 | Enhancement View pull request | 7.17.0 or higher |
1.2.3 | Bug fix View pull request | 7.17.0 or higher |
1.2.2 | Bug fix View pull request | 7.17.0 or higher |
1.2.1 | Bug fix View pull request | 7.17.0 or higher |
1.2.0 | Enhancement View pull request | 7.17.0 or higher |
1.1.2 | Bug fix View pull request | 7.17.0 or higher |
1.1.1 | Enhancement View pull request | 7.17.0 or higher |
1.1.0 | Enhancement View pull request | 7.17.0 or higher |
1.0.1 | Bug fix View pull request | 7.17.0 or higher |
1.0.0 | Enhancement View pull request | 7.17.0 or higher |
0.6.1 | Enhancement View pull request | — |
0.6.0 | Enhancement View pull request | — |
0.5.1 | Enhancement View pull request | — |
0.5.0 | Enhancement View pull request | — |
0.4.1 | Enhancement View pull request | — |
0.4.0 | Enhancement View pull request | — |
0.3.1 | Bug fix View pull request | — |
0.3.0 | Enhancement View pull request | — |
0.2.3 | Enhancement View pull request | — |
0.2.2 | Bug fix View pull request | — |
0.2.1 | Bug fix View pull request | — |
0.2.0 | Enhancement View pull request | — |
0.1.0 | Enhancement View pull request | — |