Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Cisco Meraki

The JSA DSM for Cisco Meraki collects Syslog events from a Cisco Meraki device.

To integrate Cisco Meraki with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of Cisco Meraki DSM RPM on your JSA Console.

  2. Configure your Cisco Meraki device to send Syslog events to JSA.

  3. If JSA does not automatically detect the log source, add Cisco Meraki log source on the JSA Console.

    The following table describes the parameters that require specific values to collect events from Cisco Meraki:

    Table 1: Cisco Meraki Syslog Log Source Parameters

    Parameter

    Value

    Log Source type

    Cisco Meraki

    Protocol Configuration

    Syslog

    Log Source Identifier

    The IPv4 address or host name that identifies the log source.

    If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Cisco Meraki DSM Specifications

When you configure the Cisco Meraki DSM, understanding the specifications for the Cisco Meraki DSM can help ensure a successful integration. For example, knowing what protocol to use before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the Cisco Meraki DSM.

Table 2: Cisco Meraki DSM Specifications

Specification

Value

Manufacturer

Cisco

DSM name

Cisco Meraki

RPM file name

DSM-CiscoMeraki-JSA_version-build_number.noarch.rpm

Supported versions

N/A

Protocol

Syslog

Event format

Syslog

Recorded event types

Events

Flows

security_event ids_alerted

Automatically discovered?

Yes

Includes identity?

No

Includes custom properties?

No

More information

(https:// Meraki.cisco.com)

Configure Cisco Meraki to Communicate with JSA

To collect Cisco Meraki events, configure your Cisco Meraki device to send Syslog events to JSA.

Configure Cisco Meraki to communicate with JSA by following the Syslog Server Overview and Configuration steps on (https:// Meraki.cisco.com).

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides sample event messages when the Syslog protocol for the Cisco Meraki DSM is used:

Table 3: Cisco Meraki DSM Sample Messages Supported by Cisco Meraki

Event name

Low-level category

Sample log message

Inbound Flow

Information

192.168.10.1 1 948077334.886213117 MX60 flows src=39.41.X.X dst=114.18.X.X protocol=udp sport=13943 dport=16329 pattern: 1 all

Outbound Flow

Information

192.168.10.1 1 948136486.721741837 MX60 flows src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

URL-UNKNOWN

Notice

<134>1 1516057359.742046722 JSA_appliance urls src=<Source_IP_address>: <Port>dst-<Destination_IP_address>: <Port>mac= <MAC_address>request:UNKNOWN> https://www.example.com/cgibin/ sdee-server/...

URL-GET

Information

<134>1 1516057357.668297541 JSA_appliance urls src=<Source_IP_address> :<Port>dst-<Destination_IP_address> :<Port>mac=<MAC_address> agent-’Test’ request:GET>https://www.example.com /cgibin/ sdee-server/...

URL-POST

Information

<134>1 1515990652.718750836 JSA_appliance urls src=<Source_IP_address> :<Port>dst-<Destination_IP_address> :<Port>mac=<MAC_address> agent-’Windows- Update-Agent/ <IP_address> Client-Protocol/ 1.40’ request:POST> https://www.example.com/ cgibin/ sdee-server/...

DHCP Lease

Information

<134>1 1516153561.629079842 JSA events dhcp lease of ip <IP_address> from server mac <MAC_address> for client mac <mac> from router<IP_address2> on subnet <IP_address3> with dns <IP_address4>, <IP_address5>

vpn_registry_change

Notice

<134>1 1516085616.402689713 JSA events type=vpn_registry_change vpn_type=’site-to-site’ connectivity=’false’

Content Filtering Block

Notice

<134>1 1516149081.972680893 JSA_appliance events content_filtering_block url=’https://www.example.com/c gi-bin/sdee-server/...’ category0=’Malware Sites’server= ’<IP_address>:<Port>’

MAC Address - IP Conflict

Warning

<134> 1516057331.654660510 JSA events MAC <MAC_address> and MAC <MAC_address> both claim IP: <IP_address>

1:45148

Trojan Detected

134<>1 1516050030.553653046 JSA security_event ids_alerted signature=1:45148:1 priority=1 timestamp=1516050030.236281 dhost=<MAC_address>:<Port> message: BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt