Cisco Meraki

The JSA DSM for Cisco Meraki collects Syslog events from a Cisco Meraki device.

To integrate Cisco Meraki with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the Cisco Meraki DSM RPM on your JSA Console.

  2. Configure your Cisco Meraki device to send Syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Cisco Meraki log source on the JSA Console.

    The following table describes the parameters that require specific values to collect events from Cisco Meraki:

    Table 1: Cisco Meraki Syslog Log Source Parameters

    | Parameter | Value |
    |---|---|
    | Log Source type | Cisco Meraki |
    | Protocol Configuration | Syslog |
    | Log Source Identifier | The IPv4 address or host name that identifies the log source. If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier, such as an IP address, prevents event searches from identifying the management console as the source for all of the events. |

    Tip: Cisco Meraki does not send events with RFC3164 or RFC5424 headers. As a result, log sources are auto discovered with the log source identifier of the packet IP of the event instead of the hostname or IP address that is in the header. Use the Syslog redirect protocol to use the value in the header instead of the value in the packet IP.

Cisco Meraki DSM Specifications

When you configure the Cisco Meraki DSM, understanding the specifications for the Cisco Meraki DSM can help ensure a successful integration. For example, knowing what protocol to use before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the Cisco Meraki DSM.

Table 2: Cisco Meraki DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | Cisco |
| DSM name | Cisco Meraki |
| RPM file name | DSM-CiscoMeraki-JSA_version-build_number.noarch.rpm |
| Supported versions | N/A |
| Protocol | Syslog |
| Event format | Syslog |
| Recorded event types | Events, Flows, security_event ids_alerted |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | https://Meraki.cisco.com |

Configure Cisco Meraki to Communicate with JSA

To collect Cisco Meraki events, configure your Cisco Meraki device to send Syslog events to JSA.

Configure Cisco Meraki to communicate with JSA by following the Syslog Server Overview and Configuration steps at https://Meraki.cisco.com.

Cisco Meraki Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Cisco Meraki sample messages when you use the Syslog protocol

Sample 1: The following sample event message shows an outbound flow event that is used to initiate an IP session. It also shows the source, destination, and port number values along with the firewall rule that they matched.

Table 3: Highlighted fields

| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | In JSA, the value is always Outbound Flow Allow for these types of events. |
| Source IP | src |
| Destination IP | dst |
| Destination MAC | mac |
| Protocol | protocol |
| Source Port | sport |
| Destination Port | dport |

Sample 2: The following sample event message shows a security event that is generated when an array out of bounds write attempt is made. It also shows the source, destination, port numbers, destination MAC, and protocol values.

Table 4: Highlighted fields

| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | signature |
| Source IP | src |
| Source Port | The value that is used for the Source Port displays after the colon in the src value. For example, 80. |
| Destination IP | dst |
| Destination Port | The value that is used for the Destination Port displays after the colon in the dst value. For example, 61019. |
| Destination MAC | dhost |
| Protocol | protocol |
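
The following Python example is added here and is not part of the JSA documentation or the DSM's own parsing logic. It maps the payload keys listed in Tables 3 and 4 to their JSA field names, including the ip:port split used by security events; the two sample payloads, their layout, and the names to_jsa_fields, split_endpoint and to_port are constructed assumptions.

```python
import re

# Constructed sample payloads (not from the JSA documentation). The layout
# "epoch device type key=value ..." and every value in them are assumptions.
FLOW_SAMPLE = (
    "1700000000.000000000 MX_EXAMPLE flows src=192.0.2.10 dst=198.51.100.20 "
    "mac=00:00:5E:00:53:01 protocol=tcp sport=51515 dport=443 pattern: allow all"
)
IDS_SAMPLE = (  # contains a pasted line break inside the dst value
    "1700000001.000000000 MX_EXAMPLE security_event ids_alerted "
    "signature=1:00000:1 dhost=00:00:5E:00:53:02 protocol=tcp/ip "
    "src=198.51.100.20:80 dst=192.0.2.10:\r\n61019 message: constructed"
)
KV = re.compile(r"(\w+)=(\S+)")


def to_port(text):
    """Return the port as an int, or None when it is missing or not numeric."""
    return int(text) if text and text.isdigit() else None


def split_endpoint(value):
    """Split an IPv4 'ip:port' value; the port is None when there is no colon."""
    ip, _, port = value.partition(":")
    return ip or None, to_port(port)


def to_jsa_fields(payload):
    """Map a Meraki key=value payload to the JSA field names of Tables 3 and 4."""
    # Per the Note above: remove CR/LF characters before parsing.
    kv = dict(KV.findall(payload.replace("\r", "").replace("\n", "")))
    src_ip, src_port = split_endpoint(kv.get("src", ""))
    dst_ip, dst_port = split_endpoint(kv.get("dst", ""))
    ids = "signature" in kv  # Table 4 layout; otherwise Table 3 layout
    return {
        # Table 3: JSA always shows "Outbound Flow Allow" for that event type.
        "Event ID": kv["signature"] if ids else "Outbound Flow Allow",
        "Source IP": src_ip,
        "Source Port": src_port if ids else to_port(kv.get("sport")),
        "Destination IP": dst_ip,
        "Destination Port": dst_port if ids else to_port(kv.get("dport")),
        "Destination MAC": kv.get("dhost") if ids else kv.get("mac"),
        "Protocol": kv.get("protocol"),
    }


if __name__ == "__main__":
    for sample in (FLOW_SAMPLE, IDS_SAMPLE):
        print(to_jsa_fields(sample))
```

Comparing this output with the fields JSA displays for a received event is a quick way to confirm that the log source is parsing rather than storing events as unknown.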