Cisco Meraki MX and Graylog3

I really like the Meraki cloud concept. It covers the complete network stack: firewalls/SD-WAN, WLAN, switches and security cameras (and MDM too). The only problem (if we don’t count the missing AnyConnect) is logs and querying them. Because I already use Graylog for my other projects, I decided to use Graylog3 as my log storage. There are no ready-made parsers or dashboards in the Graylog marketplace, so I started to make my own.

Here comes a GROK-based parser for MX flow records, enjoy.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

There are a couple of roles in Meraki MX which you use to send syslog. I chose to send every role to a different port, so I can choose which extractor to use for each.

The file called “Cisco_Meraki_Flow_Content_Pack.json” is for MX flow events. It brings a couple of new search fields to Graylog3.

New fields are:

  • DSTIP = Destination IP-address (eg. 208.67.222.222)
  • DSTPORT = Destination port (eg. 53)
  • FLOW_TYPE = Flow start or end (eg. ip_flow_end)
  • PROTOCOL = Protocol (eg. tcp)
  • SRCIP = Source IP-address (eg. 172.16.0.10)
  • SRCPORT = Source port (eg. 1007)
  • TRANSLATED_DST_IP = Translated destination IP-address (eg. 1.2.3.4)
  • TRANSLATED_PORT = Translated port (eg. 55)
  • TRANSLATED_SRC_IP = Translated source IP-address (eg. 81.3.4.1)

Example of the new search fields (btw. this is demo-generated data, not my inside net).
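To show what the GROK extractor in the content pack is doing with a flow line, here is an added Python example (not code from the content pack or from Graylog) that maps Meraki `key=value` pairs onto the same field names listed above. The line layout (timestamp, appliance name, flow type, then key=value pairs) is assumed, and the sample lines are constructed demo data.

```python
import re
from typing import Optional

# Header: epoch timestamp, appliance name, flow type, then the key=value tail.
# Layout is assumed from the field list on this page; lines below are constructed.
_HEADER = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+"
    r"(?P<flow_type>ip_flow_start|ip_flow_end)\s+(?P<kv>.*)$"
)
_KV = re.compile(r"(\w+)=(\S+)")

# Meraki key name -> Graylog field name created by the content pack.
FIELD_MAP = {
    "src": "SRCIP", "dst": "DSTIP", "sport": "SRCPORT", "dport": "DSTPORT",
    "protocol": "PROTOCOL",
    "translated_src_ip": "TRANSLATED_SRC_IP",
    "translated_dst_ip": "TRANSLATED_DST_IP",
    "translated_port": "TRANSLATED_PORT",
}
INT_FIELDS = {"SRCPORT", "DSTPORT", "TRANSLATED_PORT"}


def parse_flow(line: str) -> Optional[dict]:
    """Return the Graylog-style fields for one MX flow line, or None if it is not a flow record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None  # e.g. urls/events roles sent to this port would be skipped, not mis-parsed
    fields = {"FLOW_TYPE": m.group("flow_type"), "device": m.group("device")}
    for key, value in _KV.findall(m.group("kv")):
        name = FIELD_MAP.get(key)
        if name is None:
            continue  # keys the pack does not extract (e.g. mac) are ignored
        fields[name] = int(value) if name in INT_FIELDS else value
    return fields


# Constructed sample lines using the demo values from the field list above.
SAMPLE_LINES = [
    "1562236800.123456 MX64 ip_flow_start src=172.16.0.10 dst=208.67.222.222 "
    "protocol=udp sport=1007 dport=53 translated_src_ip=81.3.4.1 translated_port=55",
    "1562236801.654321 MX64 ip_flow_end src=172.16.0.10 dst=208.67.222.222 "
    "protocol=udp sport=1007 dport=53 translated_src_ip=81.3.4.1 translated_port=55",
    "1562236802.000000 MX64 urls src=172.16.0.10 dst=1.2.3.4 request: GET https://example.com/",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_flow(line))
```

Lines from other roles (the third sample) return None, which is the same reason the post sends each role to its own port: a flow extractor should not be guessing at events or URL records.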

Now, when you have downloaded the json file, you must upload it to Graylog3. Choose System > Content Packs and the Content Packs page opens. Click Upload (green box) in the upper left corner. Choose the content pack file and upload it.

There is now a new content pack called Cisco Meraki Flow; click Install. After this you have a new input and a new dashboard.

Go to the input page System > Inputs. There is an input called MERAKI_LOGS_FLOWS. The input listens as RAW/plaintext UDP on port 5558 (there are some problems with the standard Syslog UDP input). If the input is not started, you must start it.

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the part called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5558 and choose the Flows role. Click Save after this. Now you should see traffic in your Graylog input.

Click System > Inputs, find MERAKI_LOGS_FLOWS and choose Show Received Messages.

There is also a new dashboard called “Meraki MX Flow Records”. Go to Dashboards > Meraki MX Flow Records.

Example flow dashboard.

10 Replies to “Cisco Meraki MX and Graylog3”

  1. Hello,

    thanks for this, really helpful

    Nevertheless, I don’t have the fields you describe above.

    I got back the last version of Cisco_Meraki_Flow_Content_Pack.json from the same GitHub

    I run Graylog 3.1.3+cda805f

    Do you have any idea why?

  2. Have you had a chance to try this out with Graylog4? I have the content pack installed on a machine running Graylog 4.0.1+6a0cc0b. The inputs are showing valid messages received, but the Dashboard does not update with any values and looks like the server is not receiving Meraki MX syslog messages.

  3. Has anyone managed to get this working with Graylog 4.0.x ? I have it installed, but the Dashboard isn’t updating.

  4. Be interested to see how this works with the latest Graylog also.
    What about supporting switch logs and AP logs?
