Cisco Meraki MX and Graylog3 Part 2

First, download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file “Cisco_Meraki_MX_Appliance_Events.json” is for MX appliance events. It adds a couple of new search fields to Graylog3.

New fields are:

  • EVENT_TYPE = Event type (e.g. IDS, content_filtering_block or dhcp)
  • SPI = Security Parameter Index (e.g. 53afbb30231007)
  • URL_CATEGORY = Category the blocked site belongs to (e.g. Malware)

Figure: Top 10 values for event type.

Figure: Top 5 blocked URL categories.

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the section called Reporting.

Figure: Cisco Meraki syslog server configuration.

Add your Graylog server's IP address and port 5557, and choose the Appliance event log role. Click Save. You should now see traffic in your Graylog input.
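
To check offline what the three fields should contain before relying on the dashboards, here is an added example (not code from the content pack). The message layout, the regular expressions and the sample lines are assumptions constructed for illustration; only the field names and the example SPI value come from this page.

```python
import re
from collections import Counter

# Constructed sample messages (not captured traffic). Assumed layout:
# "<pri>1 <epoch> <hostname> events <body>".
SAMPLES = [
    "<134>1 1563249630.774 MX64 events dhcp lease of ip 192.168.1.10 "
    "from server mac 00:11:22:33:44:55 for client mac 66:77:88:99:AA:BB",
    "<134>1 1563249631.112 MX64 events content_filtering_block "
    "url='http://blocked.example/' category0='Malware' server='203.0.113.10:80'",
    "<134>1 1563249632.556 MX64 events content_filtering_block "
    "url='http://ads.example/' category0='Malware' server='203.0.113.11:80'",
    "<134>1 1563249633.901 MX64 events Site-to-site VPN: ISAKMP-SA established "
    "192.0.2.1[500]-198.51.100.1[500] spi:53afbb30231007:0a1b2c3d4e5f6071",
]

HEADER = re.compile(r"^<\d+>1 (?P<ts>\d+\.\d+) (?P<host>\S+) events (?P<body>.+)$")
SPI = re.compile(r"\bspi[:=](?P<spi>[0-9a-fA-F]+)")
CATEGORY = re.compile(r"\bcategory0='(?P<cat>[^']*)'")

def parse(line):
    """Return the three content-pack field names for one message, or None."""
    m = HEADER.match(line)
    if m is None:
        return None  # not an appliance event line; do not guess
    body = m.group("body")
    head, sep, _ = body.partition(": ")
    # "Label: detail" bodies use the label; otherwise the first token.
    etype = head if sep and "=" not in head else body.split()[0]
    spi = SPI.search(body)
    cat = CATEGORY.search(body)
    return {
        "EVENT_TYPE": etype,
        "SPI": spi.group("spi") if spi else None,
        "URL_CATEGORY": cat.group("cat") if cat else None,
    }

def top_values(lines, field, n):
    """Count non-empty values of one field, like a 'Top N' widget."""
    rows = [r for r in map(parse, lines) if r]
    return Counter(r[field] for r in rows if r[field]).most_common(n)

if __name__ == "__main__":
    print(top_values(SAMPLES, "EVENT_TYPE", 10))
    print(top_values(SAMPLES, "URL_CATEGORY", 5))
```

If a message that reaches the Graylog input shows none of these fields, compare its raw text with the extractor patterns in the content pack rather than with the assumed patterns here.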
