Cisco Meraki MX and Graylog3 Part 3

This parser/content pack is used to log Meraki MX URL events.

First, download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called “Cisco_Meraki_MX_Appliance_URLs.json” is for MX appliance events. It adds a couple of new search fields to Graylog3.

New fields are:

  • AGENT = Browser agent (e.g. Mozilla Firefox)
  • REQUEST = HTTP request (e.g. POST)
  • SRCIP = Source IP address (e.g. 10.10.101.101)
  • SRCPORT = Source port (e.g. 23434)
  • DSTIP = Destination IP address (e.g. 193.166.3.7)
  • DSTPORT = Destination port (e.g. 443)

Map based on destination IP addresses.

Example fields.
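To show what these six fields hold, here is an added example (not taken from the content pack, and not its extractor definitions) that pulls them out of constructed syslog messages. The message layout, the optional `agent` part and the function name `parse_url_event` are assumptions; the layout follows the `urls` event format in Meraki's syslog documentation.

```python
import ipaddress
import re

# Assumed layout of an MX "urls" syslog message (not shown on the page):
#   ... urls src=IP:PORT dst=IP:PORT mac=MAC agent='UA' request: METHOD URL
URL_EVENT = re.compile(
    r"\burls\s+"
    r"src=(?P<SRCIP>[0-9.]+):(?P<SRCPORT>\d+)\s+"
    r"dst=(?P<DSTIP>[0-9.]+):(?P<DSTPORT>\d+)\s+"
    r"(?:mac=\S+\s+)?"
    r"(?:agent='(?P<AGENT>[^']*)'\s+)?"   # assumed optional: AGENT is None if absent
    r"request:\s+(?P<REQUEST>[A-Z]+)\b"
)

def parse_url_event(message):
    """Return the six search fields as a dict, or None if this is not a URL event."""
    m = URL_EVENT.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        for key in ("SRCIP", "DSTIP"):
            ipaddress.ip_address(fields[key])   # reject values such as 999.1.1.1
        for key in ("SRCPORT", "DSTPORT"):
            fields[key] = int(fields[key])
            if not 0 < fields[key] < 65536:
                return None
    except ValueError:
        return None
    return fields

# Constructed sample messages, using the example values from the field list.
SAMPLES = [
    "<134>1 1574543213.342705328 MX_lab urls src=10.10.101.101:23434 "
    "dst=193.166.3.7:443 mac=00:11:22:33:44:55 "
    "agent='Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0' "
    "request: POST https://example.org/form",
    "<134>1 1574543214.100000000 MX_lab urls src=10.10.101.101:23435 "
    "dst=193.166.3.7:80 mac=00:11:22:33:44:55 request: GET http://example.org/",
    "<134>1 1574543215.000000000 MX_lab flows src=10.10.101.101 dst=193.166.3.7 "
    "protocol=tcp sport=23436 dport=443 pattern: allow all",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_url_event(line))
```

Messages that do not match return None, which is a useful thing to count when checking whether the input is receiving anything other than URL events.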

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the section called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server's IP address, port 5555, and choose the Appliance event log role. Click Save after this. Now you should see traffic in your Graylog input.
