Cisco Meraki MX and Graylog3 Part 4

This parser/content pack are used to log Meraki MX security-events.

First download content pack from my github

File called “Cisco_Meraki_MX_Appliance_Security.json” is for MX appliance security events. It brings couple new search fields in Graylog3.

New fields are:

  • DISPOSITION = Disposition (eg. malicious)
  • ACTION = Action (eg. block)
  • SHA256 = SHA256 about file (eg. 2546dcffc5ad854d4d…)
  • NAME = Malware name (eg.
  • SRCIP = Source IP-address (eg.
  • SRCPORT = Source port (eg. 23434)
  • DSTIP = Destination IP-address (eg.
  • DSTPORT = Destination port (eg. 443)

Upload file to Graylog3 using instruction from my blog

Action report example.

Malware name example.

Now open Meraki dashboard and choose correct network.

Choose Network-wide > Configure > General.

Find part called reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog-server IP-address, port 5556 and choose Appliance event log role. Click save after this. Now your should see traffic in your graylog input.

One Reply to “Cisco Meraki MX and Graylog3 Part 4”

  1. Hey thanks so much for your work creating the Meraki Content Packs for Graylog. I have just installed them into our Graylog 3.1 environment after adding a Meraki MX firewall.

    They seem to work well, except the Meraki Security Events extractor. Perhaps Meraki format has changed. I updated the extractor in our config to look like this, and it started parsing fields.

    src=%{IPV4incPORT:SRCIP} dst=%{IPV4incPORT:DSTIP} mac=%{MAC:MAC} protocol=%{DATA:PROTOCOL} sport=%{POSINT:SRCPORT} dport=%{POSINT:DSTPORT} pattern: %{GREEDYDATA:ACTION}

Leave a Reply

Your email address will not be published. Required fields are marked *