This parser/content pack are used to log Meraki MX security-events.
First download content pack from my github https://github.com/hrleinonen/graylog-meraki
File called “Cisco_Meraki_MX_Appliance_Security.json” is for MX appliance security events. It brings couple new search fields in Graylog3.
New fields are:
- DISPOSITION = Disposition (eg. malicious)
- ACTION = Action (eg. block)
- SHA256 = SHA256 about file (eg. 2546dcffc5ad854d4d…)
- NAME = Malware name (eg. Win.Ransomware.Eicar::95.sbx.tg)
- SRCIP = Source IP-address (eg. 10.10.101.101)
- SRCPORT = Source port (eg. 23434)
- DSTIP = Destination IP-address (eg. 193.166.3.7)
- DSTPORT = Destination port (eg. 443)
Upload file to Graylog3 using instruction from my blog https://www.hacknetwork.org/?p=167
Now open Meraki dashboard and choose correct network.
Find part called reporting.
Add your Graylog-server IP-address, port 5556 and choose Appliance event log role. Click save after this. Now your should see traffic in your graylog input.
Hey thanks so much for your work creating the Meraki Content Packs for Graylog. I have just installed them into our Graylog 3.1 environment after adding a Meraki MX firewall.
They seem to work well, except the Meraki Security Events extractor. Perhaps Meraki format has changed. I updated the extractor in our config to look like this, and it started parsing fields.
src=%{IPV4incPORT:SRCIP} dst=%{IPV4incPORT:DSTIP} mac=%{MAC:MAC} protocol=%{DATA:PROTOCOL} sport=%{POSINT:SRCPORT} dport=%{POSINT:DSTPORT} pattern: %{GREEDYDATA:ACTION}