Cisco Meraki

The Cisco Meraki product line includes wireless, switching, security, EMM (enterprise mobility management), communications, and security camera products, all centrally managed from the web. Cisco Meraki can produce DHCP, Firewall, VPN, and Web Proxy logs. All of these log types are supported in InsightIDR.

Cisco Meraki logs can be collected using syslog or Cisco Meraki Cloud API.

Before you begin

The requirements differ depending on the collection method you use to send Cisco Meraki events to InsightIDR. Make sure the requirements for your chosen method are met before you begin setup.

Syslog collection method requirements

Cisco Meraki products support the standard RFC 5424 syslog implementation, meaning that syslog messages will be sent unencrypted.

You can configure Cisco Meraki to store syslog messages on a server by following the directions at: https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration.

Cisco Meraki Cloud API collection method requirements

To use the Cisco Meraki Cloud API, you need to enable API access. After enabling access, generate an API key to provide to InsightIDR when setting up the event source. Instructions for obtaining your API key can be found at: https://developer.cisco.com/meraki/api-latest/#!authorization/obtaining-your-meraki-api-key.

You will also need to take note of your Meraki Organization ID and provide it to InsightIDR during the setup process. The Organization ID is shown in the Meraki UI in the footer of every page.

Set up Cisco Meraki in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Firewall icon. The Add Event Source panel appears.
  4. Choose your collector and event source.
  5. (Optional) Name your event source.
  6. (Optional) Choose to send unfiltered logs.
  7. Choose the time zone that matches the location of your event source logs.
  8. Select an attribution source.
  9. Select a collection method.
    • If choosing the Listen on Network Port collection method, specify a port and a protocol.
      • (Optional) If you chose TCP, you can Encrypt the event source by downloading the Rapid7 Certificate.
    • If choosing the Cloud API collection method:
      • Create a new credential. Enter a name for the credential in the Name field, and the Cisco Meraki API key you have previously generated in the API Key field.
      • Enter your Cisco Meraki Organization ID in the Organization ID field.
  10. Click Save.

Attribution source options

Cisco Meraki product logs can contain information about hosts and accounts. When setting up Cisco Meraki as an event source, you will have the ability to specify the following attribution options:

Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If the attribution engine is unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. On your new Cisco Meraki event source, click the View Raw Log button. If log messages appear in the box, logs are flowing to the Collector.
  2. Click Log Search in the left menu.
  3. Select the applicable log sets and the log names within them. The log name will be the event source name or Cisco Meraki if you did not name the event source. Cisco Meraki logs flow into the Firewall, host-to-ip, Web Proxy, and IDS log sets.

If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Troubleshoot common issues

This section covers some common troubleshooting scenarios.

Problems parsing

If you are experiencing issues with Cisco Meraki parsing, ensure timestamps are switched on. The Rapid7 parser will not work unless timestamps are on.
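As an added example (not part of the Rapid7 documentation or the Meraki product), the following Python parser shows what the Collector-side requirement above means in practice: it accepts Meraki syslog lines that start with the epoch timestamp and rejects lines where timestamps were left off, which is the same mismatch that makes logs appear in View Raw Log but never in Log Search. The sample lines are constructed to follow the Meraki syslog message layout, and the handling of an optional `<PRI>` prefix is an assumption about what the Collector sees on the wire.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Meraki syslog message layout
# "<epoch.ns> <device> <message type> key=value ... pattern: <action>";
# they were not captured from a real device.
SAMPLE_LINES = [
    "1374543986.038513543 MX84 flows src=192.168.1.186 dst=8.8.8.8 "
    "mac=58:B0:35:6C:84:C0 protocol=udp sport=55719 dport=53 pattern: allow all",
    "<134>1374543988.122000000 MX84 flows src=10.0.0.5 dst=203.0.113.9 "
    "mac=00:11:22:33:44:55 protocol=tcp sport=51234 dport=445 pattern: deny all",
    "1374543213.085163896 MX84 urls src=192.168.1.186:63735 dst=69.58.188.40:80 "
    "mac=58:B0:35:6C:84:C0 request: GET https://example.com/",
    # Timestamps switched off on the device: no leading epoch, so the line is rejected.
    "MX84 flows src=192.168.1.186 dst=8.8.8.8 protocol=udp sport=1 dport=53 pattern: allow all",
]

# The optional syslog PRI prefix (e.g. "<134>") is an assumption; the Meraki
# payload itself begins with the epoch timestamp the parser depends on.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\d{9,10}\.\d+)\s+(?P<device>\S+)\s+(?P<kind>\S+)\s+(?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
ACTION_RE = re.compile(r"pattern:\s*(allow|deny)\b")


def parse_meraki_line(line):
    """Return a dict of fields, or None when the line lacks the epoch timestamp
    (the parsing failure described in the text)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": float(m["ts"]), "device": m["device"], "kind": m["kind"]}
    fields.update(KV_RE.findall(m["body"]))  # src, dst, mac, protocol, sport, dport ...
    action = ACTION_RE.search(m["body"])     # firewall verdict, present on "flows" lines
    if action:
        fields["action"] = action.group(1)
    return fields


def summarize(lines):
    """Count accepted lines, rejected (timestamp-less) lines and denied flows:
    the quick check to run on raw log output before blaming the event source."""
    counts = Counter()
    for line in lines:
        rec = parse_meraki_line(line)
        if rec is None:
            counts["rejected_no_timestamp"] += 1
            continue
        counts["parsed"] += 1
        if rec.get("action") == "deny":
            counts["denied_flows"] += 1
    return dict(counts)
```

Run `summarize(SAMPLE_LINES)` against a pasted View Raw Log excerpt to see whether any lines are being dropped for lacking the timestamp.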

Problems with log configuration

If you are experiencing issues with log configuration, ensure:

  • The logging timestamp is switched on.
  • The logging host has been configured for the InsightIDR Collector.

Make sure to set the logging level on the device to Severity 6 (Informational Messages). Use this guide for instructions: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#wp1082848.