Cisco Meraki

The Cisco Meraki device includes wireless switches, security, EMM (enterprise mobility management), communications, and security cameras, all centrally managed from the web. Cisco Meraki can produce DHCP, Firewall, VPN, and Web Proxy logs. All of these log types are supported in InsightIDR.

Cisco Meraki logs can be collected using syslog or Cisco Meraki Cloud API.

Before you begin

There are different requirements depending on the collection method you use to send Cisco Meraki events to InsightIDR. You must ensure the related requirements are met before beginning set up.

Syslog collection method requirements

Cisco Meraki products support the standard RFC 5424 syslog implementation, meaning that syslog messages will be sent unencrypted.

You can configure Cisco Meraki to store syslog messages on a server by following the directions at: https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration.

Cisco Meraki Cloud API collection method requirements

To use the Cisco Meraki Cloud API, you need to enable access. After enabling access you will need to generate an API key to provide to InsightIDR when setting up the event source. Instructions for obtaining your API key can be found at: https://developer.cisco.com/meraki/api-latest/#!authorization/obtaining-your-meraki-api-key

You will also need to take note of your Meraki Organization ID and provide it to InsightIDR during the set up process. This can be found in the Meraki UI in the footer of every page.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Cisco Meraki Firewall/VPN in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select the Cisco Meraki Firewall/VPN event source tile.
  4. Choose your collector and event source.
  5. (Optional) Name your event source.
  6. (Optional) Choose to send unfiltered logs.
  7. Choose the time zone that matches the location of your event source logs.
  8. Select an attribution source.
  9. Select a collection method.
    • If choosing the Listen on Network Port collection method, specify a port and a protocol.
      • (Optional) Choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
    • If choosing the Cloud API collection method:
      • Create a new credential. Enter a name for the credential in the Name field, and the Cisco Meraki API key you have previously generated in the API Key field.
      • Enter your Cisco Meraki Organization ID in the Organization ID field.
  10. Click Save.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. On your new Cisco Meraki event source, click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
  2. Click Log Search in the left menu.
  3. Select the applicable log sets and the log names within them. The log name will be the event source name or Cisco Meraki if you did not name the event source. Cisco Meraki logs flow into the Firewall, host-to-ip, Web Proxy, and IDS log sets.

Logs take a minimum of 7 minutes to appear in Log Search

If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Troubleshoot common issues

This section covers some common troubleshooting scenarios.

Problems parsing

If you are experiencing issues with Cisco Meraki parsing, ensure timestamps are switched on. The Rapid7 parser will not work unless timestamps are on.

Problems with log configuration

If you are experiencing issues with log configuration, ensure:

  • The logging timestamp is switched on.
  • The logging host has been configured for the InsightIDR Collector.

Make sure to set the logging level on the device to Severity 6 (Informational Messages). Use this guide for instructions: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#wp1082848.