Cisco Meraki
Meraki (MR, MS, MX)
Key facts
- Cisco Meraki messages are not distinctive, so the sourcetype cannot be determined from the log message itself.
- Because of this, either configure known Cisco Meraki hosts in SC4S or open unique ports for Cisco Meraki devices.
- Splunk Add-on for Cisco Meraki 2.1.0 doesn't support syslog. Use TA-meraki instead. TA-meraki 1.1.5 requires sourcetype `meraki`.
Links
Ref | Link |
---|---|
Splunk Add-on | https://splunkbase.splunk.com/app/3018 |
Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration |
Sourcetypes
sourcetype | notes |
---|---|
meraki:accesspoints | Not compliant with the Splunk Add-on |
meraki:securityappliances | Not compliant with the Splunk Add-on |
meraki:switches | Not compliant with the Splunk Add-on |
meraki | For all Meraki devices. Compliant with the Splunk Add-on |
Index Configuration
key | sourcetype | index | notes |
---|---|---|---|
meraki_accesspoints | meraki:accesspoints | netfw | |
meraki_securityappliances | meraki:securityappliances | netfw | |
meraki_switches | meraki:switches | netfw | |
cisco_meraki | meraki | netfw | |
Parser Configuration
- Either by defining Cisco Meraki hosts:

    ```
    # /opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf
    # The file name provided is a suggestion; it must be globally unique

    block parser app-vps-test-cisco_meraki() {
        channel {
            if {
                filter { host("^test-mx-") };
                parser {
                    p_set_netsource_fields(
                        vendor('meraki')
                        product('securityappliances')
                    );
                };
            } elif {
                filter { host("^test-mr-") };
                parser {
                    p_set_netsource_fields(
                        vendor('meraki')
                        product('accesspoints')
                    );
                };
            } elif {
                filter { host("^test-ms-") };
                parser {
                    p_set_netsource_fields(
                        vendor('meraki')
                        product('switches')
                    );
                };
            } else {
                parser {
                    p_set_netsource_fields(
                        vendor('cisco')
                        product('meraki')
                    );
                };
            };
        };
    };

    application app-vps-test-cisco_meraki[sc4s-vps] {
        filter {
            host("^test-meraki-")
            or host("^test-mx-")
            or host("^test-mr-")
            or host("^test-ms-")
        };
        parser { app-vps-test-cisco_meraki(); };
    };
    ```
- Or by a unique port:

    ```
    # /opt/sc4s/env_file
    SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
    SC4S_LISTEN_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005
    SC4S_LISTEN_MERAKI_ACCESSPOINTS_UDP_PORT=5006
    SC4S_LISTEN_MERAKI_SWITCHES_UDP_PORT=5007
    ```
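Because host-based classification depends entirely on the host patterns, it is worth checking a device inventory against them before deploying the parser. The following is an added example, not part of SC4S or the original page: it mirrors the branch order of the host-based parser above and the Index Configuration table, and reports hosts the application filter would miss. It assumes Python's `re.search` behaves like the syslog-ng `host()` filter for these simple anchored patterns and that the key is `vendor_product`; the inventory names are constructed.

```python
import re

# Host patterns from the app-vps-test-cisco_meraki example, in if/elif order,
# with the (vendor, product) pair each branch passes to p_set_netsource_fields.
BRANCHES = [
    (r"^test-mx-", ("meraki", "securityappliances")),
    (r"^test-mr-", ("meraki", "accesspoints")),
    (r"^test-ms-", ("meraki", "switches")),
]
DEFAULT = ("cisco", "meraki")  # the else branch
# Outer application filter: hosts that do not match never reach the parser.
APP_FILTER = [r"^test-meraki-", r"^test-mx-", r"^test-mr-", r"^test-ms-"]

# key -> (sourcetype, index), copied from the Index Configuration table.
INDEX_CONFIG = {
    "meraki_accesspoints": ("meraki:accesspoints", "netfw"),
    "meraki_securityappliances": ("meraki:securityappliances", "netfw"),
    "meraki_switches": ("meraki:switches", "netfw"),
    "cisco_meraki": ("meraki", "netfw"),
}


def classify(host):
    """Return (key, sourcetype, index), or None if the filter rejects the host."""
    if not any(re.search(p, host) for p in APP_FILTER):
        return None
    vendor, product = next(
        (vp for pat, vp in BRANCHES if re.search(pat, host)), DEFAULT
    )
    key = f"{vendor}_{product}"  # assumption: key is vendor_product, as in the table
    return (key, *INDEX_CONFIG[key])


def audit(hosts):
    """Split an inventory into classified hosts and hosts the filter misses."""
    report = {"classified": {}, "unmatched": []}
    for host in hosts:
        result = classify(host)
        if result is None:
            report["unmatched"].append(host)
        else:
            report["classified"][host] = result
    return report


if __name__ == "__main__":
    # Constructed inventory, not taken from a real network.
    inventory = ["test-mx-hq", "test-mr-lobby", "test-ms-core",
                 "test-meraki-lab", "branch-mx-01"]
    print(audit(inventory))
```

Hosts listed under `unmatched` are not handled by this parser, so either extend the host patterns or send those devices to one of the dedicated ports.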