Cisco meraki
Meraki (MR, MS, MX)¶
Key facts¶
- In most cases, Cisco Meraki logs are general and require vendor product by source configuration.
- For distinctive log messages, filters are based on the appliance name and program value.
Distinctive log messages¶
See samples in the vendor documentation.
The two conjuncted conditions are required:
-
Program:
(events|urls|firewall|cellular_firewall|vpn_firewall|ids-alerts|flows) -
Appliance name:
| Sourcetype | Distinct element |
|---|---|
| meraki:accesspoints | host('MR' type(string) flags(ignore-case,prefix)) |
| meraki:securityappliances | host('MX' type(string) flags(ignore-case,prefix)) |
| meraki:switches | host('MS' type(string) flags(ignore-case,prefix)) |
Links¶
Sourcetypes¶
| sourcetype | notes |
|---|---|
| meraki:accesspoints | MR |
| meraki:securityappliances | MX |
| meraki:switches | MS |
| meraki | vendor product by source configuration |
Sourcetype and Index Configuration¶
| key | sourcetype | index | notes |
|---|---|---|---|
| cisco_meraki_accesspoints | meraki:accesspoints | netfw | Filtered on the message format |
| cisco_meraki_securityappliances | meraki:securityappliances | netfw | Filtered on the message format |
| cisco_meraki_switches | meraki:switches | netfw | Filtered on the message format |
| cisco_meraki | meraki | netfw | Filtered on vendor product by source configuration |
Parser Configuration¶
#/opt/sc4s/local/config/app-parsers/app-vps-cisco_meraki.conf
#File name provided is a suggestion it must be globally unique
application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^testcm-")
};
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};