MD5 checksums of the release archives (as listed on the download page):

ta-meraki_105.tgz 5038cf0f3be467c8f37cd2de41cd72a0
ta-meraki_104.tgz ce5e47622261cbca343556c76253b16c
ta-meraki_103.tgz fc742e7071a60ad5b1a9afc74cc50786
ta-meraki_102.tgz 93687853b1797fb99b892236357da3c7
ta-meraki_101.tgz 36f2e277fda256f4c57279e6af9d9a97
ta-meraki_100.tgz 00b38ef55b7521b9defe465b5ecb7846
ta-meraki_009.tgz c32b103594be8acfaea1fcc02a793b32
ta-meraki_007.tgz 9deaef3381c6d5488bd9808684467fdf
ta-meraki_006.tgz 168def4375078df1e06a30c2b06db5ce
ta-meraki_005.tgz 3ff17b148d310cacf21d6c3b1ca7d780
ta-meraki_004.tgz 56680fa0000dc2f900c6803c11d85287
ta-meraki_003.tgz 07330f766173d16193337663ce5ddef0
ta-meraki_002.tgz f962adc4f65bb8c7e4e7e47027b5ff58

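Before one of these archives goes into $SPLUNK_HOME/etc/apps, a practitioner verifies the checksum and looks inside it. The Python below is an added example, not code from the page or from the TA-meraki project: it checks a downloaded .tgz against the MD5 listed above (MD5 only proves the bytes match what Splunkbase published, not who built them) and audits the tar members for path traversal, symlinks that escape the app directory, hard links, device nodes and setuid bits. The demo() function builds one clean and one hostile archive in a temporary directory so the script runs offline; those archive names and contents are constructed for the demonstration and are not real releases.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# MD5 values copied from the download list above. Integrity only: pair with audit_members().
EXPECTED_MD5 = {
    "ta-meraki_105.tgz": "5038cf0f3be467c8f37cd2de41cd72a0",
    "ta-meraki_104.tgz": "ce5e47622261cbca343556c76253b16c",
}


def md5_of_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def checksum_matches(path, expected_hex):
    return md5_of_file(path) == expected_hex.lower()


def audit_members(path, app_dir="TA-meraki"):
    """Reasons not to extract this archive into etc/apps (an empty list means clean)."""
    problems = []
    with tarfile.open(path, "r:gz") as tar:
        for m in tar.getmembers():
            name = m.name
            norm = os.path.normpath(name)
            if os.path.isabs(name) or norm == ".." or norm.startswith("../"):
                problems.append(f"path escapes the extraction directory: {name}")
            elif norm.split("/")[0] != app_dir:
                problems.append(f"member outside {app_dir}/: {name}")
            if m.issym():
                # resolve the link target relative to the member's own directory
                target = os.path.normpath(os.path.join(os.path.dirname(name), m.linkname))
                if os.path.isabs(m.linkname) or target.startswith(".."):
                    problems.append(f"symlink points outside the app: {name} -> {m.linkname}")
            elif m.islnk() and os.path.normpath(m.linkname).split("/")[0] != app_dir:
                problems.append(f"hard link outside the app: {name} -> {m.linkname}")
            if m.isdev():
                problems.append(f"device node: {name}")
            if m.mode & 0o6000:
                problems.append(f"setuid/setgid bit set: {name}")
    return problems


def _add_file(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _add_symlink(tar, name, target):
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tar.addfile(info)


def demo():
    """Build a clean and a hostile .tgz (both constructed here, not real releases) and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ta-meraki_good.tgz")
        bad = os.path.join(tmp, "ta-meraki_bad.tgz")
        with tarfile.open(good, "w:gz") as tar:
            _add_file(tar, "TA-meraki/default/app.conf", b"[launch]\nversion = 1.0.5\n")
            _add_file(tar, "TA-meraki/default/tags.conf", b"[eventtype=meraki-flows]\nnetwork = enabled\n")
        with tarfile.open(bad, "w:gz") as tar:
            _add_file(tar, "TA-meraki/default/app.conf", b"[launch]\nversion = 1.0.5\n")
            _add_file(tar, "TA-meraki/../../etc/cron.d/evil", b"* * * * * root id\n")  # traversal
            _add_symlink(tar, "TA-meraki/bin/passwd", "/etc/passwd")  # escaping symlink
        expected = md5_of_file(good)  # stands in for the value copied from the download list
        return {
            "good_checksum_ok": checksum_matches(good, expected),
            "good_problems": audit_members(good),
            "bad_checksum_ok": checksum_matches(bad, expected),
            "bad_problems": audit_members(bad),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real download, call checksum_matches(path, EXPECTED_MD5[name]) and audit_members(path) and refuse to install on a mismatch or on any non-empty problem list; Splunk's own installer does not perform the member audit for you.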
TA-meraki

Splunk Certified
Overview
Details
This is a technology add-on (TA) for Splunk that extracts fields from Cisco Meraki logs received via syslog. Meraki emits a number of different log formats, some more complete than others. Most of the extracted events are CIM compliant and are mapped into the Splunk Common Information Model.

Provides records for the CIM models listed below (eventtype, followed by the tags it carries):
meraki-ids-alerts (ids, attack); meraki-flows (network, communicate); meraki-urls (web, proxy); meraki-dhcp (network, session, dhcp)

This TA-app assumes the following:

Cisco Meraki logs will all have sourcetype meraki

This is a technology add-on that lets front-end applications view Meraki data through the Common Information Model. If the front end is written to CIM standards, your Meraki data will automatically appear in that app. Examples include Splunk Enterprise Security (and likely others).

This app provides the following common information models:
[eventtype=meraki-ids-alerts]
ids = enabled
attack = enabled
[eventtype=meraki-flows]
network = enabled
communicate = enabled
[eventtype=meraki-urls]
web = enabled
proxy = enabled
[eventtype=meraki-dhcp]
network = enabled
session = enabled
dhcp = enabled
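To see what the eventtype-to-tag mapping above actually does to a line, here is an added Python example (not code from TA-meraki or its author): it parses constructed lines in the shape of Meraki syslog messages, reports which of the four eventtypes and which CIM tags each line would receive, and pulls out roughly the CIM fields a search would expect. The field names chosen here (src, dest, dest_port, transport, action, signature_id, severity, http_method, url, dest_mac) are an illustrative mapping, not the add-on's own props.conf. It also reproduces the bug the 1.0.5 release notes fix (an extraction that requires a blank after the port misses dport when it ends an AP flow line) and the timestamp clipping that the 1.0.1 meraki_date_clipper performs. The sample lines and the Snort-style priority-to-severity mapping are assumptions made for the example.

```python
import re

# Constructed sample events in the shape of Meraki syslog messages, not captured from a real
# network. Every Meraki line starts with "<epoch>.<nanos> <device name> <meraki_app> ...".
SAMPLE_LINES = [
    "1485879243.123456789 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:b0:35:f9:d9:7b "
    "protocol=udp sport=55719 dport=53 pattern: allow all",
    # AP form from the 1.0.5 notes: dport is the last token, nothing follows it
    "1485879244.200000000 MR42 flows src=192.168.1.50 dst=93.184.216.34 protocol=tcp sport=51000 dport=443",
    "1485879245.300000000 MX84 urls src=192.168.1.186:63735 dst=93.184.216.34:80 "
    "mac=58:b0:35:f9:d9:7b request: GET http://example.com/",
    "1485879246.400000000 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1485879246.3 "
    "direction=ingress protocol=tcp/ip src=203.0.113.7:80",
    "1485879247.500000000 MX84 events dhcp lease of ip 192.168.1.186 from server mac 00:18:0a:11:22:33 "
    "for client mac 58:b0:35:f9:d9:7b from router 192.168.1.1 on subnet 255.255.255.0 with dns 192.168.1.1",
    "1485879248.600000000 MX84 events vrrp transition to master",  # still unparsed per the TODO list
]

HEADER_RE = re.compile(r"^(?P<epoch>\d{10}\.\d+)\s+(?P<device>\S+)\s+(?P<app>\S+)\s*(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# eventtype -> CIM tags, as declared in the add-on's tags.conf listed above
EVENTTYPE_TAGS = {
    "meraki-ids-alerts": ("ids", "attack"),
    "meraki-flows": ("network", "communicate"),
    "meraki-urls": ("web", "proxy"),
    "meraki-dhcp": ("network", "session", "dhcp"),
}


def clip_date(line):
    """What meraki_date_clipper does: drop the Meraki epoch prefix, keep the rest of the event."""
    return re.sub(r"^\d{10}\.\d+\s+", "", line, count=1)


def split_endpoint(value):
    """'203.0.113.7:80' -> ('203.0.113.7', 80); a bare address -> (address, None)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and "." in host:
        return host, int(port)
    return value, None


def dest_port_buggy(text):
    """Pre-1.0.5 style extraction: demands a blank after the port, so a trailing dport is missed."""
    m = re.search(r"dport=(\d+) ", text)
    return int(m.group(1)) if m else None


def dest_port_fixed(text):
    """Accept either whitespace or end of line after the port."""
    m = re.search(r"dport=(\d+)(?=\s|$)", text)
    return int(m.group(1)) if m else None


def classify(app, body):
    if app in ("ids-alerts", "flows", "urls"):
        return "meraki-" + app
    if app == "events" and body.startswith("dhcp "):
        return "meraki-dhcp"
    return None  # e.g. vrrp: indexed as sourcetype meraki but no CIM eventtype


def parse(line):
    """Parse one Meraki line into CIM-style fields plus the eventtype and tags it would get."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    device, app, body = m.group("device"), m.group("app"), m.group("body")
    eventtype = classify(app, body)
    out = {"device": device, "meraki_app": app, "eventtype": eventtype,
           "tags": EVENTTYPE_TAGS.get(eventtype, ())}
    kv = dict(KV_RE.findall(body))
    if eventtype in ("meraki-flows", "meraki-urls", "meraki-ids-alerts"):
        for raw, cim in (("src", "src"), ("dst", "dest")):
            if raw in kv:
                out[cim], port = split_endpoint(kv[raw])
                if port is not None:
                    out[cim + "_port"] = port
        if "sport" in kv:
            out["src_port"] = int(kv["sport"])
        if "dport" in kv:
            out["dest_port"] = int(kv["dport"])
        if "protocol" in kv:
            out["transport"] = kv["protocol"].split("/")[0]  # "tcp/ip" -> "tcp"
    if eventtype == "meraki-flows":
        pat = re.search(r"pattern:\s*(\S+)", body)
        # Network_Traffic action vocabulary: allowed / blocked
        out["action"] = {"allow": "allowed", "deny": "blocked"}.get(pat.group(1) if pat else "", "unknown")
    elif eventtype == "meraki-urls":
        req = re.search(r"request:\s*(\S+)\s+(\S+)", body)
        if req:
            out["http_method"], out["url"] = req.groups()
    elif eventtype == "meraki-ids-alerts":
        out["signature_id"] = kv.get("signature")
        # assumption: Snort-style priority, 1 = high, 2 = medium, 3 = low
        out["severity"] = {"1": "high", "2": "medium", "3": "low"}.get(kv.get("priority"), "informational")
        out["direction"] = kv.get("direction")
    elif eventtype == "meraki-dhcp":
        d = re.search(r"lease of ip (\S+) from server mac (\S+) for client mac (\S+)", body)
        if d:  # illustrative DHCP mapping: leased address and client MAC are the destination side
            out["dest_ip"], out["src_mac"], out["dest_mac"] = d.groups()
        out["signature"] = "dhcp lease"
    return out


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse(sample))
```

The same two regexes are what the difference between a broken and a fixed EXTRACT in props.conf looks like: anything that anchors on a trailing literal space will silently drop the field for device types that put it last.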

Because it is not always obvious which Meraki service produced a given line, receive Meraki syslog on its own port: open a dedicated UDP port on your syslog server with a filter like the one below, or add a high-numbered UDP port input on a heavy forwarder (or, if you only have one indexer, on that box, configured as the syslog server for that port). Meraki sends syslog over plain UDP with no authentication, so restrict that port to the public addresses of your Meraki devices with a host firewall or a syslog-ng netmask() filter; otherwise anything that can reach the port can inject events that will be indexed as sourcetype meraki.

inputs.conf (on the forwarder or indexer that reads the files syslog-ng writes)

[default]
# segment 4 of /logpartition/logs/meraki/$HOST/... is the per-sender directory syslog-ng creates
host_segment = 4

[monitor:///logpartition/logs/meraki/*/2016/...]
sourcetype = meraki
index = meraki

[monitor:///logpartition/logs/meraki/*/2017/...]
sourcetype = meraki
index = meraki

props.conf (on the indexer or heavy forwarder that parses the data; SHOULD_LINEMERGE is a props.conf setting and has no effect inside an inputs.conf stanza)

[meraki]
SHOULD_LINEMERGE = false

The meraki index must already exist on the indexers.

Sample config for syslog-ng

# dedicated UDP port for Meraki; firewall it to the Meraki devices' source addresses
source s_ext_udp_15146 {
    # the kernel clamps so_rcvbuf to net.core.rmem_max; raise that sysctl or this value has no effect
    udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};

# Meraki devices send with facility local0
filter f_meraki { facility(local0); };

# one directory per sending host ($HOST is taken from the packet source unless keep_hostname(yes) is set),
# one file per day; 0640/0751 keeps the raw logs readable only by root and the adm group
destination d_meraki {
    file("/logpartition/logs/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
         owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes)
         template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

log {
    source(s_ext_udp_15146);
    filter(f_meraki);
    destination(d_meraki);
};

Release Notes

Version: 1.0.5

bugfix for AP: in AP flow events the fields are reported at the end of the log line, unlike the other devices. Removed the trailing blank-space check at the end of [meraki_dest_port2].

Jan. 31, 2017, 7:07 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 1.0.4

cleanup on DHCP portion to make it easier to read
cleanup on signature_id to become more useful (applied signature_id to dhcp entries based on Microsoft DHCP error ids)
applied coalesce to a few different variables that were being reported by different regex's (signature_id,meraki_action,meraki_priority)

Jan. 27, 2017, 1:22 a.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 1.0.3

bugfix: a different log format was reported for flows on the MX access point; added new extractions for flows on the AP.
bugfix: a signature created in the DHCP portion was being overwritten by FIELDALIAS-signature = category AS signature from the web portion; changed to a coalesce, so a regular search on signature now works for both without going through the data model.

Jan. 26, 2017, 10:07 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 1.0.2

bugfix: thank you jgrayccm; https://answers.splunk.com/answers/492167/typo-in-tagsconf.html

Jan. 24, 2017, 7:33 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 1.0.1

added meraki_dhcp_lease_release extraction
added meraki_events_ad extraction, basic identification for Active Directory activity
added meraki_date_clipper (optional): if enabled on the indexer or heavy forwarder, this removes the Unix timestamp Meraki prepends and saves about 19 bytes per event (the normal syslog timestamp still exists); if the log format changes it will have no effect

Oct. 5, 2016, 4:24 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 1.0.0

No change except:
Version number to 1.0.0 for splunk certification of stable app
removed targeted index for eventtype search.

Sept. 30, 2016, 5:37 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 0.0.9

Minor update
cleanup for app certification status

Sept. 28, 2016, 11:46 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 0.0.7

Minor update
changed default app status to disabled for app certification status
modified documentation/icons and contact information for app certification process
This version will be submitted for application certification; the app has been around for a while and I believe all or most major and minor bugs have been squashed.

Sept. 28, 2016, 8:59 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 0.0.6

Minor update
added extraction for port status change (will eventually be added to CIM change analysis)
added extraction for authentication log under events-authentication
TODO: deal with more unparsed event types (i.e. vrrp); feel free to submit log samples
TODO: still deal with block messages regarding CIM compliance

Sept. 28, 2016, 6:25 p.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 0.0.5

Added DHCP CIM compliance (via meraki_app="events-dhcp")
moved status codes/rule messages to a lookup app so it will be more forward compatible in the future
moved web blocks to a new meraki_app called events-content_filtering_block, unfortunately with no source IP address I can't add it into the CIM. Maybe put the device as the src IP?
TODO: deal with more unparsed event types (i.e. vrrp); feel free to submit log samples
fixed minor bugs

Sept. 27, 2016, 3:31 a.m.

Platform Independent

6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 0.0.4

Added Web CIM compliance
todo: still deal with block messages regarding CIM compliance

March 17, 2016, 7:53 p.m.

Platform Independent

6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 0.0.3

Updated CIM compatibility
Added ICMP Code Type resolution
Split Meraki into 2 sub event types instead of having them all as one
(IDS, and Network Traffic) for CIM compliance
Fixed a bug with Splunk 6.3.2 regarding concatenation of fields; moved to running two extractions instead of one. Previously fieldname:$1$2, which no longer works.
Fixed a typo in signature and signature-id
added a couple of fields to start on the progress of adding web CIM support to Meraki

TODO: Web CIM compliance (and more)

March 16, 2016, 10:23 p.m.

Platform Independent

6.4, 6.3, 6.2, 6.1, 6.0, 5.0

Version: 0.0.2

These are a set of Meraki extractions that are partially CIM compliant. These were developed from me seeing the events on my own system.

TA-meraki should be installed index side and search side.

These are likely NOT complete, but currently everything on my system is detected. Please feel free to submit logs or things that don't work and I'll fix them.

Jan. 21, 2016, 7:24 p.m.

Platform Independent

6.3, 6.2, 6.1, 6.0, 5.0

Installs: 139
Downloads: 1,069
Version
1.0.4
Category
IT Operations
Product Support
Splunk Enterprise
Splunk Cloud
Content Type
Add-on
Splunk Versions
6.5
6.4
6.3
6.2
6.1
6.0
5.0
CIM Versions
CIM 4.6, 4.5, 4.4, 4.3, 4.2, 4.1, 4.0, 3.0
Licensing
End User License Agreement for Third-Party Content
Platforms
Platform Independent
Built by
Myron Davis

© 2005-2017 Splunk Inc. All rights reserved.