Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA-meraki
MD5 checksum (ta-meraki_106.tgz) c85f1c7c67ec2b923cc1db30b4179f02 MD5 checksum (ta-meraki_105.tgz) 5038cf0f3be467c8f37cd2de41cd72a0 MD5 checksum (ta-meraki_104.tgz) ce5e47622261cbca343556c76253b16c MD5 checksum (ta-meraki_103.tgz) fc742e7071a60ad5b1a9afc74cc50786 MD5 checksum (ta-meraki_102.tgz) 93687853b1797fb99b892236357da3c7 MD5 checksum (ta-meraki_101.tgz) 36f2e277fda256f4c57279e6af9d9a97
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

TA-meraki

Splunk Certified
Overview
Details
This is a set of technology adapters for splunk to extract Cisco Meraki logs via syslog. Meraki sends a bunch of different log formats; some logs more complete than others. Majority of all logs extracted are CIM compliant and deposited into the Splunk Common Information Model.

Provides records following the below listed CIM models:
meraki-ids-alerts (ids,attack); meraki-flows (network,communicate), meraki-urls (web,proxy), meraki-dhcp (network,session,dhcp)

This is a technology adapter that enables front end applications to view meraki data via the common information model. If the front end is written to CIM standards your meraki data will automatically appear in that app. Examples include Splunk Enterprise Security (and likely others).

This TA-app assumes the following:
Cisco Meraki logs will all have sourcetype meraki

This app provides the following common information models:
[eventtype=meraki-ids-alerts]
ids = enabled
attack = enabled
[eventtype=meraki-flows]
network = enabled
communicate = enabled
[eventtype=meraki-urls]
web = enabled
proxy = enabled
[eventtype=meraki-dhcp]
network = enabled
session = enabled
dhcp = enabled

Due to difficulty in sometimes identifying the various services meraki provides; I recommend opening up a separate port on your syslog server with a filter as listed below; or adding a new UDP high address port on a heavy forwarder, or if you only had one indexer that box and then configuring that box as a syslog server with the UDP high address port chosen.

inputs.conf

[default]
host_segment = 4

[monitor:///logpartition/2017/meraki/]
SHOULD_LINEMERGE=false
sourcetype = meraki
index=meraki

[monitor:///logpartition/2017/meraki/]
SHOULD_LINEMERGE=false
sourcetype = meraki
index=meraki

Sample config for syslog-ng

port to process meraki

source s_ext_udp_15146 {
udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
filter f_meraki { facility(local0) };
log {
source(s_ext_udp_15146);
filter(f_meraki);
destination(d_meraki);
};
destination d_meraki {
file("/logpartition/$YEAR/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes) template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

Release Notes

Version 1.0.6
March 10, 2017

changed category field to a multi-field in order to pick up multiple category websites

Version 1.0.5
Jan. 31, 2017

bugfix for AP, flows were reported at the end of the log line unlike the other devices. Removed to blank space check at the end of [meraki_dest_port2]

Version 1.0.4
Jan. 27, 2017

cleanup on DHCP portion to make it easier to read
cleanup on signature_id to become more useful (applied signature_id to dhcp entries based on Microsoft DHCP error ids)
applied coalesce to a few different variables that were being reported by different regex's (signature_id,meraki_action,meraki_priority)

Version 1.0.3
Jan. 26, 2017

bugfix report of different logformat for flows on MX access point. Added new extractions for flows on AP.
bugfix regarding if you search for a signature created in the dhcp portion it was being overwritten by #FIELDALIAS-signature = category AS signature from the web portion; changed to a coalesce so now you can do a regular search on both without searching the model

Version 1.0.2
Jan. 24, 2017

bugfix: thank you jgrayccm; https://answers.splunk.com/answers/492167/typo-in-tagsconf.html

Version 1.0.1
Oct. 5, 2016

added meraki_dhcp_lease_release extraction
added meraki_events_ad extraction, basic identification for Active Directory activity
added meraki_date_clipper, if added to indexer or heavy forwarder this removes unix timestamp date and saves about 19 bytes of data per log file (normal syslog timestamp still exists) (optional), if the file format changes this will have no effect

181
Installs
1,572
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

Splunk Certification Program

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2017 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.