Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA-meraki
SHA256 checksum (ta-meraki_107.tgz) 177116e0a50b01c9b8adefc592a19654e15cce6164e6c5e8cbd3ccc55b6518eb SHA256 checksum (ta-meraki_106.tgz) 33e16370a716d57925e3e272fa0b72ac05a1178961856c2e47f5239d0e5e4be4 SHA256 checksum (ta-meraki_105.tgz) 21b292f7c258c9496587f5a72be4c5dc30a4156baf0f13d56abedff15120d3ea SHA256 checksum (ta-meraki_104.tgz) 2e4a25e3f6fd092a5aaa991ef2d8ce0d859a8dac70387e8a22ccc79a9909a83d SHA256 checksum (ta-meraki_103.tgz) bdad01ced3904e387875cb742613530565782b55e4a3fd2f1a601af4ffe9b87c SHA256 checksum (ta-meraki_102.tgz) f4f27412a6465537f1119997eba3537a87696ab3b2899c01ed4d32da32866b82 SHA256 checksum (ta-meraki_101.tgz) b0136c2924d1192ae033158d14743c4a27435a8c49ec3a0661f0b31166fc4061 SHA256 checksum (ta-meraki_100.tgz) 8e9c31e3508c8d2354378bc10f32ab42242f5d6d2c35c2c43d6f179ce38a5dea SHA256 checksum (ta-meraki_009.tgz) 1c82f811e42aaf1f4ad061597fdb588b834fa4ad1945acc696f86b4d20bd0b12 SHA256 checksum (ta-meraki_007.tgz) a1ce66abc57575485a02844299f7b7d48fdd5f6d28cd65aeb6b7bc0b7648808f SHA256 checksum (ta-meraki_006.tgz) c9513c1df474b634a0c3001a6c8971f9f864d214419a04869a936539a631f01f SHA256 checksum (ta-meraki_005.tgz) c09b52953f5d98aebcfe5c5c1b37b5ffb00908942f4104033416a5ef5891ae6f SHA256 checksum (ta-meraki_004.tgz) e30f645b49326d41be64a951e69d3b449f6f47442420284c8341288725a397bb SHA256 checksum (ta-meraki_003.tgz) cee5273acd2ac0ee323eccf4c0cb3557ae782dde02f800c675e3b090666313f1 SHA256 checksum (ta-meraki_002.tgz) 9315b137cff1bda0b1a2860317c0f88d9f7f6ff2f97682151ce57cb3da95cdaf
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

TA-meraki

Splunk AppInspect Passed
Overview
Details
This is a set of technology adapters for splunk to extract Cisco Meraki logs via syslog. Meraki sends a bunch of different log formats; some logs more complete than others. Majority of all logs extracted are CIM compliant and deposited into the Splunk Common Information Model.

Provides records following the below listed CIM models:
meraki-ids-alerts (ids,attack); meraki-flows (network,communicate), meraki-urls (web,proxy), meraki-dhcp (network,session,dhcp)

This is a technology adapter that enables front end applications to view meraki data via the common information model. If the front end is written to CIM standards your meraki data will automatically appear in that app. Examples include Splunk Enterprise Security (and likely others).

This TA-app assumes the following:
Cisco Meraki logs will all have sourcetype meraki

This app provides the following common information models:
[eventtype=meraki-ids-alerts]
ids = enabled
attack = enabled
[eventtype=meraki-flows]
network = enabled
communicate = enabled
[eventtype=meraki-urls]
web = enabled
proxy = enabled
[eventtype=meraki-dhcp]
network = enabled
session = enabled
dhcp = enabled

Due to difficulty in sometimes identifying the various services meraki provides; I recommend opening up a separate port on your syslog server with a filter as listed below; or adding a new UDP high address port on a heavy forwarder, or if you only had one indexer that box and then configuring that box as a syslog server with the UDP high address port chosen.

inputs.conf

[default]
host_segment = 4

[monitor:///logpartition/2017/meraki/]
sourcetype = meraki
index=meraki

[monitor:///logpartition/2017/meraki/]
sourcetype = meraki
index=meraki

Sample config for syslog-ng

port to process meraki

source s_ext_udp_15146 {
udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
filter f_meraki { facility(local0) };
log {
source(s_ext_udp_15146);
filter(f_meraki);
destination(d_meraki);
};
destination d_meraki {
file("/logpartition/$YEAR/meraki/$HOST/$YEAR/$MONTH/$DAY/meraki-$YEAR-$MONTH-$DAY"
owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes) template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};

Release Notes

Version 1.0.7
Aug. 31, 2017

Re-Released under Creative Commons Attribution-ShareAlike 3.0 Unported. (source of support changed https://github.com/AlaskaSSO/TA-meraki). Some cleanup. New logo.

Version 1.0.6
March 10, 2017

changed category field to a multi-field in order to pick up multiple category websites

Version 1.0.5
Jan. 31, 2017

bugfix for AP, flows were reported at the end of the log line unlike the other devices. Removed to blank space check at the end of [meraki_dest_port2]

Version 1.0.4
Jan. 27, 2017

cleanup on DHCP portion to make it easier to read
cleanup on signature_id to become more useful (applied signature_id to dhcp entries based on Microsoft DHCP error ids)
applied coalesce to a few different variables that were being reported by different regex's (signature_id,meraki_action,meraki_priority)

Version 1.0.3
Jan. 26, 2017

bugfix report of different logformat for flows on MX access point. Added new extractions for flows on AP.
bugfix regarding if you search for a signature created in the dhcp portion it was being overwritten by #FIELDALIAS-signature = category AS signature from the web portion; changed to a coalesce so now you can do a regular search on both without searching the model

Version 1.0.2
Jan. 24, 2017

bugfix: thank you jgrayccm; https://answers.splunk.com/answers/492167/typo-in-tagsconf.html

Version 1.0.1
Oct. 5, 2016

added meraki_dhcp_lease_release extraction
added meraki_events_ad extraction, basic identification for Active Directory activity
added meraki_date_clipper, if added to indexer or heavy forwarder this removes unix timestamp date and saves about 19 bytes of data per log file (normal syslog timestamp still exists) (optional), if the file format changes this will have no effect

Version 1.0.0
Sept. 30, 2016

No change except:
Version number to 1.0.0 for splunk certification of stable app
removed targeted index for eventtype search.

Version 0.0.9
Sept. 28, 2016

Minor update
cleanup for app certification status

Version 0.0.7
Sept. 28, 2016

Minor update
changed default app status to disabled for app certification status
modified documentation/icons and contact information for app certification process
This version will be submitted to application certification, app has been around for a while and I believe all/most major/minor bugs have been squashed

Version 0.0.6
Sept. 28, 2016

Minor update
added extraction for port status change (will eventually be added to CIM change analysis)
added extraction for authentication log under events-authentication
TODO: deal with more unparsed event types (i.e. vrrp); feel free to submit log samples
TODO: still deal with block messages regarding CIM compliance

Version 0.0.5
Sept. 27, 2016

Added DHCP CIM compliance (via meraki_app="events-dhcp")
moved status codes/rule messages to a lookup app so it will be more forward compatible in the future
moved web blocks to a new meraki_app called events-content_filtering_block, unfortunately with no source IP address I can't add it into the CIM. Maybe put the device as the src IP?
TODO: deal with more unparsed event types (i.e. vrrp); feel free to submit log samples
fixed minor bugs

Version 0.0.4
March 17, 2016

Added Web CIM compliance
todo: still deal with block messages regarding CIM compliance

Version 0.0.3
March 16, 2016

Updated CIM compatibility
Added ICMP Code Type resolution
Split Meraki into 2 sub event types instead of having them all as one
(IDS, and Network Traffic) for CIM compliance
Fixed a bug with splunk 6.3.2 regarding concat of fields; moved to running 2 extractions instead of one. Previously fieldname:$1$2 which no longer works
Fixed a typo in signature and signature-id
added a couple of fields to start on the progress of adding web CIM support to Meraki

TODO: Web CIM compliance (and more)

Version 0.0.2
Jan. 21, 2016

0.0.2

These are a set of Meraki extractions that are partially CIM compliant. These were developed from me seeing the events on my own system.

TA-meraki should be installed index side and search side.

These are likely NOT complete; but currently everything on my system is detected. Please feel free to submit logs or things that don't work
and I'll fix them.

514
Installs
2,964
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2018 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.