NG SIEM - CISCO Meraki Integration
Cisco Meraki provides a centralized cloud management platform for devices like MX Security Appliances, MR Access Points, and more. Its cloud-based architecture enables secure, scalable networks manageable from anywhere via the Meraki Dashboard or Mobile App. Each Meraki network generates events that can be collected and analyzed.
Integration Overview
This integration supports event collection through:
- Syslog messages from Meraki devices
- API Reporting Webhooks via the Meraki cloud
Events can be searched, observed, and visualized.
Compatibility
- Supports event collection from MX Security Appliances and MR Access Points via syslog.
- MS Switch events are not supported and will not be recognized.
Cisco Meraki Dashboard Configuration
Syslog Setup:
Configure one or more syslog servers and specify Meraki message types to send to those servers. For details, refer to the Syslog Server Overview and Configuration guide.
API Endpoint (Webhooks):
Configure Meraki webhooks from the dashboard. See the Webhooks Dashboard Setup for detailed instructions.
Configuring the Cisco Meraki Integration
Syslog Collection:
- Select one or more of these options based on your syslog server setup:
  - Collect syslog via UDP
  - Collect syslog via TCP
  - Collect syslog from a file
- Enter the appropriate Syslog Host, Port, or File Path based on your selection.
API Webhooks Collection:
- Enable Collect events from Cisco Meraki via Webhooks.
- Enter the following values to configure the webhook listener endpoint:
  - Listen Address
  - Listen Port
  - Webhook Path
- The endpoint URL will be: https://{AGENT_ADDRESS}:8686/meraki/events
- Enter the Secret Value matching the “Shared Secret” set in your Meraki webhook configuration.
- Provide TLS configuration: Meraki requires HTTPS for webhook endpoints, so configure a valid TLS certificate or use a reverse proxy with HTTPS in front of the integration.
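As an added example (not the integration's own code), the following is a minimal receiver for the webhook endpoint above that checks the shared secret before accepting an event. It assumes Meraki posts a JSON body carrying the secret in a top-level sharedSecret field (Meraki's documented payload layout), uses the /meraki/events path from the URL above, and leaves TLS termination to a reverse proxy in front of it, as the page suggests. The sample payloads and the secret value are constructed placeholders.

```python
"""Minimal Meraki webhook receiver that validates the shared secret.
Added example; not the integration's own code.

Assumptions (not stated on the page):
  * the webhook body is JSON with the shared secret in a top-level
    "sharedSecret" field (Meraki's documented payload layout);
  * the listener path is /meraki/events, as in the page's endpoint URL;
  * TLS is terminated by a reverse proxy in front of this listener.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple

WEBHOOK_PATH = "/meraki/events"
# Placeholder value: load the real secret from the integration's configuration.
EXPECTED_SECRET = "replace-with-shared-secret"


def handle_webhook(path: str, body: bytes, expected_secret: str) -> Tuple[int, dict]:
    """Return (HTTP status, JSON-serialisable result) for one POST request."""
    if path != WEBHOOK_PATH:
        return 404, {"error": "unknown path"}
    try:
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "body is not a JSON object"}
    presented = payload.get("sharedSecret")
    # Constant-time comparison: a wrong secret must not be distinguishable by timing.
    if not isinstance(presented, str) or not hmac.compare_digest(presented, expected_secret):
        return 401, {"error": "shared secret mismatch"}
    # Keep only the fields the SIEM needs; the secret itself is never stored or logged.
    event = {
        "alert_type": payload.get("alertTypeId"),
        "alert_level": payload.get("alertLevel"),
        "network_id": payload.get("networkId"),
        "device_serial": payload.get("deviceSerial"),
        "occurred_at": payload.get("occurredAt"),
        "data": payload.get("alertData", {}),
    }
    return 200, event


class MerakiWebhookHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper; all decisions are made in handle_webhook()."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, result = handle_webhook(self.path, self.rfile.read(length), EXPECTED_SECRET)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(result).encode())


# Constructed sample payloads for an offline check (not real Meraki data).
SAMPLE_OK = json.dumps({
    "version": "0.1",
    "sharedSecret": EXPECTED_SECRET,
    "organizationId": "123456",
    "networkId": "N_0001",
    "deviceSerial": "QXXX-XXXX-XXXX",
    "alertTypeId": "settings_changed",
    "alertLevel": "informational",
    "occurredAt": "2024-01-01T00:00:00.000000Z",
    "alertData": {},
}).encode()
SAMPLE_BAD_SECRET = SAMPLE_OK.replace(EXPECTED_SECRET.encode(), b"wrong-secret")

if __name__ == "__main__":
    print(handle_webhook(WEBHOOK_PATH, SAMPLE_OK, EXPECTED_SECRET))          # 200 + event
    print(handle_webhook(WEBHOOK_PATH, SAMPLE_BAD_SECRET, EXPECTED_SECRET))  # 401
    # Plain HTTP on the page's port 8686; a TLS-terminating reverse proxy goes in front.
    HTTPServer(("0.0.0.0", 8686), MerakiWebhookHandler).serve_forever()
```

Every request is rejected unless its secret matches, so a misconfigured Shared Secret on the Meraki side shows up as a stream of 401 responses in the listener's access log rather than as silently missing events.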
Log Events
Enable this option to collect Cisco Meraki log events across all applications configured for the selected log stream.
Logs Dataset
- The cisco_meraki.log dataset contains events collected from the configured syslog server.
- All Cisco Meraki specific syslog fields are available under the cisco_meraki.log field group for detailed analysis.
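As an added example (not the integration's own ingest pipeline or grok patterns), the parser below shows what has to happen to a raw Meraki syslog line before its fields can be queried: the optional syslog PRI is split into facility and severity, the Meraki header (epoch timestamp, device name, role) is separated from the key=value body, and a line cut off inside a quoted value is flagged as truncated instead of being mis-parsed. It assumes the message layout Meraki documents for its syslog roles and that device names contain no spaces; all sample lines are constructed.

```python
"""Parser for Cisco Meraki syslog lines from MX and MR devices.
Added example; not the integration's own pipeline or grok patterns.

Assumed layout (Meraki's documented syslog format):
  [<PRI>]<epoch.fraction> <device name> <role> key=value ... [trailing text]
Device names are assumed to contain no spaces. Sample lines are constructed.
"""
import re
from typing import List, Optional

FACILITIES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"      # optional syslog PRI, e.g. <134>
    r"(?P<ts>\d+(?:\.\d+)?)\s+"      # Meraki epoch timestamp with fraction
    r"(?P<device>\S+)\s+"            # device name (no spaces assumed)
    r"(?P<role>[\w-]+)"              # events, flows, urls, ids-alerts, ...
    r"(?:\s+(?P<rest>.*))?$"
)
# One key=value token: single-quoted, double-quoted, or bare (bare may not start with a quote).
KV_RE = re.compile(r"(?P<k>[\w.-]+)=(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<raw>[^\s'\"]\S*))")
# A quote opened after '=' that never closes before end of line: the message was cut off.
UNCLOSED_RE = re.compile(r"=(['\"])[^'\"]*$")


def parse_meraki_syslog(line: str) -> Optional[dict]:
    """Parse one line; return None for lines that are not Meraki messages."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # e.g. the collector host's own rsyslog/systemd lines
    out = {"timestamp": float(m["ts"]), "device": m["device"], "role": m["role"],
           "fields": {}, "truncated": False}
    if m["pri"] is not None:
        pri = int(m["pri"])
        out["facility"] = FACILITIES.get(pri // 8, str(pri // 8))  # local0 == 16
        out["severity"] = SEVERITIES[pri % 8]
    rest = m["rest"] or ""
    # A truncated quoted value is detectable; a cut inside a bare value is not.
    out["truncated"] = UNCLOSED_RE.search(rest) is not None
    pos = 0
    while pos < len(rest):
        kv = KV_RE.match(rest, pos)
        if not kv:
            break  # first non key=value token: the remainder is free text
        value = next(v for v in (kv["sq"], kv["dq"], kv["raw"]) if v is not None)
        out["fields"][kv["k"]] = value
        pos = kv.end()
        while pos < len(rest) and rest[pos] == " ":
            pos += 1
    tail = rest[pos:].strip()
    if tail:
        out["message"] = tail  # e.g. "pattern: allow all" on flows, "request: ..." on urls
    return out


def parse_lines(lines: List[str]) -> List[dict]:
    """Parse many lines, dropping those that are not Meraki messages."""
    return [p for p in (parse_meraki_syslog(l) for l in lines) if p is not None]


# Constructed sample lines (addresses from documentation ranges, not real hosts).
SAMPLE_LINES = [
    "<134>1380664922.583813924 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' "
    "peer_contact='203.0.113.10:51856' connectivity='true'",
    "<134>1380664930.100000000 MX84 flows src=192.168.111.254 dst=198.51.100.8 "
    "mac=00:11:22:33:44:55 protocol=udp sport=45678 dport=53 pattern: allow all",
    "<134>1380664940.200000000 MX84 ids-alerts signature=129:4:1 priority=3 "
    "timestamp=1380664940.200000 direction=ingress protocol=tcp/ip src=192.168.111.254:56240",
    # Cut off mid-value, as happens when the forwarder's message size limit is too small.
    "<134>1380664950.300000000 MR33 events type=association radio='0' vap='1' "
    "client_mac='AA:BB:CC:DD:EE:FF' channel='36' rssi='42",
    "Jan  1 00:00:00 vm-host systemd[1]: Started rsyslog.",  # not a Meraki line
]

if __name__ == "__main__":
    for parsed in parse_lines(SAMPLE_LINES):
        print(parsed["device"], parsed["role"], parsed.get("facility"),
              "TRUNCATED" if parsed["truncated"] else "", parsed["fields"])
```

Counting parsed lines whose truncated flag is set, grouped by device, is a quick way to confirm the "Parsing/truncation errors" row in the table below: if the count drops to zero after raising the forwarder's maximum message size, the cause was the forwarder rather than the mapping.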
Possible Issues and Troubleshooting
| Issue | Possible Cause | Elastic-Side Fix | Client-Side Request |
|---|---|---|---|
| No logs ingested at all | No events generated from Meraki devices (low network activity or syslog roles not enabled). | N/A—wait for events or test by querying Azure Log Analytics for any Syslog entries. | Ask them to generate test events (e.g., connect/disconnect a device, access a URL) and confirm in Meraki Dashboard Event Log. Enable relevant syslog roles (e.g., Event Log, Flows) in Network-wide > Configure > General > Reporting. |
| Connectivity failure (Meraki to Azure VM) | Firewall/NSG blocks on UDP 514, incorrect IP/port in Meraki config, or VPN/NAT issues. | If Elastic pulls directly from Azure, verify Azure diagnostic settings export Syslog to Elastic workspace. | Provide tcpdump command on VM: tcpdump -i <interface> port 514 to check incoming packets. Request they update Meraki syslog server to correct VM IP/port. Add inbound UDP 514 rule in Azure NSG and allow UDP 514 through ufw on the VM (sudo ufw allow 514/udp). For VPN, add allow rules in Meraki Security & SD-WAN > Site-to-site VPN. |
| Syslog daemon not forwarding on Azure VM | Rsyslog/syslog-ng not configured to listen on UDP 514 or forward to AMA (e.g., missing imudp module or template). | N/A—issue is upstream in Azure/Meraki chain. | Request VM access to edit /etc/rsyslog.conf: Uncomment module(load="imudp") and input(type="imudp" port="514"). Add custom conf file for Meraki filtering. Restart rsyslog (sudo systemctl restart rsyslog). Check /var/log/syslog for entries. |
| Facility/severity mismatch in Azure | Meraki uses local0 facility; not enabled in AMA DCR, causing drops. | If logs reach Azure but not Elastic, check Elastic Agent policy for cisco_meraki.log dataset and index patterns (e.g., logs-cisco_meraki.log-*). | In Azure Portal > Monitor > Data Collection Rules: Edit DCR to include local0 facility and severities like info/notice. Associate with workspace/VM. Restart AMA (sudo systemctl restart azuremonitoragent). Query Syslog table: Syslog \| where Facility == "local0". |
| Agent issues in Azure | Using deprecated OMS agent, config overwritten, or permissions on log folders. | Verify Elastic integration version (e.g., 1.31.0+) and redeploy agent policy if needed. Check Fleet logs for ingestion errors. | Migrate to AMA if on OMS (deprecated post-Aug 2024). Ensure AMA has read access (sudo chmod -R 755 /var/log). Restart agent and check /var/log/azure/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent/agent.log for errors. |
| Parsing/truncation errors | Meraki logs too long, truncated in forwarding; default Syslog table doesn't parse correctly. | In Elastic, adjust mapping for cisco_meraki.log fields if incomplete. Use grok patterns for custom parsing in ingest pipeline. | Increase rsyslog max message size ($MaxMessageSize 64k) and restart. Use custom log table in Azure for Meraki (e.g., meraki_CL) via file ingestion if Syslog fails. |
| Rate limits or high volume | Exceeding Meraki/Azure limits, dropping logs. | Tune Elastic poll interval (e.g., 5-10 min) and add retries in agent policy. Monitor shard usage. | Check Meraki Dashboard for high event volume; disable voluminous roles like Flows temporarily. Monitor Azure workspace for throttling alerts. |
Note: These issues focus on the Azure to Cisco Meraki path because we are currently experiencing an issue between the two: "Syslog can't connect to Azure Log Connector".
Sources:
Syslog Server Overview and Configuration - Cisco Meraki Documentation
Cisco Meraki Azure Sentinel data connector won't connect - The Meraki Community
Injecting Cisco Meraki logs to Azure Sentinel - Microsoft Q&A
Microsoft Azure Sentinel Log Analytics- Not Collecting Syslog – Michael Paul | @micoolpaul
Azure Tunnel to Meraki Established however no traffic flow - Microsoft Q&A
Collect Syslog events with Azure Monitor Agent - Azure Monitor | Microsoft Learn
Issues with rsyslog connected to Microsoft Sentinel (previus: Azure Sentine... - The Meraki Community
Re: How can I set up a couple of VMs on Azure? - Splunk Community
If you need further assistance, kindly contact support@cytechint.com for prompt assistance and guidance.