
AQUILA - Cisco Meraki Integration

Cisco Meraki provides a centralized cloud management platform for devices like MX Security Appliances, MR Access Points, and more. Its cloud-based architecture enables secure, scalable networks manageable from anywhere via the Meraki Dashboard or Mobile App. Each Meraki network generates events that can be collected and analyzed.


Integration Overview

This integration supports event collection through:

  • Syslog messages from Meraki devices

  • API Reporting Webhooks via the Meraki cloud


Compatibility

  • Supports event collection from MX Security Appliances and MR Access Points via syslog.

  • MS Switch events are not supported and will not be recognized.


Cisco Meraki Dashboard Configuration

Syslog Setup:

Configure one or more syslog servers and specify Meraki message types to send to those servers. For details, refer to the Syslog Server Overview and Configuration guide.

1. Identify Syslog-ng IP Address

Access the log collector virtual machine and open a terminal. Run the following command to determine the IP address of the syslog-ng server:

ifconfig -a

Please take note of the IP address, as this will be referenced during the configuration.

2. Install Syslog-ng

Install syslog-ng along with its required dependencies using the following command:

sudo apt-get install syslog-ng

3. Configure Syslog-ng

Edit the syslog-ng configuration file:

sudo nano /etc/syslog-ng/syslog-ng.conf

Locate the following line:

log { source(s_src); filter(f_crit); destination(d_console); };

Add the configuration below it, ensuring that Server_IP_Address and <MERAKI_IP_ADDRESS> are replaced with the appropriate values:

# Define syslog source
source s_net { udp(ip(Server_IP_Address) port(5140)); };

# Create filter to match traffic (this filter will catch all syslog messages from the MX)
filter f_meraki { host("<MERAKI_IP_ADDRESS>"); };

# Define a destination for syslog messages
destination df_meraki { file("/var/log/cisco_meraki.log"); };

# Bundle the source, filter, and destination rules together
log { source(s_net); filter(f_meraki); destination(df_meraki); };

4. Restart Syslog-ng

After saving the configuration, restart the syslog-ng service to apply the changes:

sudo /etc/init.d/syslog-ng restart

API Endpoint (Webhooks):

Configure Meraki webhooks from the dashboard. See Webhooks Dashboard Setup for detailed instructions.

Configuring the Cisco Meraki Integration

Syslog Collection:

Once the syslog-ng server is configured, please proceed with the following steps in the Cisco Meraki dashboard:

1. Log in to the Cisco Meraki dashboard.

2. Navigate to Network-wide > Configure > General.

3. Click Add a syslog server.

4. Populate the required fields as follows:

  • Server Address: Syslog server IP address
  • Port: 5140
  • Protocol: UDP

5. Under Roles, enable:

  • Switch Event Log

  • Wireless Air Marshal Events

  • Wireless Flow

Select one or more of these options based on your syslog server setup:

  • Collect syslog via UDP

  • Collect syslog via TCP

  • Collect syslog from a file

  • Enter the appropriate Syslog Host, Port, or File Path based on your selection.

Optional: Configuration Verification

To verify successful log ingestion, access the syslog server and run:

cd /var/log/
ls

If the file cisco_meraki.log is present, the configuration has been successfully applied and logs are being received.


Log Rotation Configuration

To manage log growth and prevent disk space issues, please configure log rotation as follows:

Create a logrotate configuration file:

sudo nano /etc/logrotate.d/meraki

Add the following content:

/var/log/cisco_meraki.log {
    daily
    missingok
    rotate 1
    compress
    delaycompress
    notifempty
    create 0640 root root
    postrotate
        # Optional commands, such as reloading syslog services
        # /etc/init.d/syslog-ng reload
    endscript
}

API Webhooks Collection:

  • Enable Collect events from Cisco Meraki via Webhooks.

  • Enter the following values to configure the webhook listener endpoint:

      • Listen Address

      • Listen Port

      • Webhook Path

  • The endpoint URL will be:
    https://{AGENT_ADDRESS}:8686/meraki/events

  • Enter the Secret Value matching the “Shared Secret” set in your Meraki webhook configuration.

  • Provide TLS configuration: Meraki requires HTTPS for webhook endpoints, so configure a valid TLS certificate or use a reverse proxy with HTTPS in front of the integration.
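The shared-secret check a webhook listener has to perform on each request, as an added example (not AQUILA's or Meraki's code). It assumes the secret arrives in the `sharedSecret` field of the JSON body; the function name, size cap and sample payload are constructed for illustration.

```python
import hmac
import json

WEBHOOK_PATH = "/meraki/events"  # path component of the endpoint URL above
MAX_BODY_BYTES = 1 << 20         # assumed size cap, not a documented limit


def validate_meraki_webhook(method, path, body, expected_secret):
    """Check one received request; return (ok, reason, event_without_secret)."""
    if method != "POST" or path != WEBHOOK_PATH:
        return False, "wrong method or path", None
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large", None
    try:
        event = json.loads(body)
    except (ValueError, RecursionError):  # invalid JSON, invalid UTF-8, absurd nesting
        return False, "body is not JSON", None
    if not isinstance(event, dict):
        return False, "body is not a JSON object", None
    supplied = event.get("sharedSecret")
    if not isinstance(supplied, str):
        return False, "sharedSecret missing", None
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(supplied.encode(), expected_secret.encode()):
        return False, "sharedSecret mismatch", None
    # Drop the secret so it is never written to logs or forwarded downstream.
    event = {k: v for k, v in event.items() if k != "sharedSecret"}
    return True, "ok", event


# Constructed sample body; real payloads carry more fields.
SAMPLE_BODY = json.dumps({
    "version": "0.1",
    "sharedSecret": "example-secret",
    "networkId": "N_0000",
    "alertType": "Settings changed",
}).encode()

if __name__ == "__main__":
    print(validate_meraki_webhook("POST", WEBHOOK_PATH, SAMPLE_BODY, "example-secret"))
    print(validate_meraki_webhook("POST", WEBHOOK_PATH, SAMPLE_BODY, "wrong")[:2])
```

Because the secret travels inside the request body, it is only protected in transit by the HTTPS requirement stated above.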


Log Events

Enable this option to collect Cisco Meraki log events across all applications configured for the selected log stream.


Logs Dataset

  • The cisco_meraki.log dataset contains events collected from the configured syslog server.

  • All Cisco Meraki specific syslog fields are available under the cisco_meraki.log field group for detailed analysis.
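A check on the collector that goes further than confirming /var/log/cisco_meraki.log exists: it parses the lines, counts them per event type and reports the newest timestamp. This is an added example, not part of the integration; it assumes each message contains `<epoch> <device> <type> key=value ...` somewhere in the line, and the sample lines are constructed.

```python
import re
from collections import Counter

# Searched anywhere in the line, so whatever prefix syslog-ng's file template
# writes in front of the Meraki message does not matter.
MERAKI_RE = re.compile(
    r"(?P<ts>\d{10}\.\d+) (?P<device>\S+) (?P<type>[a-z_\-]+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_line(line):
    """Return a dict for one Meraki syslog line, or None if it does not match."""
    m = MERAKI_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    fields = {k: v.strip("'") for k, v in KV_RE.findall(m["msg"])}
    return {"ts": float(m["ts"]), "device": m["device"],
            "type": m["type"], "fields": fields}


def summarize(lines):
    """Return (count per event type, number of unparsed lines, newest epoch)."""
    parsed = [parse_line(line) for line in lines]
    good = [p for p in parsed if p is not None]
    counts = Counter(p["type"] for p in good)
    newest = max((p["ts"] for p in good), default=None)
    return counts, len(parsed) - len(good), newest


# Constructed sample lines (documentation addresses, made-up timestamps).
SAMPLE_LINES = [
    "Jan 10 12:00:01 192.0.2.1 1 1704888001.123456789 MX84 flows src=198.51.100.7 "
    "dst=203.0.113.9 mac=00:00:5E:00:53:01 protocol=tcp sport=51514 dport=443 "
    "pattern: allow all",
    "Jan 10 12:00:02 192.0.2.1 1 1704888002.000000001 MX84 urls src=198.51.100.7:51515 "
    "dst=203.0.113.9:80 mac=00:00:5E:00:53:01 request: GET http://example.com/",
    "Jan 10 12:00:03 192.0.2.1 1 1704888003.5 MR33 events type=association "
    "radio='1' vap='0' channel='36'",
    "Jan 10 12:00:04 192.0.2.1 truncated line",
]

if __name__ == "__main__":
    # On the collector, pass open("/var/log/cisco_meraki.log") instead.
    print(summarize(SAMPLE_LINES))
```

An event type with a zero count, or a newest timestamp that is hours old, points at a role that was not enabled in the dashboard or a device whose address does not match the f_meraki filter.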

     

If you need further assistance, contact our support team at support@cytechint.com.