From 6d323f10afbee5259aed4893b8db83a8c90cddee Mon Sep 17 00:00:00 2001 From: cg Date: Fri, 1 Aug 2025 18:21:53 +0000 Subject: [PATCH] Updated doc --- .../Cisco Meraki Content Pack.html | 120 ++++++++++++------ 1 file changed, 83 insertions(+), 37 deletions(-) diff --git a/Content/Content Packs/Cisco Meraki Content Pack.html b/Content/Content Packs/Cisco Meraki Content Pack.html index 038e9cc0..a20a0fa4 100644 --- a/Content/Content Packs/Cisco Meraki Content Pack.html +++ b/Content/Content Packs/Cisco Meraki Content Pack.html @@ -1,57 +1,103 @@  - + - - - Cisco Meraki Content Pack - - + Cisco Meraki Content Pack +

Cisco Meraki is a hardware vendor and sells cloud-controlled security appliances (firewall), switches, and access points via a centralized managed platform. This technology pack will process Cisco Meraki logs, providing normalization and enrichment of common events of interest.

-

Supported Version(s)

+

Supported Version(s)

-

Supported Log MR Types

+

Supported Log MR Types

association, disassociation, wpa_auth, wpa_deauth, flows, 8021x_eap_failure, 8021x_deauth, 8021x_auth, 8021x_eap_success, splash_auth, mac_spoofing, multiple_servers, and device_packet_flood

-

Stream Configuration

-

This technology pack includes one stream:

+

Requirements

-

If this stream is already created then nothing will be changed. This stream will be created if it does not exist, and it will be configured to route messages to the Cisco Devices index set. There should not be any rules configured for this stream.

-

Index Set Configuration

-

This technology pack includes one index set definition:

+

Stream Configuration

+

This technology pack includes 1 stream:

-

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

-

Log Format Examples

-

1 1619032507.590967163 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp translated_dst_ip=4.4.4.4 +

+

+
Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream. +
+

-

1 1619032507.495518695 DEVICE_NAME flows src=1.1.1.1 dst=2.2.2.2 protocol=udp sport=1900 dport=1900 pattern: 1 all -

-

Requirements

+

Index Set Configuration

+

This technology pack includes 1 index set definition:

-
-
Meraki Syslog and Nanosecond Timestamps -
-
-

Cisco Meraki devices are sometimes configured to send epoch timestamps with nanoseconds; the Graylog syslog input cannot parse these messages and will drop them. If your device is configured to send nanosecond timestamps please configure a Raw/Plaintext UDP input for Graylog and configure the Meraki to send logs to the raw input. This input must be configured to use a different port than any other existing UDP input. The parsing of epoch timestamps will be addressed in a future version of Graylog.

-
-
-

What is Provided

+

+

+
Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation. +
+
+

+

Log Format Examples

+

1 1619032507.590967163 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp translated_dst_ip=4.4.4.4 +

+

1 1619032507.495518695 DEVICE_NAME flows src=1.1.1.1 dst=2.2.2.2 protocol=udp sport=1900 dport=1900 pattern: 1 all +

+

What is Provided

+

GIM Categorization

+

GIM categorization is provided for the following messages:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
vendor_event_typegim_event_type_code
ip_flow_start129999
ip_flow_end129999
flows129999
ids_alerted300000
urls180100
authentication109999
security_filtering_file_scanned300000
\ No newline at end of file
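Review bot: The new Stream Configuration hint ("it will be created and configured to route messages to this stream and the associated index set") is circular and drops the concrete target that the removed paragraph named, the "Cisco Devices index set"; restore that name so an operator can verify where the stream routes after activation, e.g. "...configured to route messages to the Cisco Devices index set. There should not be any stream rules configured for this stream." Two smaller points in the same hunk: the wording changes "includes one stream" to "includes 1 stream" and "includes one index set definition" to "includes 1 index set definition" regress the prose style of the rest of the page, so keep the spelled-out form; and removing the "Meraki Syslog and Nanosecond Timestamps" subheading leaves the paragraph about the syslog input dropping epoch-with-nanosecond messages and the Raw/Plaintext UDP input workaround sitting unlabelled under Requirements, so either keep that subheading or open the paragraph with a sentence that states what it covers. Finally, the file still ends without a trailing newline; add one.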