Forum Discussion
Sentinel & Cisco Meraki?
David Caddick I had to do it for a customer and it worked just fine using the Syslog server.
- Dev_Choudhary, Mar 27, 2020, Brass Contributor
Hi GaryBushey,
Can you please confirm the Sentinel table in which you are getting Meraki events. Is it a custom log or coming under Syslog?
- mperrotta, Mar 31, 2020, Brass Contributor
They will show up under Syslog.
- Dev_Choudhary, Mar 31, 2020, Brass Contributor
Hi mperrotta,
Thanks for your reply. I did the same, and the events getting under Syslog are not complete; they are truncating the events (by ':' in RawData).
Refer to the details below.
Actual log 1:
Mar 27 14:00:38 1.1.1.1 987654321.123456789 MerakiXXYY urls src=yy.yy.yy.yy:40206 dst=xxx.xxx.x.xx:443 mac=AA:AA:AA:BB:BB:BB request: UNKNOWN https://aaa.vbvbvb.com/...
SyslogMessage 1:
40206 dst=xxx.xxx.x.xx:443 mac=AA:AA:AA:BB:BB:BB request: UNKNOWN https://aaa.vbvbvb.com/...
Actual log 2:
Mar 27 14:00:56 1.1.1.1 987654321.123456789 MerakiYYXX flows allow src=yy.yy.yy.yy dst=xxx.xxx.x.xx mac=FF:FF:FF:FF:FF:FF protocol=udp sport=60000 dport=1234
SyslogMessage 2:
FF:FF:FF:FF:FF protocol=udp sport=60000 dport=1234
Have you observed the same issue? If not, can you please share the method you followed?
Thanks in advance
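The two pairs of lines above show the same symptom: the text reaching the Syslog table begins right after a ':' inside a field (the src port, the second octet of the MAC), so the Meraki header, event type and leading key=value pairs are gone. A small parser that knows what a complete Meraki "urls" or "flows" line looks like makes the damage measurable. The following is an added example written for this thread, not code from the thread or from Microsoft or Cisco; the sample lines are constructed on the pattern shown above with RFC 5737 documentation addresses, and the set of required fields per event type is an assumption for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the format quoted in the thread (not real traffic).
FULL_URLS_LINE = (
    "Mar 27 14:00:38 192.0.2.1 1585318838.123456789 Meraki-MX urls "
    "src=198.51.100.7:40206 dst=203.0.113.10:443 mac=AA:AA:AA:BB:BB:BB "
    "request: UNKNOWN https://example.com/"
)
FULL_FLOWS_LINE = (
    "Mar 27 14:00:56 192.0.2.1 1585318856.123456789 Meraki-MX flows allow "
    "src=198.51.100.7 dst=203.0.113.10 mac=FF:FF:FF:FF:FF:FF protocol=udp sport=60000 dport=1234"
)
# What the thread reports landing in SyslogMessage: everything up to a ':' was dropped.
TRUNCATED_URLS_LINE = "40206 dst=203.0.113.10:443 mac=AA:AA:AA:BB:BB:BB request: UNKNOWN https://example.com/"
TRUNCATED_FLOWS_LINE = "FF:FF:FF:FF:FF protocol=udp sport=60000 dport=1234"

# Meraki header: "<Mon> <day> <hh:mm:ss> <host> <epoch.fraction> <device> <rest>"
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<epoch>\d+\.\d+) (?P<device>\S+) (?P<rest>.*)$"
)

# Assumed minimum field set per event type; used to flag chopped events.
REQUIRED_FIELDS = {
    "urls": {"src", "dst", "mac", "request"},
    "flows": {"src", "dst", "mac", "protocol", "sport", "dport"},
}


def parse_meraki_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Meraki syslog line into a flat dict.

    Returns None when the Meraki header is absent, which is exactly what a
    line chopped at a ':' looks like once it reaches the Syslog table."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields: Dict[str, str] = {k: m.group(k) for k in ("host", "epoch", "device")}
    tokens = m.group("rest").split()

    # Tokens before the first key=value pair name the event type, e.g. "flows allow".
    event_words: List[str] = []
    i = 0
    while i < len(tokens) and "=" not in tokens[i] and not tokens[i].endswith(":"):
        event_words.append(tokens[i])
        i += 1
    fields["event_type"] = event_words[0] if event_words else ""
    if len(event_words) > 1:
        fields["action"] = " ".join(event_words[1:])

    while i < len(tokens):
        tok = tokens[i]
        if tok.endswith(":"):
            # "request: <method> <url>": the remainder of the line is the value.
            fields[tok[:-1]] = " ".join(tokens[i + 1:])
            break
        key, _, value = tok.partition("=")
        fields[key] = value
        i += 1

    # Split "ip:port" for src/dst when a port is present (MACs have five colons, so they are left alone).
    for k in ("src", "dst"):
        if k in fields and fields[k].count(":") == 1:
            ip, port = fields[k].split(":")
            fields[k] = ip
            fields[k + "_port"] = port
    return fields


def missing_fields(parsed: Optional[Dict[str, str]]) -> List[str]:
    """List the required fields absent from a parsed event.

    A None parse (no header) is reported as a missing 'header' so that a
    caller can count truncated events alongside merely incomplete ones."""
    if parsed is None:
        return ["header"]
    required = REQUIRED_FIELDS.get(parsed.get("event_type", ""), set())
    return sorted(required - set(parsed))


if __name__ == "__main__":
    for label, line in (("full urls", FULL_URLS_LINE), ("full flows", FULL_FLOWS_LINE),
                        ("truncated urls", TRUNCATED_URLS_LINE), ("truncated flows", TRUNCATED_FLOWS_LINE)):
        print(f"{label:15s} missing={missing_fields(parse_meraki_line(line))}")
```

Running the check over a day's worth of SyslogMessage values gives a ratio of header-less lines per event type, which is the number to put in a support case: if only "flows" events from the VPN path lose their header, the truncation is upstream of Sentinel and the parser itself is not the fault.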
- mperrotta, Mar 17, 2020, Brass Contributor
We are also working on this, but are running into an issue where some of the logs are getting chopped by the syslog server. It appears to be an issue only with VPN flow traffic on the MX firewall.
We have a case open trying to figure it out.
- Rod_Trent, Mar 16, 2020, Microsoft
GaryBushey Agreed.
The instructions here (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3rd-party/ba-p/803891) work pretty well. Search that page for 'Meraki'.