Forum Discussion
Sentinel & Cisco Meraki?
Hi, after working with the MS support team and their devs, they determined that Meraki logs don't follow the RFC standard for syslog messages. Basically, what is happening is that at the first = in the syslog message, Sentinel drops everything before it and only the remainder of the message gets captured.
The workaround for this was to have rsyslog write the Meraki logs to a file, then have Sentinel ingest the files into a custom log table. You will want to have log rotation set up to ensure that it does not grow infinitely. Here are the config notes I have. To have Sentinel pull the custom log, that is configured in Log Analytics under Advanced settings.
Let me know if you have any questions.
Configure Log Rotate

Create directory:

    sudo mkdir /var/log/meraki

Assign permission on folder (rsyslog writes to it as the syslog user):

    sudo chown syslog /var/log/meraki

Create log rotation configuration file:

    vi /etc/logrotate.d/meraki

    /var/log/meraki/meraki {
        # keep three rotated copies, rotating once the file reaches 100M
        rotate 3
        missingok
        # recreate the file with the owner and group rsyslog writes as
        create 0640 syslog adm
        notifempty
        compress
        size 100M
        delaycompress
        sharedscripts
        postrotate
            # tell rsyslog to reopen its output files after rotation
            /usr/lib/rsyslog/rsyslog-rotate
        endscript
    }

Configure rsyslog to send meraki logs to file:

    vi /etc/rsyslog.conf

Add the following line at the bottom (172.16.15.254 is the address the Meraki logs arrive from; replace it with yours):

    if ($fromhost-ip=='172.16.15.254') then /var/log/meraki/meraki
- tales80 (Jul 22, 2025, Copper Contributor):
I saw this but this doesn't seem right. The table to query the data isn't CiscoMeraki.
- UnifiedJD (Jun 10, 2021, Copper Contributor):
JKatzmandu good thread, the solution worked well to get the data separated. The only issue here is Sentinel has 0 analytics for Meraki; none of their scheduled/ML/Anomaly analytics will ever query that table, so I am going to work on getting the data into CommonSecurityLog in hopes it might catch something.
- JKatzmandu (Jan 08, 2021, Brass Contributor):
I use it when we query; so instead of "Cisco_Meraki_CL" as the "table" in my search, it's this function...
- mhaasEFD (Dec 05, 2020, Copper Contributor):
Are you running this function when you query? Or can this be used at collection without having to create individual custom fields?
- mhaasEFD (Nov 23, 2020, Copper Contributor):
Thanks,
I got syslog up and running already but looking over your info. I did set up a CEF output from my graylog server and found that cleaner, but if you don't need an internal graylog server it's probably an extra step.
- JKatzmandu (Nov 23, 2020, Brass Contributor):
I've done this Meraki recipe for two customers; it comes in via syslog, syslog puts it into its own file, it's read as a Custom Log by the Log Analytics Agent and is forwarded into Sentinel. Then within Sentinel we have a KQL function to extract the most common stuff. What's frustrating is that Cisco Meraki isn't always the most consistent with the log format.
Here's my GitHub with the extractors, which I have no problem with anyone else using, and if you guys have fixes, I'm happy to incorporate them:
https://github.com/jkatzmandu/sentinel_tricks
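A parser for the key=value layout that the first post says trips Sentinel's syslog handling, doing in Python what the KQL extractor function mentioned above does at query time. This is an added example, not code from the thread or from the linked repository; the sample lines are constructed, and the "<epoch> <device> <event_type> key=value ..." shape is an assumption about Meraki's format.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real device output). The header layout
# "<epoch> <device> <event_type> key=value ..." is an assumption; adjust
# HEADER_RE if your Meraki firmware emits something different.
SAMPLE_LINES = [
    "1611234567.123456789 MX84 flows src=10.1.1.5 dst=93.184.216.34 mac=AA:BB:CC:DD:EE:FF protocol=tcp sport=51234 dport=443 pattern: allow all",
    "1611234570.000000000 MX84 urls src=10.1.1.5:51240 dst=93.184.216.34:80 mac=AA:BB:CC:DD:EE:FF request: GET http://example.com/",
    "1611234580.500000000 MX84 ids-alerts signature=1:2100498:7 priority=2 timestamp=1611234580.4 direction=ingress protocol=tcp/ip src=198.51.100.7:4444 dst=10.1.1.5:80",
]

HEADER_RE = re.compile(r"^(?P<epoch>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<event_type>\S+)\s*(?P<rest>.*)$")
# A key=value pair must start at a token boundary so an "=" inside a URL query string is not split.
KV_RE = re.compile(r"(?<!\S)(\w+)=(\S+)")
IPV4_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_meraki_line(line):
    """Return a flat dict for one Meraki-style line, or None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    pairs = list(KV_RE.finditer(rest))
    # Text after the last key=value pair (e.g. "pattern: allow all") has no key; keep it whole.
    free_text = rest[pairs[-1].end():].strip() if pairs else rest.strip()
    record = {
        "time": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc).isoformat(),
        "device": m.group("device"),
        "event_type": m.group("event_type"),
        "message": free_text,
    }
    record.update((p.group(1), p.group(2)) for p in pairs)
    # Split "ip:port" endpoints into separate columns (IPv4 only; IPv6 values are left untouched).
    for key in ("src", "dst"):
        ep = IPV4_PORT_RE.match(record.get(key, ""))
        if ep:
            record[key], record[key + "_port"] = ep.group(1), int(ep.group(2))
    return record


def parse_meraki_lines(lines):
    """Parse many lines, skipping any that do not carry the expected header."""
    return [r for r in (parse_meraki_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_meraki_lines(SAMPLE_LINES):
        print(rec)
```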