Has anyone had any experience with getting Cisco Meraki feeds ingesting into Sentinel? Just checking for any gotcha's...

Hi, after working with the MS support team and their dev's, they determined that Meraki logs don't follow the RFC standard for syslog message. Basically, what is happening is at the first = in the syslog message, Sentinel dropping everything before it and the remainder of the message get captured. The workaround for this was to have rsyslog write the Meraki logs to a file then we have Sentinel ingest the files into a custom log table. You will want to have log rotation setup to ensure that it does not grow infinitely. Here are the config notes I have. To have Sentinel pull the custom log, that is configured in Log Analytics under Advanced settings. Let me know if you have any questions.Configure Log RotateCreate directory:sudo mkdir /var/log/meraki Assign permission on folder:sudo chown syslog /var/log/meraki Create log rotation configuration file: vi /etc/logrotate.d/meraki /var/log/meraki/meraki { rotate 3 missingok create 0640 syslog adm notifempty compress size 100M delaycompress sharedscripts postrotate /usr/lib/rsyslog/rsyslog-rotate endscript} Configure rsyslog to send meraki logs to file:vi /etc/rsyslog.conf Add the following line at the bottomif ($fromhost-ip=='172.16.15.254') then /var/log/meraki/meraki

We are also working on this, but are running into an issue where some of the logs are getting chopped by the syslog server. It appears to be an issue only with vpn flow traffic on the MX firewall.We have a case open trying to figure it out.

We are seeing the same symptom as well. We currently have a support case open to look into this. If we find the solution, I will update you.

GaryBushey Agreed. The instructions here (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3rd-party/ba-p/803891) work pretty well. Search that page for 'Meraki'

They will show up under syslog.

Sentinel & Cisco Meraki? | Microsoft Community Hub

GaryBushey
Bronze Contributor
Mar 16, 2020
David Caddick I had to do it for a customer and it worked just fine using the Syslog server.
- mperrotta
  Brass Contributor
  Mar 17, 2020
  We are also working on this, but are running into an issue where some of the logs are getting chopped by the syslog server. It appears to be an issue only with vpn flow traffic on the MX firewall.
  
  We have a case open trying to figure it out.
- Rod_Trent
  Microsoft
  Mar 16, 2020
  GaryBushey Agreed.
  
  The instructions here (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3rd-party/ba-p/803891) work pretty well. Search that page for 'Meraki'
- Dev_Choudhary
  Brass Contributor
  Mar 27, 2020
  Hi GaryBushey
  can you please confirm the sentinel table in which you are getting Meraki events. It is like custom log or coming under syslog ?
  - mperrotta
    Brass Contributor
    Mar 31, 2020
    They will show up under syslog.

Forum Discussion

Sentinel & Cisco Meraki?

Share

Resources