Collect Cisco Meraki logs

This document describes how you can collect Cisco Meraki logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_MERAKI ingestion label.

Configure Cisco Meraki

  1. Sign in to the Cisco Meraki dashboard.
  2. In the Cisco Meraki dashboard, select Configure > Alerts & administration.
  3. In the Logging section, do the following:
    1. In the Server IP field, specify the IP address of the Google Security Operations forwarder.
    2. In the Port field, specify the port the forwarder listens on, such as 514.
    3. In the Roles field, select all four available roles to receive every log type, or select only the combination you need.
  4. Click Save changes.

Meraki devices send syslog as plain text over UDP, so the messages are neither encrypted nor authenticated in transit. Keep the path between the devices and the forwarder on a trusted network, and restrict the forwarder's listening port to the source addresses of the Meraki devices.

Configure Google Security Operations forwarder and syslog to ingest Cisco Meraki logs

  1. From the Google Security Operations menu, select Settings, and then click Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder name field, type a name.
  4. Click Submit. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a name.
  6. Select Cisco Meraki as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following input parameters:
    • Protocol: specify the transport the collector listens on. Meraki devices send syslog over UDP, so select UDP unless a relay in front of the forwarder re-sends the messages over TCP.
    • Address: specify the IP address or hostname on which the collector listens for syslog data.
    • Port: specify the port on which the collector listens for syslog data. It must match the port configured in the Meraki dashboard, such as 514.
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles Cisco Meraki (identified as Cisco/Meraki) logs in either SYSLOG or JSON format, normalizing them into UDM. It uses grok patterns to parse syslog messages and conditional logic based on the eventType field to extract relevant information, handling various event types like network flows, URL requests, firewall events, and generic events, mapping them to appropriate UDM fields and enriching the data with additional context. If the input isn't syslog, it attempts to parse it as JSON and maps the relevant fields to UDM.
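The following script is an added example and not part of this page or of the Google Security Operations parser. It mimics the syslog branch described above in plain Python: split the Meraki body into the epoch timestamp, the sending device, the event type and the key-value pairs, then apply the action, protocol, port and MAC rules from the mapping table that follows, producing a UDM-shaped dictionary. The sample lines are constructed to follow the Meraki syslog layout (flows, firewall, urls and events) and are not captured data; the protocol-number table and the pattern sets are taken from the mapping rules on this page, and the optional `<PRI>1` prefix handling is an assumption about what a syslog relay may prepend.

```python
import re
from datetime import datetime, timezone

# Meraki syslog body layout: "<epoch.nanos> <device> <type> key=value ... [pattern: ...]".
# An RFC 5424 style "<PRI>1 " prefix, if a relay adds one, is skipped (assumption).
HEADER_RE = re.compile(
    r"^(?:<\d+>\d*\s+)?(?P<ts>\d+(?:\.\d+)?)\s+(?P<dvc>\S+)\s+(?P<etype>\S+)\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

# Protocol numbers the page's changelog calls out (47, 50, 103) plus the common ones.
IP_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP", "47": "GRE", "50": "ESP", "103": "PIM"}
BLOCK_PATTERNS = {"1 all", "deny all", "group policy deny"}
ALLOW_PATTERNS = {"0 all", "allow all", "group policy allow"}

# Constructed sample lines in the Meraki flows/firewall/urls/events layout (not captured data).
SAMPLE_LINES = [
    "1374543213.342710086 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:EF:68:2E:34:05 "
    "protocol=udp sport=45047 dport=53 pattern: allow all",
    "1374543213.500000000 MX84 firewall src=192.168.1.186 dst=203.0.113.9 mac=58:EF:68:2E:34:05 "
    "protocol=tcp sport=51512 dport=445 pattern: 1 all",
    "1374543986.038687615 MX84 urls src=192.168.1.186:63735 dst=198.51.100.40:80 "
    "mac=58:EF:68:2E:34:05 request: GET http://example.com/index.html",
    "1380653443.857790001 MR18 events type=association radio='0' vap='0' channel='6' rssi='47' aid='1546148604'",
    "1374543214.000000000 MX84 flows src=10.0.0.5 dst=10.0.0.1 mac=AA:BB:CC:DD:EE:01 protocol=47 pattern: Group Policy Deny",
]


def action_from_pattern(pattern):
    """security_result.action derived from the flows/firewall 'pattern' text."""
    p = pattern.strip().lower()
    if p in BLOCK_PATTERNS:
        return "BLOCK"
    if p in ALLOW_PATTERNS:
        return "ALLOW"
    return "UNKNOWN_ACTION"


def normalise_protocol(value):
    """network.ip_protocol: upper-case, numbers to names, ICMP6 folded into ICMP."""
    v = value.strip()
    v = IP_PROTO.get(v, v.upper())
    return "ICMP" if v == "ICMP6" else v


def split_host_port(value):
    """'192.0.2.1:80' -> ('192.0.2.1', 80); bare IPv4 or IPv6 literals keep port None."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return value, None


def parse_meraki_line(line):
    """Return a UDM-shaped dict for one Meraki syslog body, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # the real parser would fall back to JSON here
    etype = m.group("etype")
    rest, _, pattern = m.group("rest").partition(" pattern:")
    rest, _, request = rest.partition(" request:")
    kv = {k: v.strip("'") for k, v in KV_RE.findall(rest)}

    udm = {
        "metadata": {
            "event_timestamp": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc).isoformat(),
            "product_event_type": etype,
        },
        "intermediary": {"hostname": m.group("dvc")},
        "principal": {}, "target": {}, "network": {}, "security_result": {},
    }
    for key, entity in (("src", "principal"), ("dst", "target")):
        if key in kv:  # urls lines carry ip:port, flows/firewall lines carry bare ips
            ip, port = split_host_port(kv[key])
            udm[entity]["ip"] = ip
            if port is not None:
                udm[entity]["port"] = port
    if "sport" in kv:
        udm["principal"]["port"] = int(kv["sport"])
    if "dport" in kv:
        udm["target"]["port"] = int(kv["dport"])
    if "mac" in kv:
        udm["principal"]["mac"] = kv["mac"].lower()
    if "protocol" in kv:
        udm["network"]["ip_protocol"] = normalise_protocol(kv["protocol"])
    if pattern:
        udm["security_result"]["description"] = pattern.strip()
        udm["security_result"]["action"] = action_from_pattern(pattern)
    if request:
        method, _, url = request.strip().partition(" ")
        udm["network"]["http"] = {"method": method}
        udm["target"]["url"] = url
    if etype == "events" and "type" in kv:  # 'events' lines carry the summary in type=
        udm["security_result"]["summary"] = kv["type"]
        if "aid" in kv:
            udm["network"]["session_id"] = kv["aid"]
        if "rssi" in kv:
            udm["intermediary"]["asset"] = {"product_object_id": kv["rssi"]}
        if "channel" in kv:
            udm["security_result"]["detection_fields"] = [{"key": "channel", "value": kv["channel"]}]
        if "client_mac" in kv:
            udm["principal"]["mac"] = kv["client_mac"].lower()
        if "client_ip" in kv:
            udm["principal"]["ip"] = kv["client_ip"]
    return udm


def parse_lines(lines):
    """Normalise a batch of lines, dropping anything that is not a Meraki body."""
    return [e for e in (parse_meraki_line(l) for l in lines) if e is not None]


if __name__ == "__main__":
    import json
    for event in parse_lines(SAMPLE_LINES):
        print(json.dumps(event, sort_keys=True))
```

Run it against a capture from your own forwarder (for example, a few lines saved from tcpdump on the listening port) to confirm the device names, event types and pattern strings your Meraki networks emit match the cases the mapping table documents; anything the script returns as UNKNOWN_ACTION or with an empty security_result is a candidate for a parser extension request.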

UDM Mapping Table

Log field | UDM mapping | Logic
action | security_result.action | Converted to uppercase; "deny" is rewritten to "BLOCK". It is then overridden in this order: if sc_action contains "allow", ALLOW; otherwise, if decision contains "block", BLOCK; otherwise, if authorization is "success", ALLOW, and if "failure", BLOCK; otherwise, if pattern is "1 all", "deny all" or "Group Policy Deny", BLOCK, and if pattern is "allow all", "Group Policy Allow" or "0 all", ALLOW; otherwise UNKNOWN_ACTION. Finally, if decision contains "block", the action is set to BLOCK.
adId | principal.user.user_display_name | Directly mapped from JSON logs.
agent | network.http.user_agent | Apostrophes are removed, then the value is mapped directly. Also converted to network.http.parsed_user_agent with the parseduseragent filter.
aid | network.session_id | Directly mapped.
appProtocol | network.application_protocol | Converted to uppercase, then mapped directly.
attr | additional.fields | Added to the additional.fields array as a key-value pair with the key "attr".
authorization | security_result.action_details | Directly mapped from JSON logs.
band | additional.fields | Added to the additional.fields array as a key-value pair with the key "band".
bssids.bssid | principal.mac | Converted to lowercase and merged into the principal.mac array.
bssids.detectedBy.device | intermediary.asset.asset_id | Formatted as "Device id: ".
bssids.detectedBy.rssi | intermediary.asset.product_object_id | Converted to a string.
Channel | about.resource.attribute.labels | Added to the about.resource.attribute.labels array as a key-value pair with the key "Channel".
clientDescription | additional.fields | Added to the additional.fields array as a key-value pair with the key "clientDescription".
clientId | additional.fields | Added to the additional.fields array as a key-value pair with the key "clientId".
clientIp | principal.ip, principal.asset.ip | Directly mapped.
clientMac | principal.mac | Converted to lowercase; mapped from JSON logs.
client_ip | principal.ip, principal.asset.ip | Directly mapped.
client_mac | principal.mac | Converted to lowercase.
code | additional.fields | Added to the additional.fields array as a key-value pair with the key "code".
collection_time | metadata.event_timestamp | The seconds and nanos fields are combined into a timestamp.
Conditions | security_result.about.resource.attribute.labels | Carriage returns, newlines and tabs are replaced with spaces and specific values are substituted; the result is added to the security_result.about.resource.attribute.labels array as a key-value pair with the key "Conditions".
decision | security_result.action | If the value is "blocked", the action is set to "BLOCK".
desc | metadata.description | Directly mapped.
description | security_result.description | Directly mapped from JSON logs.
DestAddress | target.ip, target.asset.ip | Directly mapped.
DestPort | target.port | Converted to an integer.
deviceIp | target.ip | Directly mapped.
deviceMac | target.mac | Converted to lowercase.
deviceName | target.hostname, target.asset.hostname | Directly mapped from JSON logs.
deviceSerial | target.asset.hardware.serial_number | Directly mapped from JSON logs.
Direction | network.direction | Special characters are removed, then the value is mapped.
DisabledPrivilegeList | target.user.attribute | Carriage returns, newlines and tabs are replaced; the result is parsed as JSON and merged into the target.user.attribute object.
dport | target.port | Converted to an integer.
dst | target.ip, target.asset.ip | Directly mapped.
dstIp | target.ip, target.asset.ip | Directly mapped.
dstPort | target.port | Converted to an integer.
dvc | intermediary.hostname | Directly mapped.
EnabledPrivilegeList | target.user.attribute | Carriage returns, newlines and tabs are replaced; the result is parsed as JSON and merged into the target.user.attribute object.
eventData.aid | principal.asset_id | Formatted as "ASSET_ID:".
eventData.client_ip | principal.ip, principal.asset.ip | Directly mapped from JSON logs.
eventData.client_mac | principal.mac | Converted to lowercase; mapped from JSON logs.
eventData.group | principal.group.group_display_name | Directly mapped from JSON logs.
eventData.identity | principal.hostname | Directly mapped from JSON logs.
eventData.ip | principal.ip, principal.asset.ip | Directly mapped from JSON logs.
EventID | metadata.product_event_type, security_result.rule_name | Converted to a string and mapped to metadata.product_event_type; also used to build security_result.rule_name in the format "EventID: ". Used to determine event_type and sec_action.
eventSummary | security_result.summary, metadata.description | Directly mapped; also used in security_result.description for some events.
eventType | metadata.product_event_type | Directly mapped; selects which parsing logic applies.
filename | principal.process.file.full_path | Directly mapped.
FilterId | target.resource.product_object_id | Directly mapped for EventID 5447.
FilterName | target.resource.name | Directly mapped for EventID 5447.
FilterRTID | security_result.detection_fields | Added to the security_result.detection_fields array as a key-value pair with the key "FilterRTID".
firstSeen | security_result.detection_fields | Converted to a string; added to the security_result.detection_fields array as a key-value pair with the key "firstSeen".
gatewayDeviceMac | target.mac | Converted to lowercase and merged into the target.mac array.
group | additional.fields | Added to the additional.fields array as a key-value pair with the key "group".
GroupMembership | target.user | Carriage returns, newlines, tabs and special characters are removed; the result is parsed as JSON and merged into the target.user object.
Hostname | principal.hostname, principal.asset.hostname | Directly mapped.
identity | target.user.userid | Directly mapped.
instigator | additional.fields | Added to the additional.fields array as a key-value pair with the key "instigator".
int_ip | intermediary.ip | Directly mapped.
ip_msg | principal.resource.attribute.labels | Added to the principal.resource.attribute.labels array as a key-value pair with the key "IPs".
is_8021x | additional.fields | Added to the additional.fields array as a key-value pair with the key "is_8021x".
KeyName | target.resource.name | Directly mapped.
KeyFilePath | target.file.full_path | Directly mapped.
lastSeen | security_result.detection_fields | Converted to a string; added to the security_result.detection_fields array as a key-value pair with the key "lastSeen".
last_known_client_ip | principal.ip, principal.asset.ip | Directly mapped.
LayerName | security_result.detection_fields | Added to the security_result.detection_fields array as a key-value pair with the key "Layer Name".
LayerRTID | security_result.detection_fields | Added to the security_result.detection_fields array as a key-value pair with the key "LayerRTID".
localIp | principal.ip, principal.asset.ip | Directly mapped.
login | principal.user.email_addresses | Directly mapped from JSON logs when the value matches an email address format.
LogonGuid | additional.fields | Added to the additional.fields array as a key-value pair with the key "LogonGuid".
LogonType | extensions.auth.mechanism | Mapped to an authentication mechanism by value: 2 -> USERNAME_PASSWORD, 3 -> NETWORK, 4 -> BATCH, 5 -> SERVICE, 7 -> UNLOCK, 8 -> NETWORK_CLEAR_TEXT, 9 -> NEW_CREDENTIALS, 10 -> REMOTE_INTERACTIVE, 11 -> CACHED_INTERACTIVE, 12 -> CACHED_REMOTE_INTERACTIVE, 13 -> CACHED_UNLOCK, other -> MECHANISM_UNSPECIFIED. If PreAuthType is present, it overrides LogonType.
mac | principal.mac | Converted to lowercase and merged into the principal.mac array.
MandatoryLabel | additional.fields | Added to the additional.fields array as a key-value pair with the key "MandatoryLabel".
Message | security_result.description, security_result.summary | If AccessReason is present, Message is mapped to security_result.summary and AccessReason to security_result.description; otherwise Message is mapped to security_result.description.
method | network.http.method | Directly mapped.
msg | security_result.description | Directly mapped.
name | principal.user.user_display_name | Directly mapped from JSON logs.
natsrcIp | principal.nat_ip | Directly mapped.
natsrcport | principal.nat_port | Converted to an integer.
network_id | additional.fields | Added to the additional.fields array as a key-value pair with the key "Network ID".
NewProcessId | target.process.pid | Directly mapped.
NewProcessName | target.process.file.full_path | Directly mapped.
NewSd | target.resource.attribute.labels | Added to the target.resource.attribute.labels array as a key-value pair with the key "New Security Descriptor".
occurredAt | metadata.event_timestamp | Parsed as an ISO 8601 timestamp.
ObjectName | target.file.full_path, target.registry.registry_key, target.process.file.full_path, additional.fields | For EventID 4663: mapped to target.process.file.full_path if ObjectType is "Process", to target.registry.registry_key if ObjectType is "Key", otherwise to target.file.full_path. For other events, added to the additional.fields array as a key-value pair with the key "ObjectName".
ObjectType | additional.fields | Added to the additional.fields array as a key-value pair with the key "ObjectType". Also used to determine event_type.
OldSd | target.resource.attribute.labels | Added to the target.resource.attribute.labels array as a key-value pair with the key "Original Security Descriptor".
organizationId | principal.resource.id | Directly mapped from JSON logs.
ParentProcessName | target.process.parent_process.file.full_path | Directly mapped.
pattern | security_result.description | Directly mapped. Also used to determine security_result.action.
peer_ident | target.user.userid | Directly mapped.
PreAuthType | extensions.auth.mechanism | When present, determines the authentication mechanism and overrides LogonType.
principalIp | principal.ip, principal.asset.ip | Directly mapped.
principalMac | principal.mac | Converted to lowercase and merged into the principal.mac array.
principalPort | principal.port | Converted to an integer.
prin_ip2 | principal.ip, principal.asset.ip | Directly mapped.
prin_url | principal.url | Directly mapped.
priority | security_result.priority | Mapped by value: 1 -> HIGH_PRIORITY, 2 -> MEDIUM_PRIORITY, 3 -> LOW_PRIORITY, other -> UNKNOWN_PRIORITY.
ProcessID | principal.process.pid | Converted to a string.
ProcessName | principal.process.file.full_path, target.process.file.full_path | Mapped to target.process.file.full_path for EventID 4689, otherwise to principal.process.file.full_path.
prod_log_id | metadata.product_log_id | Directly mapped.
protocol | network.ip_protocol | Converted to uppercase. A numeric value is converted to the corresponding IP protocol name; "ICMP6" is replaced with "ICMP".
ProviderGuid | metadata.product_deployment_id | Directly mapped.
query | network.dns.questions.name | Directly mapped.
query_type | network.dns.questions.type | Renamed to question.type and merged into the network.dns.questions array; converted to the numeric value of the DNS query type.
radio | additional.fields | Added to the additional.fields array as a key-value pair with the key "radio".
reason | additional.fields | Added to the additional.fields array as a key-value pair with the key "reason".
rec_bytes | network.received_bytes | Converted to an unsigned integer.
RecordNumber | metadata.product_log_id | Converted to a string.
RelativeTargetName | target.process.file.full_path | Directly mapped.
response_ip | principal.ip, principal.asset.ip | Directly mapped.
rssi | intermediary.asset.product_object_id | Directly mapped.
sc_action | security_result.action_details | Directly mapped.
sec_action | security_result.action | Merged into the security_result.action array.
server_ip | client_ip (intermediate field) | Copied to client_ip and mapped from there.
Severity | security_result.severity | Mapped by value: "Info" -> INFORMATIONAL, "Error" -> ERROR, "Warning" -> MEDIUM, other -> UNKNOWN_SEVERITY.
sha256 | target.file.sha256 | Directly mapped.
signature | additional.fields | Added to the additional.fields array as a key-value pair with the key "signature".
SourceAddress | principal.ip, principal.asset.ip | Directly mapped.
SourceHandleId | src.resource.id | Directly mapped.
SourceModuleName | observer.labels | Added to the observer.labels array as a key-value pair with the key "SourceModuleName".
SourceModuleType | observer.application | Directly mapped.
SourcePort | principal.port | Converted to an integer.
SourceProcessId | src.process.pid | Directly mapped.
source_client_ip | client_ip (intermediate field) | Copied to client_ip and mapped from there.
sport | principal.port | Converted to an integer.
src | principal.ip, principal.asset.ip | Directly mapped.
ssid | network.session_id | Directly mapped from JSON logs.
ssidName | additional.fields | Added to the additional.fields array as a key-value pair with the key "ssidName".
state | additional.fields | Added to the additional.fields array as a key-value pair with the key "state".
Status | additional.fields | Added to the additional.fields array as a key-value pair with the key "Status".
status_code | network.http.response_code | Converted to an integer.
SubjectDomainName | principal.administrative_domain | Directly mapped.
SubjectLogonId | principal.resource.attribute.labels | Added to the principal.resource.attribute.labels array as a key-value pair with the key "SubjectLogonId".
SubjectUserName | principal.user.userid | Directly mapped.
SubjectUserSid | principal.user.windows_sid | Directly mapped.
targetHost | target.hostname, target.asset.hostname | Converted to an IP address if possible; otherwise parsed to extract the hostname, which is mapped to target.hostname and target.asset.hostname.
TargetHandleId | target.resource.id | Directly mapped.
TargetLogonId | principal.resource.attribute.labels | Added to the principal.resource.attribute.labels array as a key-value pair with the key "TargetLogonId", only when it differs from SubjectLogonId.
TargetProcessId | target.process.pid | Directly mapped.
TargetUserName | target.user.userid | Directly mapped.
TargetUserSid | target.user.windows_sid | Directly mapped.
Task | additional.fields | Converted to a string; added to the additional.fields array as a key-value pair with the key "Task".
timestamp | metadata.event_timestamp | The seconds field is used to create a timestamp.
ts | metadata.event_timestamp | If ts is empty, it is built by combining tsDate, tsTime and tsTZ. If it contains "", the integer value is extracted. The result is parsed as a timestamp using several formats.
type | security_result.summary, metadata.product_event_type | Directly mapped from JSON logs; also used as eventSummary and metadata.product_event_type in some cases.
url | target.url, principal.url | Directly mapped.
url1 | target.url | Directly mapped.
user | target.user.group_identifiers | Merged into the target.user.group_identifiers array.
user_id | target.user.userid | Directly mapped.
UserID | principal.user.windows_sid | Directly mapped.
UserName | principal.user.userid | Directly mapped.
user_agent | network.http.user_agent | Directly mapped.
userId | target.user.userid | Directly mapped.
vap | additional.fields | Added to the additional.fields array as a key-value pair with the key "vap".
VirtualAccount | security_result.about.labels | Added to the security_result.about.labels array as a key-value pair with the key "VirtualAccount".
wiredLastSeen | security_result.detection_fields | Converted to a string; added to the security_result.detection_fields array as a key-value pair with the key "wiredLastSeen".
wiredMacs | intermediary.mac | Converted to lowercase and merged into the intermediary.mac array.
WorkstationName | principal.hostname, principal.asset.hostname | Directly mapped.

Changes

2024-03-19

  • Added a Grok pattern to map the sending device IP address to "intermediary.ip".

2024-02-06

  • Parsed logs where "eventSummary" is "cli_set_rad_parms" or "cli_set_rad_pmksa_parms".
  • Mapped "group" and "attr" to "additional.fields".

2023-12-26

  • Parsed logs containing "eventSummary" as "status changed" and "changed STP role".

2023-10-09

  • Set "sec_res.action" to "BLOCK" when "pattern" is in "1 all", "deny all", or "Group Policy Deny".
  • Set "sec_res.action" to "ALLOW" when "pattern" is in "0 all", "allow all", or "Group Policy Allow".

2023-07-19

  • Bug-Fix -
  • Added parsing for syslog logs of type "firewall" that were previously left unparsed.

2023-07-14

  • Enhancement -
  • For type "splash_auth", mapped "event_type" to "USER_LOGIN".
  • For types "device_packet_flood" and "packet_flood", mapped "event_type" to "GENERIC_EVENT".
  • For types "vpn_connectivity_change", "wpa_deauth" and "wpa_auth", mapped "event_type" to "STATUS_UPDATE".
  • Mapped "agent" to "network.http.parsed_user_agent".
  • If "protocol" == "47" then mapped "network.ip_protocol" to "GRE".
  • If "protocol" == "103" then mapped "network.ip_protocol" to "PIM".

2023-07-04

  • Enhancement -
  • Used key-value filters, instead of a Grok pattern, to parse the logs of type "urls", "firewall", "vpn_firewall".

2023-06-16

  • Enhancement -
  • Mapped "src" to "principal.ip"
  • Mapped "dst" to "target.ip"
  • Mapped "protocol" to "network.ip_protocol"
  • Mapped "sport" to "principal.port"
  • Mapped "dport" to "target.port"
  • Mapped "mac" to "principal.mac".
  • Mapped "pattern" to "security_result.description".

2023-06-09

  • Enhancement -
  • Mapped 'metadata.event_type' to 'USER_LOGOUT' when 'type' = '8021x_deauth'.
  • Mapped 'radio','vap','reason','is_8021x','instigator','band' to 'additional.fields' for 'type' = 'disassociation'.

2023-05-26

  • Enhancement -
  • For type "security_filtering_file_scanned" modified "metadata.event_type" from "STATUS_UPDATE" to "SCAN_FILE".
  • Added Grok pattern to parse syslog logs.
  • Mapped "ip" to "principal.ip"
  • Mapped "mac" to "principal.mac".

2023-03-03

  • Enhancement -
  • Added Grok pattern to parse logs which have the field "ip_flow_end".
  • Mapped "natsrcIp" to "principal.nat_ip".
  • Mapped "natsrcport" to "principal.nat_port".

2022-11-25

  • Enhancement -
  • Added support for unparsed JSON logs, network_dns query logs and failing syslog+kv_data logs.
  • Mapped "metadata.event_type" to RESOURCE_CREATION, FILE_UNCATEGORIZED, SETTING_MODIFICATION, NETWORK_UNCATEGORIZED, GROUP_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_TERMINATION, STATUS_UNCATEGORIZED, SYSTEM_AUDIT_LOG_UNCATEGORIZED, USER_LOGOUT, USER_LOGIN, RESOURCE_PERMISSIONS_CHANGE, or USER_RESOURCE_ACCESS based on "EventID" for JSON logs.
  • Mapped "DisabledPrivilegeList", "EnabledPrivilegeList" to "target.user.attribute.permissions".
  • Mapped "GroupMembership" to "target.user.group_identifiers".
  • Mapped "AccessList" to "target.resource.attribute".
  • Mapped "auth_mechanism" to "extensions.auth.mechanism".
  • Mapped "question" to "network.dns.questions".
  • Set "security_result.priority" based on "priority" value.
  • Mapped "RecordNumber" to "metadata.product_log_id".

2022-10-06

  • Enhancement -
  • Mapped "dvc" to "intermediary.hostname".
  • Mapped "eventType" to "metadata.product_event_type".
  • Mapped "pattern" to "security_result.action_details".
  • Mapped "principalMac" to "principal.mac".
  • Mapped "principalIp" to "principal.ip".
  • Added a null check for "dstIp" before mapping it to UDM.

2022-07-04

  • Enhancement -
  • When "protocol" is equal to "47" then set "protocol" to "GRE".
  • When "protocol" is equal to "50" then set "protocol" to "ESP".
  • Added kv block when "eventType" is equal to "events".
  • Mapped "identity" to "target.user.userid".
  • Mapped "last_known_client_ip" to "principal.ip".
  • When "eventSummary" is equal to "association":
    • Mapped "client_ip" to "principal.ip".
    • Mapped "client_mac" to "principal.mac".
    • Mapped "rssi" to "intermediary.asset.product_object_id".
    • Mapped "channel" to "security_result.detection_fields".
    • Mapped "aid" to "network.session_id".

2022-06-15

  • Enhancement -
  • Mapped "lastSeen", "firstSeen", "wiredLastSeen" to "security_result.detection_fields".
  • Mapped "wiredMacs" to "intermediary.mac".
  • Mapped "type" to "security_result.summary".
  • Mapped "description" to "security_result.description".
  • Mapped "deviceSerial" to "_target_hardware.serial_number".
  • Mapped "deviceName" to "target.hostname".
  • Mapped "ssidName", "clientId", "clientDescription" to "additional.fields".
  • Mapped "eventData.client_mac" to "principal.mac".
  • Mapped "eventData.identity" to "principal.hostname".
  • Mapped "eventData.aid" to "principal.asset_id".
  • Mapped "organizationId" to "principal.resource.id".
  • Mapped "eventData.group" to "principal.group.group_display_name".
  • Mapped "eventData.client_ip" to "principal.ip".
  • Mapped "occurredAt" to "metadata.event_timestamp".

2022-05-04

  • Enhancement - Added mapping for hostname.

2022-04-13

  • Enhancement - Added parsing of logs of JSON type.