Configure Cisco Meraki Collector

The Alert Logic Cisco Meraki collector is designed to enable Alert Logic to run our common firewall analytics on data from your Meraki devices. These analytics identify suspicious communication with internet hosts which Alert Logic considers threat actors. Significant security findings from your Cisco Meraki devices will result in the creation of incidents that can be managed in the Alert Logic console.

You can collect log data in two ways:

  • Central API collection

  • Remote syslog collection

Different information is available in each of these sources. Central API collection provides administrative logging and is most useful for threat hunting and correlation. Remote syslog collection is required for flow logs, which provide details about communication by end-user devices on your network. Alert Logic recommends using both collection methods for maximum security findings.

Setting up the API collector

You must complete the following to set up log collection from Cisco Meraki using its API.

  1. Set up API access
  2. Configure API collection from the Alert Logic console
  3. Verify API log collection

To complete these steps, you must have access to a Cisco Meraki Dashboard account with administrative privileges.

Set up API access

To set up API collection, you need to enable API access and then generate an API key from the Cisco Meraki Dashboard.

To enable API access and generate an API key:

  1. Log in to your Cisco Meraki Dashboard account.

    You need to have access to organizational level administrative privileges.

  2. Identify and note the Organization ID at the bottom of the page.
  3. Navigate to Organization > Settings.
  4. Under Dashboard API access, select the check box to enable access to the Cisco Meraki Dashboard API.
  5. Navigate to My Profile.
  6. Under API access, click Generate new API key.

For more information on how to use the API to retrieve network events, refer to the Cisco Meraki Dashboard API documentation. Make sure to include your API key in the request headers for authentication.

Configure API collection from the Alert Logic console

After you obtain the Cisco Meraki API key and the Organization ID, you must complete the log collection process in the Alert Logic console. This configuration is an organization-level integration, which means you can configure more than one instance of Cisco Meraki collection. This capability is useful when more than one instance of the Cisco Meraki application exists in your organization.

To access the Application Registry page, click the menu icon (). Click Configure, and then click Application Registry.

To add a new application collection:

  1. In the Application Registry, click the Cisco tile, and then click Cisco Meraki.
  2. In Application Name, enter a new name for this Cisco Meraki collection instance.
  3. Under Collection Method and Policy, in Cisco Meraki Domain, enter the Cisco Meraki domain location. In Organization ID, enter the Organization ID you noted earlier.
  4. In Meraki API Key, enter the API key you noted earlier.
  5. Under Product Types Names, select which Cisco Meraki product types you want to poll.
  6. (Optional) Enter a Collection Start time using a format such as 2020-01-01T16:00:00Z. If the Collection Start field is left blank, only logs generated after you configure this collection instance will be collected.

    The collection start time determines how far back you want Alert Logic to collect logs if data already exists in your account, Alert Logic can only collect logs up to 30 days prior to the date you configured this collection instance.

  7. Click ADD. Wait a few minutes for the application to create and appear in your application list. Do not click ADD again.

In the Applications List tab, if you configured your application correctly, within approximately 10 minutes you will see Configured next to the application. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.

Validate API log collection

Once you have configured the API collection, it is recommended to verify that log collection is successful. It may take up to approximately 10 minutes for Alert Logic to begin receiving logs.

  1. In the Application Registry, click Configured Applications.
  2. Click the collector you created.
  3. Click View Logs. The Search console will display, with a query for these logs.
  4. Click Search.
  5. Verify logs display for the remote collector.

Setting up the remote syslog collector

You must complete the following to send data from your Cisco Meraki device(s) to Alert Logic:

  1. Download and install the remote collector
  2. Configure Cisco Meraki device
  3. Verify log collection

For more information about syslog configuration in Cisco Meraki, refer to Cisco’s Syslog Server Overview and Configuration documentation.

Alert Logic accepts data exported in syslog format from individual Cisco Meraki devices, as outlined below.

Data Type MDR Value Additional Value Notes
Flows
  • Detection of suspicious communication with internet hosts that Alert Logic considers threat actors
  • Threat hunting
  • Automatic response
  • Investigation
 
Security Events Cisco Meraki Security Events provide limited information about the cause of alert. For increased visibility, Alert Logic recommends also collecting network traffic using an Alert Logic agent.
Other data
  • Investigation
 

Download and install the remote collector

To send data from your Cisco Meraki device(s) to Alert Logic, you must first download and install the remote collector in the same network as the Cisco Meraki device(s).

To download and install the remote collector:

  1. Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
  2. Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the Cisco Meraki device(s).
  3. While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the Cisco Meraki device.

Configure Cisco Meraki device

Once the remote collector is installed, the Cisco Meraki device needs to be configured to send data to the collector.

To configure the Cisco Meraki device:

  1. Log in to the Cisco Meraki Dashboard and navigate to Network-wide > Configure > General.
  2. Click Add a syslog server.
  3. In the Server IP field, enter the IP address of the remote collector (noted in step 3 of Download and install the remote collector.)
  4. In the Port field, enter 1515.
  5. From the listed roles, select Security events, Flows, and URL.

    You may select additional roles to send more data to Alert Logic to use in investigations; however, only the roles listed above are needed to generate security findings.

  6. Click ADD. Wait a few minutes for the application to create and appear in your application list. Do not click ADD again.

In the Applications List tab, if you configured your application correctly, within approximately 10 minutes you will see Configured next to the application. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.

Verify log collection

Once you have installed the remote collector and configured the Cisco Meraki device, it is recommended to verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.

  1. Log in to the Alert Logic console and use one of the following links to access the Search console with criteria already entered:
  2. Uncomment either of the two commented lines with SQL parameters and replace either $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the remote collector.
  3. Click Search.
  4. Verify logs display for the remote collector.