Configure Cisco Meraki Collector

The Alert Logic Cisco Meraki collector is designed to enable Alert Logic to run our common firewall analytics on data from your Meraki devices. These analytics identify suspicious communication with internet hosts which Alert Logic considers threat actors. Significant security findings from your Cisco Meraki devices will result in the creation of incidents that can be managed in the Alert Logic console.

Alert Logic accepts data exported in syslog format from individual Cisco Meraki devices, as outlined below.

Data Type: Flows
  MDR Value:
    • Detection of suspicious communication with internet hosts that Alert Logic considers threat actors
  Additional Value:
    • Threat hunting
    • Automatic response
    • Investigation

Data Type: Security Events
  Notes: Cisco Meraki Security Events provide limited information about the cause of the alert. For increased visibility, Alert Logic recommends also collecting network traffic using an Alert Logic agent.

Data Type: Other data
  Additional Value:
    • Investigation

You must complete the following to send data from your Cisco Meraki device(s) to Alert Logic:

  1. Download and install the remote collector
  2. Configure Cisco Meraki device
  3. Verify log collection

For more information about syslog configuration in Cisco Meraki, refer to Cisco’s Syslog Server Overview and Configuration documentation.

Download and install the remote collector

To send data from your Cisco Meraki device(s) to Alert Logic, you must first download and install the remote collector in the same network as the Cisco Meraki device(s).

To download and install the remote collector:

  1. Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
  2. Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the Cisco Meraki device(s).
  3. While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the Cisco Meraki device.

Configure Cisco Meraki device

Once the remote collector is installed, the Cisco Meraki device needs to be configured to send data to the collector.

To configure the Cisco Meraki device:

  1. Log in to the Cisco Meraki Dashboard and navigate to Network-wide > Configure > General.
  2. Click Add a syslog server.
  3. In the Server IP field, enter the IP address of the remote collector (noted in step 3 of Download and install the remote collector).
  4. In the Port field, enter 1515.
  5. From the listed roles, select Security events, Flows, and URL.

    You may select additional roles to send more data to Alert Logic to use in investigations; however, only the roles listed above are needed to generate security findings.

  6. Click ADD. Wait a few minutes for the application to be created and to appear in your application list. Do not click ADD again.

In the Applications List tab, if you configured your application correctly, within approximately 10 minutes you will see Configured next to the application. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.

Verify log collection

Once you have installed the remote collector and configured the Cisco Meraki device, it is recommended to verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.

  1. Log in to the Alert Logic console and use one of the following links to access the Search console with criteria already entered:
  2. Uncomment either of the two commented lines with SQL parameters and replace either $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the remote collector.
  3. Click Search.
  4. Verify logs display for the remote collector.
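As an added example that is not part of the Alert Logic documentation, the following Python script checks a sample of syslog lines received on the collector host (for instance, lines captured on port 1515 before the collector forwards them) and reports whether the three roles this page requires (Security events, Flows, URL) are actually arriving. The Meraki line shape ("epoch device role key=value ...") and the role tokens flows, urls and security_event are assumptions, as are the sample lines.

```python
import re
from collections import Counter

# Roles the page says must be enabled on the Meraki syslog server entry,
# keyed by the role token assumed to appear in each Meraki syslog line.
REQUIRED_ROLES = {"security_event": "Security events", "flows": "Flows", "urls": "URL"}

# Assumed Meraki line shape: "<epoch> <device name> <role> <key=value ...> [free text]"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<role>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one Meraki syslog line, or None if it does not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "device": m.group("device"), "role": m.group("role")}
    rec["fields"] = dict(KV_RE.findall(m.group("rest")))  # src=, dst=, protocol=, ...
    return rec


def check_roles(lines):
    """Count lines per role, collect device names, and list required roles with no lines."""
    seen = Counter()
    devices = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            seen["unparsed"] += 1  # unexpected format: worth a look before trusting the feed
            continue
        seen[rec["role"]] += 1
        devices.add(rec["device"])
    missing = [name for token, name in REQUIRED_ROLES.items() if seen[token] == 0]
    return {"counts": dict(seen), "devices": sorted(devices), "missing": missing}


# Constructed sample lines in the assumed format; not real captured data.
SAMPLE = """\
1700000000.123 MX-branch flows src=10.0.0.5 dst=203.0.113.9 mac=00:11:22:33:44:55 protocol=tcp sport=51234 dport=443 pattern: allow all
1700000001.456 MX-branch urls src=10.0.0.5:51235 dst=203.0.113.9:80 mac=00:11:22:33:44:55 request: GET http://example.test/
1700000002.789 MX-branch events type=vpn_connectivity_change peer_contact=198.51.100.7:9350 connectivity=true
this line is not a Meraki syslog record
"""

if __name__ == "__main__":
    report = check_roles(SAMPLE.splitlines())
    print(report)  # the sample deliberately omits security events, so "missing" lists them
```

Replace SAMPLE with lines from your own capture; a non-empty "missing" list means the role was not selected in step 5 of Configure Cisco Meraki device or the device has not yet generated that kind of event.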