firewall.meraki

The logs from a Meraki firewall are marked with the firewall.meraki.type.subtype tag.

The Meraki firewall can be configured to report its logs to a remote syslog server, and you can specify the destination port and syslog facility. Since the logs can't be sent via TCP or tagged at the source, they are sent to an In-house Relay that tags them as firewall.meraki.type.subtype and forwards them to Devo.

Tag structure

The elements type and subtype are fixed and identify the type and format of the event being sent. They can take one of the following values, corresponding to the different log types:

  • firewall.meraki.flows
  • firewall.meraki.urls
  • firewall.meraki.events
  • firewall.meraki.ids-alerts

For more information on how tags work, please check the Introduction to tags article.

In-house Relay configuration

The first step is to install an In-house Relay so that the logs can be tagged correctly.

Then define a new rule so that all events arriving on the chosen port (e.g. port 13003/udp) are tagged as firewall.meraki.type.subtype.

  • This rule also appends the corresponding type.subtype to firewall.meraki depending on the nature of each event.
  • That information is extracted from the message with a regular expression, and the captured value is used to build the final tag for each event.

To create the rule use the following fields:

  • Source Port → 13003
  • Source Data → ^[^ ]+ [^ ]+ ([^ ]+) .*
  • Target Tag → firewall.meraki.\D1
  • Target Message → \D0
  • Check the following boxes:
    • Stop Processing
    • Send without tag

  • Apply the new settings.
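As an added example (not Devo's or Meraki's own code), the following Python script applies the rule above to a few constructed Meraki-style syslog lines and shows which tag each one would receive, so you can check the regular expression before deploying it. It assumes the regex is applied to the message text exactly as written in the Source Data field; the sample lines, the device name MX84 and the security_event line are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# "Source Data" regex from the relay rule: Meraki writes
# "<timestamp> <device> <type> <body>", so capture group 1 is the log type.
SOURCE_DATA = re.compile(r"^[^ ]+ [^ ]+ ([^ ]+) .*")

TAG_PREFIX = "firewall.meraki"  # Target Tag = firewall.meraki.\D1, Target Message = \D0

# The four subtypes documented above; anything else is worth flagging rather than silently ingesting.
KNOWN_SUBTYPES = {"flows", "urls", "events", "ids-alerts"}


def classify(message: str) -> Tuple[Optional[str], bool]:
    """Return (tag, known) where tag is what the rule assigns (None if the regex does
    not match) and known says whether the subtype is one of the documented four."""
    m = SOURCE_DATA.match(message)
    if m is None:
        return None, False
    subtype = m.group(1)
    return f"{TAG_PREFIX}.{subtype}", subtype in KNOWN_SUBTYPES


def route(lines: List[str]) -> Dict[Optional[str], List[str]]:
    """Group messages by the tag the relay would apply; unmatched lines go under None."""
    buckets: Dict[Optional[str], List[str]] = {}
    for line in lines:
        tag, _known = classify(line)
        buckets.setdefault(tag, []).append(line)
    return buckets


# Constructed sample messages in the Meraki layout (not captured from a real device).
SAMPLE_LINES: List[str] = [
    "1380664923.871908067 MX84 flows src=192.168.1.186 dst=8.8.8.8 protocol=udp sport=55719 dport=53 pattern: allow all",
    "1380664930.112233445 MX84 urls src=192.168.1.186:63735 dst=93.184.216.34:80 request: GET http://example.com/",
    "1380664941.000000001 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' connectivity='true'",
    "1380664952.500000000 MX84 ids-alerts signature=1:2000000:1 priority=1 direction=ingress src=203.0.113.5:4444 dst=192.168.1.20:80",
    # A type outside the documented list: the rule still tags it, so it should be reviewed.
    "1380664960.000000000 MX84 security_event ids_alerted signature=1:2000000:1 priority=1",
    # Only three tokens and no body: the regex requires a space after the type, so no match.
    "1380664970.000000000 MX84 flows",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        tag, known = classify(line)
        print(f"{str(tag):34} known={known!s:5} {line[:60]}")
```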

Meraki configuration

Syslog servers can be defined in the Dashboard area from:

  • MX Security Appliance → Configure → Alerts and administration → Logging
  • MX Access Points → Configure → Network-wide settings → Logging

  • Click Add a syslog server to define a new server.
  • Set up the IP address, the UDP port number (e.g. 13003) and the roles to send to the In-house Relay.

If the environment has multiple MX devices using site-to-site VPN, and logging goes to an In-house Relay on the remote side of the VPN, a site-to-site firewall rule is required. It is created from the Configure → Site-to-site VPN → Organization-wide settings → Add a rule area.

  • The source IP address must be the Internet port 1 address of the MX that sends the syslog messages to the In-house Relay.
  • The destination IP address is the IP address of the In-house Relay. Set the destination port number to the port on which the In-house Relay receives the events (e.g. 13003).
