Tags beginning with network.meraki identify log events generated by Cisco Meraki network security products.
Meraki has no facility for applying a Devo tag to its syslog output, so the events should be forwarded to a Devo Relay, which applies the tag before sending them on to Devo.
The full tag must have at least three levels. The first two are fixed as network.meraki. The third level identifies the log event type and must be one of events, flows, ids-alerts, urls, or airmarshal_events. A fourth level is optional.
Therefore, the valid tags are:
- network.meraki.events
- network.meraki.flows
- network.meraki.ids-alerts
- network.meraki.urls
- network.meraki.airmarshal_events
Once stored in Devo, the events of each type are held in the data table that corresponds to its tag.
For more information, read more about Devo tags.
Devo Relay rule
You will need to define a type-4 relay rule that identifies the event type from the event's content and applies the corresponding tag. The rule selects events by the port they were received on and by whether they match a format defined by a regular expression.
When the source conditions are met, the relay applies a tag that begins with network.meraki. The regular expression in the Source Data field describes the format of the event data and isolates the event type in a capturing group. The value of that group is extracted from the event and used as the third level of the tag.
Define the rule using the following values (the port number can be any free port on your relay):
- Source Port → 13005
- Source Data → ^[^ ]+ [^ ]+ ([^ ]+) .*
- Target Tag → network.meraki.\D1
- Target Message → \D0
- Check the Stop Processing and Send without tag checkboxes
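To see what the rule above actually does to a Meraki event before it reaches Devo, here is an added Python simulation of the rule (example code written for this page, not Devo's relay implementation). It applies the Source Data expression, builds the Target Tag from capture group 1 (\D1) and the Target Message from the whole match (\D0), and then checks the resulting third level against the five event types the page allows. The sample lines are constructed in Meraki's `<epoch> <device name> <event type> <details>` layout with documentation IP addresses; the function names `apply_relay_rule`, `is_supported_tag` and `route_lines` are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Allowed values for the third tag level, as listed on this page.
MERAKI_EVENT_TYPES = {"events", "flows", "ids-alerts", "urls", "airmarshal_events"}

TAG_PREFIX = "network.meraki"

# The relay rule's Source Data expression: fields 1 and 2 are the epoch
# timestamp and device name, group 1 is the event type, the rest is detail.
SOURCE_DATA_RE = re.compile(r"^[^ ]+ [^ ]+ ([^ ]+) .*")

# Constructed sample events (not captured from a real device); one per type,
# plus two lines that exercise the rule's failure modes.
SAMPLE_LINES = [
    "1379529976.924390000 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='198.51.100.9:51856' connectivity='false'",
    "1380664922.112012000 MX84 flows src=192.0.2.254 dst=192.0.2.1 mac=00:18:0A:3F:B3:E0 protocol=udp sport=40324 dport=161 pattern: allow all",
    "1377449842.514782056 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=203.0.113.132:80",
    "1374543213.342000000 MX84 urls src=192.0.2.186:63735 dst=203.0.113.40:80 mac=58:1F:AA:CE:61:F2 request: GET https://example.com/",
    "1374543214.001000000 MR32 airmarshal_events type=rogue_ssid_detected ssid='' bssid='02:18:5A:AE:56:00' channel='157' rssi='21'",
    "this line does not follow the Meraki layout",  # four+ fields, so the regex still matches
    "MX84 events",                                   # too few fields, so the regex does not match
]


def apply_relay_rule(line: str) -> Tuple[Optional[str], str]:
    """Mimic the type-4 rule: return (tag, message).

    tag is None when the line fails Source Data; with "Send without tag"
    checked the relay would forward such a line untagged.
    """
    m = SOURCE_DATA_RE.match(line)
    if m is None:
        return None, line
    event_type = m.group(1)                 # \D1
    tag = f"{TAG_PREFIX}.{event_type}"      # Target Tag → network.meraki.\D1
    message = m.group(0)                    # Target Message → \D0 (the whole match)
    return tag, message


def is_supported_tag(tag: str) -> bool:
    """True only if the tag is network.meraki.<one of the five event types>[.<extra>]."""
    parts = tag.split(".")
    return (
        len(parts) >= 3
        and parts[0] == "network"
        and parts[1] == "meraki"
        and parts[2] in MERAKI_EVENT_TYPES
    )


def route_lines(lines: List[str]) -> List[Tuple[str, Optional[str], bool]]:
    """Run every line through the rule; report (line, tag, tag-is-supported)."""
    results = []
    for line in lines:
        tag, _message = apply_relay_rule(line)
        results.append((line, tag, tag is not None and is_supported_tag(tag)))
    return results


if __name__ == "__main__":
    for line, tag, ok in route_lines(SAMPLE_LINES):
        status = "ok" if ok else ("untagged" if tag is None else "UNKNOWN TYPE")
        print(f"{status:13} {tag!s:40} {line[:50]}")
```

Two things the run makes visible. First, the expression only requires four space-separated fields, so any line that is long enough gets a tag, whatever its third field is; a tag such as network.meraki.does would be accepted by the relay but does not correspond to one of the five tables, so confirm the third field with a captured sample from your own devices before relying on the rule. Second, the third field is only the event type if the relay hands the rule the message body starting at the timestamp; if the syslog header were still present the capture group would shift one field to the left, which is why a quick test against real traffic on the chosen port is worth doing.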
Configure log forwarding from Meraki
Meraki offers more than one way to send output to a syslog server. Consult the vendor documentation for instructions, and point the syslog destination at the Devo Relay's IP address and the port specified in the relay rule.
If your environment has multiple MX devices connected by a site-to-site VPN, and logging goes to a Devo Relay outside the VPN, create a site-to-site firewall rule that permits the outbound traffic to the relay. Consult the vendor documentation for instructions on creating an outbound traffic rule. In this rule, the Source should be the Internet 1 port address of the sending device, the Destination should be the IP address of the Devo Relay, and the Dst Port should be the port specified in the Devo Relay rule.