Cisco Meraki Logs

Ship logs from Cisco Meraki to Logstash

Follow the steps below to send your observability data to Logit.io

Logs

Filebeat is a lightweight shipper that enables you to send your Cisco Meraki logs to Logstash and Elasticsearch. Configure Filebeat using the pre-defined examples below to start sending and analysing your Meraki logs.

Install Integration

Please click on the Install Integration button to configure your stack for this source.

Configure Syslog Server

Configure your Cisco Meraki to write all logs to a single file and to send logs to a Syslog server.

View more details (opens in a new tab) on how to configure Meraki Syslog.

Install Filebeat

To get started you will need to install filebeat. To do this you have two main options:

Choose the filebeat (opens in a new tab) ZIP file (Windows ZIP x86_64) or
Choose the Microsoft Software Installer MSI (opens in a new tab) file (Windows MSI x86_64 (beta))

To successfully install filebeat and set up the required Windows service you will need to have administrator access.

If you have chosen to download the zip file:

Extract the contents of the zip file into C:\Program Files.
Rename the extracted folder to filebeat
Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
From the PowerShell prompt, run the following commands to install filebeat as a Windows service:

cd 'C:\Program Files\filebeat'

.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here (opens in a new tab).

If you have chosen to download the filebeat.msi file:

double-click on it and the relevant files will be downloaded.

At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.

Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:

.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here (opens in a new tab).

The default configuration file is located at:
C:\Program Files\filebeat\filebeat.yml

Locate the configuration file

/etc/filebeat/filebeat.yml

Configure Filebeat.yml

The configuration file below is pre-configured to send data to your Logit.io Stack.

Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at /etc/filebeat/filebeat.yml

filebeat.yml

####################### Logit.io Filebeat Configuration ########################
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: udp
  max_message_size: 10MiB
  host: "0.0.0.0:514"
  enabled: true
 
  fields:
    type: ciscomeraki
  fields_under_root: true
  encoding: utf-8
  ignore_older: 12h
 
# ================================== Outputs ===================================
output.logstash:
  hosts: ["@logstash.host:@logstash.sslPort"]
  loadbalance: true
  ssl.enabled: true

It's a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com (opens in a new tab) is a great choice.

Validate Configuration

In the directory where Filebeat is installed, run the following command to validate the installation:

.\@beatname.exe test config -c @beatname.yml

If the yml file is invalid, @beatname will print a description of the error. For example, if the output.logstash section was missing, @beatname would print no outputs are defined, please define one under the output section

Start filebeat

To start Filebeat, run in Powershell:

Start-Service filebeat

How to diagnose no data in Stack

If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.

Launch OpenSearch Dashboards to View Your Data

Launch OpenSearch Dashboards

Cisco Meraki Logging Overview

Meraki devices generate logs that record various events and activities that occur on the network. These logs are used to monitor network performance, troubleshoot issues, and identify security threats.

Here are some common types of logs generated by Meraki devices:

System Logs: These logs record system-level events such as device startup, shutdown, and configuration changes.

Traffic Logs: These logs record details about network traffic such as source and destination IP addresses, protocols, and ports.

Security Logs: These logs record security-related events such as intrusion attempts, malware detections, and VPN connections.

Wireless Logs: These logs record wireless-specific events such as client associations, disassociations, and authentication failures.

Switch Logs: These logs record switch-specific events such as port status changes, VLAN assignments, and link failures.

Meraki devices provide real-time visibility into network activity through the dashboard, which can be used to search and filter logs based on various criteria such as time range, device, event type, and severity. The logs can also be exported for further analysis or integration with third-party tools.

Cisco Firepower ClickHouse