Cisco Meraki Logs

Configure your Cisco Meraki to write all logs to a single file and to send logs to a Syslog server.

View more details on how to configure Meraki Syslog.

deb (Debian/Ubuntu/Mint)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.15.1-amd64.deb
sudo dpkg -i filebeat-oss-7.15.1-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.15.1-x86_64.rpm
sudo rpm -vi filebeat-oss-7.15.1-x86_64.rpm

macOS

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.15.1-darwin-x86_64.tar.gz 
tar xzvf filebeat-oss-7.15.1-darwin-x86_64.tar.gz

Windows

• Download the Filebeat Windows zip file from the official downloads page.
• Extract the contents of the zip file into C:\Program Files.
• Rename the filebeat-<version>-windows directory to Filebeat.
• Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
• Run the following commands to install Filebeat as a Windows service:

cd 'C:\Program Files\Filebeat'
.\install-service-filebeat.ps1`

deb/rpm /etc/filebeat/filebeat.yml
mac/win <EXTRACTED_ARCHIVE>/filebeat.yml

Configure the Meraki host path in the Filebeat configuration file.

filebeat.inputs:
- type: udp
  max_message_size: 10MiB
  host: "0.0.0.0:1200"

  fields:
    type: cisco-meraki
  fields_under_root: true
  encoding: utf-8
  ignore_older: 6h

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Let's check the configuration file is syntactically correct by running directly inside the terminal. If the file is invalid, will print an error loading config file error message with details on how to correct the problem.

deb/rpm

sudo  -e -c /etc//.yml

macOS

cd <EXTRACTED_ARCHIVE>
./ -e -c .yml

Windows

cd <EXTRACTED_ARCHIVE>
.\.exe -e -c .yml

deb/rpm

sudo systemctl enable filebeat
sudo systemctl start filebeat

mac

./filebeat

Windows

Start-Service filebeat

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Filebeat is the most popular way to send logs to ELK due to its reliability & minimal memory footprint. It is the leading Beat out of the entire collection of open-source shipping tools, including Auditbeat, Metricbeat & Heartbeat.

Filebeat's origins begin from combining key features from Logstash-Forwarder & Lumberjack & is written in Go. Within the logging pipeline, Filebeat can generate, parse, tail & forward common logs to be indexed within Elasticsearch. The harvester is often compared to Logstash but it is not a suitable replacement & instead should be used in tandem for most use cases.

Earlier versions of Filebeat suffered from a very limited scope & only allowed the user to send events to Logstash & Elasticsearch. More recent versions of the shipper have been updated to be compatible with Redis & Kafka.

A misconfigured Filebeat setup can lead to many complex logging concerns that this filebeat.yml wizard aims to solve. Just a couple of examples of these include excessively large registry files & file handlers that error frequently when encountering deleted or renamed log files. Tracking numerous pipelines using this shipper can become tedious for self hosted Elastic Stacks so you may wish to consider our Hosted ELK service as a solution to this.

If you need any further assistance with migrating your log data to ELK we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.