
Cisco Meraki (Log collector)

You must have the "Firewall" integrations license pack to use this feature.

Note

An API-based integration of Cisco Meraki is also available. See Cisco Meraki (API).

You can integrate Cisco Meraki with Sophos Central so that it sends data to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they are called a data collector. The data collector receives third-party data and sends it to the Sophos Data Lake.

Note

You can add multiple Cisco Meraki firewalls to the same data collector.

To do this, set up your Cisco Meraki integration in Sophos Central, then configure one firewall to send logs to it. Then configure your other Cisco Meraki firewalls to send logs to the same Sophos data collector.

You don't have to repeat the Sophos Central part of the setup.

The key steps to add an integration are as follows:

  • Add an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your data collector.
  • Configure Meraki to send data to the data collector.

Requirements

Data collectors have system and network access requirements. To check that you meet them, see Data collector requirements.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center and click Integrations.
  3. Click Cisco Meraki.

    If you've already set up connections to Meraki, you see them here.

  4. In Integrations, click Add.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration setup steps appears.

Configure the VM

In Integration setup steps you configure your VM to receive data from Meraki. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.
  2. Enter a name and description for the data collector.

    If you've already set up a data collector integration you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure Meraki to send data to your data collector.

  6. Select a Protocol.

    You must use the same protocol when you configure Meraki to send data to your data collector.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the data collector. You'll need this later when you configure Meraki to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure Cisco Meraki

To configure Meraki to send data to your data collector, do as follows:

  1. Sign in to the Meraki Dashboard.
  2. Click Network-wide > Configure > General.
  3. Scroll down to Reporting and click Add a syslog server.
  4. Enter the following connection details for your data collector:

    • IP address. This is the syslog IP address you set in Sophos Central.
    • Port number.

      You must enter the same settings you entered in Sophos Central when you added the integration.

  5. Add the following roles to configure the data sent to your data collector:

    • Event logs for the services running on your devices. For example, Security events and Appliance event log.
    • Flows. These are traffic flow messages that include source and destination information, and port numbers.
    • IDS Alerts. These are alerts from the intrusion detection system.

  6. In You have unsaved changes, click Save.

If the Flows role is enabled on an MX security appliance, logging for individual firewall rules can be turned on or off on the Security appliance > Configure > Firewall page, in the Logging column.
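
The syslog IP address, port and protocol must match on both sides, so a path check from a host on the firewall's network segment is worth running once the settings are saved. The script below is an added example, not Sophos or Cisco code: it sends one RFC 5424 test line with the chosen protocol and reports what can and cannot be confirmed. The function names, the "udp"/"tcp" protocol labels, newline framing for TCP, and the address and port in the last block are assumptions or placeholders; use the values from your integration details.

```python
import socket
from datetime import datetime, timezone

def build_syslog(hostname, text, facility=16, severity=6):
    """Build an RFC 5424 test line. PRI = facility * 8 + severity (local0.info = 134)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = facility * 8 + severity
    return f"<{pri}>1 {ts} {hostname} path-check - - - {text}".encode()

def send_test(collector_ip, port, protocol, payload, timeout=2.0):
    """Send one message with the protocol selected in Sophos Central.

    Returns (ok, detail). TCP proves the port accepted a connection.
    UDP has no handshake, so success only means nothing refused the datagram.
    """
    family = socket.AF_INET6 if ":" in collector_ip else socket.AF_INET
    kind = {"udp": socket.SOCK_DGRAM, "tcp": socket.SOCK_STREAM}[protocol.lower()]
    try:
        with socket.socket(family, kind) as s:
            s.settimeout(timeout)
            s.connect((collector_ip, port))
            if kind == socket.SOCK_STREAM:
                # Assumption: newline-terminated framing for syslog over TCP.
                s.sendall(payload + b"\n")
                return True, "TCP connection accepted and message written"
            s.send(payload)
            try:
                # No reply is expected. Waiting briefly lets an ICMP
                # "port unreachable" surface as ConnectionRefusedError.
                s.recv(1)
            except socket.timeout:
                pass
            return True, "UDP datagram sent; delivery unconfirmed, check the collector side"
    except OSError as exc:
        return False, f"{protocol.upper()} to {collector_ip}:{port} failed: {exc}"

if __name__ == "__main__":
    # Placeholders: replace with the syslog IP address, port and protocol
    # shown for your data collector in Sophos Central.
    COLLECTOR_IP, COLLECTOR_PORT, PROTOCOL = "192.0.2.10", 514, "udp"
    msg = build_syslog("meraki-path-check", "constructed test message")
    ok, detail = send_test(COLLECTOR_IP, COLLECTOR_PORT, PROTOCOL, msg)
    print("OK" if ok else "FAIL", detail)
```

A failure with TCP usually points to a port or protocol mismatch or a blocking ACL between the firewall segment and the data collector; a UDP "sent" result still needs confirmation that data appears for the integration in Sophos Central.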

More resources

This video takes you through setting up the integration.

For more information on configuring syslog servers on Meraki devices, refer to the Cisco documentation. See Syslog Server Overview and Configuration.