Cisco Meraki

The IBM QRadar DSM for Cisco Meraki collects Syslog events from a Cisco Meraki device.

To integrate Cisco Meraki with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the Cisco Meraki DSM RPM on your QRadar Console.
  2. Configure your Cisco Meraki device to send Syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add a Cisco Meraki log source on the QRadar Console. The following table describes the parameters that require specific values to collect Syslog events from Cisco Meraki:
    Table 1. Cisco Meraki Syslog log source parameters
    Parameter | Value
    --- | ---
    Log Source type | Cisco Meraki
    Protocol Configuration | Syslog
    Log Source Identifier | The IPv4 address or host name that identifies the log source. If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

    Tip: Cisco Meraki does not send events with RFC3164 or RFC5424 headers. As a result, log sources are automatically discovered with the packet IP of the event as the log source identifier, instead of the host name or IP address that is in the header. Use the Syslog redirect protocol to use the value in the header instead of the value in the packet IP. For more information, see the QRadar: Syslog Redirect Protocol FAQ documentation on the support website (https://www.ibm.com/support/pages/qradar-syslog-redirect-protocol-faq).
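
The following is an added example, not IBM or Cisco code: a simplified model of the behaviour the tip describes, which checks captured syslog payloads for an RFC3164 or RFC5424 header and reports which events would be identified by packet IP. The function names, the sample events, and the epoch-timestamp shape of the headerless line are assumptions constructed for illustration, and the regular expressions are not QRadar's own parser.

```python
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ")
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME ... (TIMESTAMP is RFC 3339 or "-")
RFC5424 = re.compile(
    r"^<\d{1,3}>\d{1,2} "
    r"(?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(\S+) "
)

def classify(payload):
    """Return (format name, header host name or None) for one syslog payload."""
    for name, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        match = pattern.match(payload)
        if match:
            return name, match.group(1)
    return "no-standard-header", None

def uses_packet_ip(payload):
    """True when no usable header host exists ("-" is the RFC 5424 nil value)."""
    return classify(payload)[1] in (None, "-")

def log_source_identifier(packet_ip, payload):
    """Simplified model: header host if present, otherwise the packet source IP."""
    return packet_ip if uses_packet_ip(payload) else classify(payload)[1]

def keyed_by_packet_ip(events):
    """Filter (packet_ip, payload) pairs down to those identified by packet IP."""
    return [(ip, payload) for ip, payload in events if uses_packet_ip(payload)]

# Constructed sample events (documentation addresses, not captured traffic).
SAMPLE_EVENTS = [
    ("192.0.2.10", "<134>Oct 11 22:14:15 fw-branch-01 constructed event text"),
    ("192.0.2.10", "<134>1 2024-05-01T12:00:00.123Z fw-branch-02 app - - - constructed event text"),
    ("192.0.2.10", "<134>1 1714564800.123456789 constructed event text"),  # no valid header
]

if __name__ == "__main__":
    for ip, payload in SAMPLE_EVENTS:
        print(classify(payload)[0], "->", log_source_identifier(ip, payload))
```

Events that this check reports as identified by packet IP are the ones where the Log Source Identifier should be reviewed.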