Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

Overview

We are providing you with the steps to integrate your  Cisco Meraki  with Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log and Netflows forwarding.

Steps of Configuration

Netflow Redirection

NetFlow can be configured in Dashboard on the Network-wide > Configure > General page. NetFlow configuration settings are found under the Reporting header, with the following options: 

  • NetFlow traffic reporting
    • A drop-down menu to enable or disable NetFlow functionality
  • NetFlow collector IP
    • This configuration option only appears if NetFlow traffic reporting is set to "Enabled: send netFlow traffic statistics"
    • Used to configure the IPv4 address of the NetFlow collector
  • NetFlow collector port
    • This configuration option only appears if NetFlow traffic reporting is set to "Enabled: send netFlow traffic statistics"
    • Used to configure the UDP port 9995( that is the port OTM CCE will be listening on).

Reference:  https://documentation.meraki.com/MX/Monitoring_and_Reporting/NetFlow_Overview

Syslog Redirection

Syslog servers can be defined in the Dashboard from Network-wide > Configure > General.

Click the Add a Syslog server link to define a new server.  The CCE IP address, UDP port number, 514 and the roles(you may say something like "Seceon CCE") to send to the server need to be defined.  Multiple syslog servers can be configured.

If the Flows the role is enabled on an MX security appliance, logging for individual firewall rules can be enabled/disabled on the Security appliance > Configure > Firewall page, under the Logging column:


Reference: https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration


VERIFICATION OF CONFIGURATION

Verification can be done either from CCE Server or from UI.

Using UI

STEP1: Login to UI >> SYSTEM>> LOGS AND FLOWS COLLECTION STATUS .

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.


Using CCE SERVER

sudo tcpdump -i any host 514 (for logs) and 9995 (for flows) and host <IP address> -AAA” command should be running on the CCE server to check whether or not we are getting logs.



  • No labels