Security

Configure Splunk for Meraki MX

Let's take a look at how to Configure Splunk for Meraki MX firewall appliance to gather data from the device for security events.

In looking at firewall upgrades for home lab and network, I have been taking a look at a variety of firewalls. ย Recently, I was able to getย my hands on a Meraki MX64 to try out. ย Just a note here, I am going to prepare another post on my thoughts of the Meraki security appliance – likes and dislikes. ย One thing became especially clear to me that a con I will mention here is the lack of built in logging visibility from the Meraki cloud interface. ย Many suggested that syslog was the only answer here. ย I of course looked to Splunk as a known that I had used in the past. ย Let’s take a look at how to configure Splunk for Meraki MX firewall logging.

Configure Splunk for Meraki MX

First things first, the install of Splunk is very easy to get up and running on a Linux box and literally takes minutes from install to logging into the Splunk web interface.

Pull down the latest version of Splunk from the website. ย You can pull down the Enterprise version which will operate for 30 days and then transition over to the free version which has limits on amount of data and indexing that can be done. ย For home use, you most likely won’t hit those limits.

After installing the flavor of Linux you want to use – in this case using Ubuntu 16.04, copy over the installation file (.deb) for Ubuntu to the Linux box/VM. ย I simply copied over to the /tmp folder.

Run the command below to install replacing the exact filename. ย Here I am installing version 6.5.1

sudo dpkg -i tmp/splunk-6.5.1-xxxxxx-linux-2.6-amd64.deb

Below are a few of the screenshots during the installation process.

splunk01

Very quickly you get to the message that the web interface is already available.

splunk02
You will be prompted to change the default password which out of the box isย adminย changeme.

splunk03
Changing the password.

splunk04

Setting up Splunk

We need to add a data input listener for Splunk on the port we want to use to send across from our Meraki environment.

merakisplunk08

Here I used portย 1514 but this can be any port you choose that is available.

merakisplunk09

To send log data from Meraki to your Splunk server, you enable and add your syslog server inย Network-wide >> General >> Reporting >> Syslog servers. ย You can enable certain roles to send different types of data. ย Below I have mainly all the roles available for the MX appliance.

 

merakisplunk07

After adding the syslog server pointing to my Splunk installation with aย sourcetype set toย meraki, I started seeing data come in.

merakisplunk01

Splunk Meraki App

Splunk these days is very modular with the ability to integrate pre developed apps that extend and augment the functionality of Splunk to be better tailored to certain vendors, devices, etc. ย There is an app available for download in Splunkbase calledย TA-meraki. ย This app extends the logging capabilities of Splunk.

merakisplunk02

After adding the app, I could see the action type now as well as had tons of other data fields.

merakisplunk03

The TA-meraki app adds many data fields that can be used to filter and display your data.

merakisplunk04

A note here also –ย Inbound firewall logging is enabled by default as you see here.

merakisplunk05

However, any outbound rules have logging set to disabled by default. ย These would need to be enabled.

merakisplunk06

Thoughts

In my opinion setting up syslogging with Meraki is essential if you truly want to consider this platform for a security solution. ย The process to configure Splunk for Meraki MX is not difficult and with the modular nature of Splunk now with the meraki apps, the data that can be captured and indexed is very robust. ย Look for an upcoming post on my complete thoughts with the Meraki MX security appliances.

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.