Configure a Cisco Meraki firewall to send logs to Arctic Wolf

You can configure Cisco Meraki® to send the necessary logs to Arctic Wolf® for security monitoring.

Note:
  • This syslog integration provides Arctic Wolf with endpoint data about common firewall and AP syslog events. To give Arctic Wolf access to data about security events and configuration changes, complete the cloud configuration: Configure Cisco Meraki for Arctic Wolf monitoring.
  • Notify your Concierge Security® Team (CST) if you change your Cisco Meraki firewall configuration settings after the initial setup.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to the Meraki Dashboard with administrator permissions

Configure log forwarding

  1. Sign in to the Meraki Dashboard with administrator permissions.
  2. If your account is a member of multiple organizations, in the Organization list, select the organization that you want to configure.
  3. In the Network list, select the network that you want to configure.
  4. In the navigation menu, click Network-wide > Configure > General.
  5. In the Reporting section, click Add a syslog server.
  6. In the Traffic Analysis section, select Detailed: collect destination hostnames.
  7. In the Syslog servers section, configure these settings:
    • Server address — Enter the IP address of your Arctic Wolf sensor.
    • Port — Keep the default UDP port value of 514.
    • Roles — Select Security events, Flows, and URL.
      Note: If you require AnyConnect logs, also select the WAN appliance event role.
  8. Click Update syslog servers.
  9. In the navigation menu, click Security & SD-WAN > Firewall.
  10. In the Layer 3 section, select the Syslog checkbox for every rule.
  11. Click Save.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on if you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.