Meraki Logs into Office 365 Cloud App Security

SOLVED
BRYANQ1234

I am trying to pull the Meraki logs into Microsoft's Cloud App Security dashboard. Does anyone have experience with this? Each time we have tried, we get the below error message. 

 

Failed
Parsing failed for all logs.
Event_log.csv
  •  Log format does not match the expected format for Meraki - URLs log.

 

Microsoft provides an example log but there is not much instruction past this. 

 

Here is the Microsoft Help Article...

https://support.office.com/en-us/article/Web-traffic-logs-and-data-sources-for-Office-365-Cloud-App-...

1 ACCEPTED SOLUTION
BlakeRichardson

According to the MS page you supplied, it only supports Meraki's URLs log, not the Event log that you are trying to import. You probably need to set it up as a Syslog connection and select URLs as the role.

 

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI

10 REPLIES 10

Thank you, this worked for us! 

Excellent, glad to hear it.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI

@BRYANQ1234 Did you just send the syslogs to a receiver and then export, and manually import into CAS, or did you set up the log receiver VM/docker image to handle the syslog directly?

@KarbonX1 So we set up a Linux VM on Azure and this is sending logs directly to CAS. Let me know if you have specific questions. I had to task one of our contractors to help with this but I can get further details if needed.

 

thank you! 

@BRYANQ1234 I was wondering if you could help out with a question I have. I have set up an Ubuntu VM with Docker and linked it to the CAS but I am getting an error:

"Failed
Parsing failed for all logs.
SyslogCatchAll-2018-04-23.txt
  •  Log format does not match the expected format for Meraki - URLs log."

Hello, I have a clarification question: can Office 365 CAS receive and analyze Meraki logs directly, or must it be a manual export and import?

Thank you

Has anyone come up with an easy method for this? I have a robust analyzer but no run of the mill syslogger. 

The current implementation only accepts URL logs as stated above. You will have to deploy a Cloud Discovery server on-prem or in Azure. Once completed, you forward your logs to this server on UDP 514 and the logs will start flowing into your Cloud App Security Portal.

 

https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery
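
An added example, not part of the thread and not Microsoft or Meraki code: a pre-upload check that counts which Meraki syslog roles a capture file contains, since the replies above say Cloud App Security accepts only the URLs role and both failures involved an Event log export or a catch-all file. The line layout in the regexes and the sample lines are assumptions modeled on Meraki's published syslog samples; the helper names are hypothetical.

```python
import re
from collections import Counter

# Assumed layout once any receiver-added prefix is skipped:
#   <epoch.fraction> <device> <role> <fields...>
# and, for the urls role, fields ending in "request: <METHOD> <URL>".
LINE = re.compile(r"(?:^|\s)(?P<ts>\d{9,10}\.\d+) (?P<device>\S+) "
                  r"(?P<role>[a-z_-]+) (?P<body>.*)$")
URL_BODY = re.compile(r"src=\S+ dst=\S+ .*request: [A-Z]+ \S+")

# Constructed sample: three lines of a catch-all syslog capture and one
# header row of a CSV export. None of this is real traffic.
SAMPLE = [
    "Apr 23 10:15:02 192.0.2.1 1 1524478502.038687 MX84 urls "
    "src=192.168.1.186:63735 dst=203.0.113.40:80 mac=58:1F:AA:CE:61:F2 "
    "request: GET http://www.example.com/",
    "Apr 23 10:15:03 192.0.2.1 1 1524478503.110000 MX84 flows "
    "src=192.168.1.186 dst=198.51.100.53 protocol=udp sport=55719 dport=53 "
    "pattern: allow all",
    "Apr 23 10:15:04 192.0.2.1 1 1524478504.254356 MX84 events "
    "dhcp lease of ip 192.168.1.10 for client mac 58:1F:AA:CE:61:F2",
    "Time,Network,Client,Event type,Details",
]

def classify(line):
    """Return 'urls', another role name, 'malformed-urls' or 'unrecognized'."""
    m = LINE.search(line)
    if not m:
        return "unrecognized"          # e.g. a CSV export, not syslog
    if m["role"] != "urls":
        return m["role"]               # flows, events, ids-alerts, ...
    return "urls" if URL_BODY.search(m["body"]) else "malformed-urls"

def summarize(lines):
    """Count non-empty lines per classification."""
    return Counter(classify(l) for l in lines if l.strip())

def urls_only(lines):
    """Keep only the well-formed urls-role lines."""
    return [l for l in lines if classify(l) == "urls"]

if __name__ == "__main__":
    for role, n in summarize(SAMPLE).most_common():
        print(f"{n:6d}  {role}")
```

A file whose summary shows no `urls` lines at all matches the situation in both error reports above: the content is some other role or a dashboard export rather than URL logs.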

Dartanian14

So we got this up and running with an on-prem Ubuntu 18.04. It's pushing logs in but it's not telling us much. It is just a bunch of IP addresses in the dashboard with no real meat -- which I kind of expected because it's only URL logs. Anyone else have experience with this? Is this what you are experiencing as well?
