We have a SIEM tool that consumes syslog from an MX appliance to aggregate/analyze traffic and track connections between internal assets and external malicious actors.
We are currently able to parse syslog messages from an MX appliance to determine:
1. the external IP/domain connected with
2. the internal IP(s), ports interacted with
3. traffic type and encryption status
4. whether the connection initiated internally or externally
It is also of vital importance to determine the volume of data transferred both in and out of a network over the connection between the source and destination. Currently, the MX flow logs do not support this. I know many other firewalls include this in their flow log equivalents, and I know there are ways to view and export this info from the MX dashboard. However, we need a passive, automated way to consume this data without implementing manual workarounds. We would like to see Meraki include this in its flow logs as it is obviously helpful in narrowing down problem points.
Said another way, the current syslog messages resemble the following:
<134>1 1536610215.9836262378 XXX_XXX_X0X0 flows allow src=10.10.12.10 dst=192.218.232.24 mac=C7:E4:B3:E2:51:28 protocol=udp sport=51185 dport=1900
and we would want them to include something similar to the fields at the end of the message:
<134>1 1536610215.9836262378 XXX_XXX_X0X0 flows allow src=10.10.12.10 dst=192.218.232.24 mac=C7:E4:B3:E2:51:28 protocol=udp sport=51185 dport=1900 duration="30" sent_bytes="84" rcvd_bytes="84"