Hello Myron,
We would like to install the TA-meraki app for our meraki data but I need some clarification on a couple of things. We use heavy forwarders in our environment. Please let me know if you have any questions. Thanks for your time.
Sorry for the long delay. Apparently my subscriptions to be notified of forum posts regarding this tag was not working.
1 On our Heavy Forwarder, we can add a different UDP port for this data. Meraki can also forward on this port. Do we need to install the app on the heavy forwarder?
Yes and no (optional). There is one piece that executes on index "TRANSFORMS-meraki_date_clipper". Basically all it does is clip out the unix timestamp in preference to the syslog timestamp. Completely unnecessary (unless you want to save a few bytes in your log).
2 Do we need to also install the app in the cloud?
Yes
3> Or should we only install in the cloud and add the port on the heavy forwarder and force the sourcetype for that port to be “meraki”?
You'll still need the sourcetype by Meraki, which would be done on your heavy forwarder... but you'll need this on your search head (i.e. the cloud)