Cisco Meraki
Cisco Meraki is a family of wireless, switching, security, enterprise mobility management (EMM) and security cameras, all centrally managed from the web.
App Function
This app recognizes and identifies several different types of Meraki log messages. From this identification the app knows what data to expect within the log message. The app then parses that data from the log message and sets a variety of user tags, depending on the type of message being parsed.
Vendor Documentation
- Cisco Meraki
- Cisco Meraki (wikipedia)
- Syslog Server Overview and Configuration
- Syslog Event Types and Log Samples
Incoming Log Format
Cisco Meraki logs are composed of a numeric date-timestamp, followed by a Meraki device id, followed by a word indicating the message type, followed by key-value pairs with the data relevant to the event. Each key and value is separated by `=` and the pairs are separated by spaces. Where appropriate the values are delimited using double-quotes (`"`).
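The format described above can be parsed with a single regular-expression pass. The following Python is an added illustration, not LogZilla's own parser: it splits a raw line into the timestamp, device id and message-type header, the key=value pairs and the free-text trailer (`request:` or `message:`), and then derives some of the user tags listed under Parsed Metadata Fields. It accepts single-quoted as well as double-quoted values because the HTTP example on this page uses `agent='...'`. The two sample lines are the page's own log examples joined onto one line each; the mapping of IDS priority numbers to tag names and the port handling (numeric ports are kept as-is rather than mapped to service names such as `https`) are assumptions.

```python
import re
from typing import Dict, Tuple

# Key=value pairs as described above. Values may be double-quoted, single-quoted
# (the HTTP example on this page uses agent='...'), or bare.
KV_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Free-text trailer that ends some messages ("request: POST ..." / "message: ...").
TRAILER_RE = re.compile(r"\b(request|message):\s*(.*)$")

# Assumed mapping of IDS priority numbers to the Priority tag: the page shows
# priority=1 in the log and "High" in the tag table; 2 and 3 are assumptions.
PRIORITY = {"1": "High", "2": "Medium", "3": "Low"}

# Sample input: the two log lines from the Log Examples section, each joined
# onto a single line (Meraki emits one event per line).
HTTP_LINE = ("1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 "
             "dst=192.168.1.9:443 mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT "
             "10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/76.0.3809.100 Safari/537.36' request: POST "
             "http://192.168.1.9:443/common/EventPoller.jsp")
SEC_LINE = ("1563886829.297656222 MX250 security_event ids_alerted "
            "signature=1:28423:1 priority=1 timestamp=1468531589.810079 "
            "dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip "
            "src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple "
            "exploit kit single digit exe detection")


def parse_meraki(line: str) -> Dict[str, str]:
    """Split one raw Meraki line into header fields, key=value pairs and trailer."""
    parts = line.strip().split(None, 3)
    if len(parts) < 3 or not parts[0].replace(".", "", 1).isdigit():
        raise ValueError("not a Meraki log line: %r" % line)
    rec = {"epoch": parts[0], "device": parts[1], "msg_type": parts[2]}
    rest = parts[3] if len(parts) == 4 else ""
    # Cut off the free-text trailer first so a URL or message containing '='
    # is never mistaken for a key=value pair.
    m = TRAILER_RE.search(rest)
    if m:
        rec[m.group(1)] = m.group(2).strip()
        rest = rest[:m.start()]
    # Bare words before the first pair are a sub-type (e.g. "ids_alerted").
    first = KV_RE.search(rest)
    head = rest[:first.start()] if first else rest
    if head.strip():
        rec["subtype"] = head.strip()
    for key, dq, sq, bare in KV_RE.findall(rest):
        rec[key] = dq or sq or bare
    return rec


def split_hostport(value: str) -> Tuple[str, str]:
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); a value without a port gets ''."""
    host, _, port = value.rpartition(":")
    return (host, port) if host and port.isdigit() else (value, "")


def user_tags(rec: Dict[str, str]) -> Dict[str, str]:
    """Derive user tags, named as in the table on this page, from a parsed record."""
    tags: Dict[str, str] = {"Device": rec["device"]}
    if "src" in rec:
        tags["SrcIP"], tags["SrcPort"] = split_hostport(rec["src"])
    if "dst" in rec:
        tags["DstIP"], tags["DstPort"] = split_hostport(rec["dst"])
    if "SrcIP" in tags and "DstIP" in tags:
        tags["Source to Destination"] = f"{tags['SrcIP']} -> {tags['DstIP']}"
    simple = {"mac": "Client Mac", "dhost": "Destination Mac", "direction": "Direction",
              "protocol": "Protocol", "signature": "Matched Signature Id", "agent": "Agent"}
    for key, tag in simple.items():
        if key in rec:
            tags[tag] = rec[key]
    if "priority" in rec:
        tags["Priority"] = PRIORITY.get(rec["priority"], rec["priority"])
    if "request" in rec:
        # "request: POST http://..." -> Request=POST, Url=http://...
        method, _, url = rec["request"].partition(" ")
        tags["Request"], tags["Url"] = method, url
    return tags


if __name__ == "__main__":
    for line in (HTTP_LINE, SEC_LINE):
        for name, value in user_tags(parse_meraki(line)).items():
            print(f"{name}: {value}")
        print()
```

Because the trailer is removed before the key=value scan, a query string such as `?id=1` inside a logged URL never pollutes the parsed fields; a line that does not start with the numeric timestamp raises `ValueError` rather than producing half-filled tags, which is the behaviour you want when a non-Meraki sender is pointed at the Raw Port by mistake.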
Parsed Metadata Fields
As mentioned, this app only parses data fields for a single message type: messages with mnemonic APF-3-AUTHENTICATION_TRAP. From the data contained within those messages the following user tags are generated:
User Tag Name | Example | High-Cardinality? |
---|---|---|
SrcIP | 11.22.33.44 | ☑ |
DstIP | 55.66.77.88 | ☑ |
Request | POST | ☑ |
Source to Destination | 151.101.52.238 -> 192.168.128.2 | ☑ |
Leased IP | 192.168.1.103 | ☑ |
Server IP | 11.22.33.44 | ☑ |
Leased Mac | A0:AA:00:EE:11:D1 | ☑ |
Mac to IP Assignment | A0:AA:00:EE:11:D1 -> 192.168.1.103 | ☑ |
Server IP | 192.168.1.254 | ☑ |
Client Mac | 00:0A:E6:3E:FD:E1 | ☑ |
User Local To Remote IP | bob.l.bar: 1.2.3.4 -> 4.3.2.1 | ☑ |
Status User Local To Remote IP | bob.l.bar: connect 1.2.3.4 -> 4.3.2.1 | ☑ |
Remote IP | 44.33.22.11 | ☑ |
Local IP | 11.22.33.44 | ☑ |
User CN | Bob Bars A. | |
User OU | Cloud | |
Device | FR_R23_6 | |
Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 | |
SrcPort | dynamic | |
DstPort | https | |
Protocol | udp | |
Matched Signature Id | 1:28423:1 | |
Priority | High | |
Destination Mac | 98:5A:EB:E1:81:2F | |
Direction | ingress | |
Event Type | association | |
Url | https://adserver-us.adtech.advertising.com/... | |
Category | Web Advertisements | |
User | scott.l.foo | |
Connection Type | connect | |
Configuration Requirements
Meraki logs do not match the RFC 3164 and RFC 5424 syslog standard formats. Consequently, the Meraki app requires that the Meraki device send its (non-standard) logs to a specific port in LogZilla that can receive non-syslog messages. This port is called the Raw Port.
The port to use as the destination for Meraki logs is 516, by default. This can be changed in the LogZilla configuration settings (this is called the Syslog Raw Port for TCP, or Syslog Raw UDP port for UDP). More documentation about the Raw Port can be found in the documentation at LogZilla Network Communications.
Log Examples
HTTP POST Request
```
1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 dst=192.168.1.9:443 mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' request: POST http://192.168.1.9:443/common/EventPoller.jsp
```
Security Event
```
1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection
```
DHCP Lease