Cisco Meraki
Cisco Meraki is a family of wireless, switching, security, enterprise mobility management (EMM) and security cameras, all centrally managed from the web.
App Function
This app recognizes and identifies several different types of Meraki log messages. From this identification the app knows what data to expect within the log message. The app then parses that data from the log message and sets a variety of user tags, depending on the type of message being parsed.
Vendor Documentation
- Cisco Meraki
- Cisco Meraki (wikipedia)
- Syslog Server Overview and Configuration
- Syslog Event Types and Log Samples
Incoming Log Format
Cisco Meraki logs are composed of a numeric timestamp (Unix epoch seconds with a fractional part), followed by the name of the sending Meraki device, followed by a word indicating the message type (some types carry a further subtype word, such as security_event ids_alerted), followed by key-value pairs with the data relevant to the event. Each key and value is separated by an equals sign (=) and the pairs are separated by spaces. Where appropriate the values are delimited using quotes: double quotes ("), or single quotes as in the agent value of the urls example below. Some message types end with free text introduced by request: or message:, which runs to the end of the line.
Parsed Metadata Fields
As mentioned, this app parses data fields from several Meraki message types (URL requests, security events, DHCP leases and others; see the Log Examples section below). From the data contained within those messages the following user tags are generated:
User Tag Name | Example | High-Cardinality? |
---|---|---|
SrcIP | 11.22.33.44 | ☑ |
DstIP | 55.66.77.88 | ☑ |
Request | POST | ☑ |
Source to Destination | 151.101.52.238 -> 192.168.128.2 | ☑ |
Leased IP | 192.168.1.103 | ☑ |
Server IP | 11.22.33.44 | ☑ |
Leased Mac | A0:AA:00:EE:11:D1 | ☑ |
Mac to IP Assignment | A0:AA:00:EE:11:D1 -> 192.168.1.103 | ☑ |
Server IP | 192.168.1.254 | ☑ |
Client Mac | 00:0A:E6:3E:FD:E1 | ☑ |
User Local To Remote IP | bob.l.bar: 1.2.3.4 -> 4.3.2.1 | ☑ |
Status User Local To Remote IP | bob.l.bar: connect 1.2.3.4 -> 4.3.2.1 | ☑ |
Remote IP | 44.33.22.11 | ☑ |
Local IP | 11.22.33.44 | ☑ |
User CN | Bob Bars A. | |
User OU | Cloud | |
Device | FR_R23_6 | |
Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 | |
SrcPort | dynamic | |
DstPort | https | |
Protocol | udp | |
Matched Signature Id | 1:28423:1 | |
Priority | High | |
Destination Mac | 98:5A:EB:E1:81:2F | |
Direction | ingress | |
Event Type | association | |
Url | https://adserver-us.adtech.advertising.com/... | |
Category | Web Advertisements | |
User | scott.l.foo | |
Connection Type | connect | |
Log Examples
HTTP POST Request
1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 dst=192.168.1.9:443 mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' request: POST http://192.168.1.9:443/common/EventPoller.jsp
Security Event
1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection
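The following Python parser is an added example, not code from this page or from the app it describes. It implements the Incoming Log Format described above (timestamp, device name, type and optional subtype, key=value pairs with optional quoting, then a request: or message: free-text tail) and derives user tags with the names used in the table above from the two log lines in this section. The port naming (ports in the IANA dynamic range reported as "dynamic", a few well-known ports by name) and the priority=1 to "High" mapping are assumptions made to reproduce the example tag values; the real app's rules for these are not documented on this page.

```python
import re
from dataclasses import dataclass, field

# The two log lines from the Log Examples section, re-joined onto one line each.
SAMPLE_URLS = ("1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 dst=192.168.1.9:443 "
               "mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' "
               "request: POST http://192.168.1.9:443/common/EventPoller.jsp")
SAMPLE_IDS = ("1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 "
              "priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress "
              "protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 "
              "message: EXPLOIT-KIT Multiple exploit kit single digit exe detection")

# Tokens after the three header words, tried left to right at each position.
TOKEN_RE = re.compile(r"""
    (?P<key>\w+)=(?P<val>'[^']*'|"[^"]*"|\S+)       # key=value; value may be single- or double-quoted
  | (?P<tail_key>request|message):\s*(?P<tail>.*)   # free-text tail, runs to end of line
  | (?P<word>\S+)                                   # bare word, e.g. the ids_alerted subtype
""", re.VERBOSE)

# ASSUMPTION: port naming used to reproduce the "dynamic" / "https" examples in the tag table.
WELL_KNOWN_PORTS = {22: "ssh", 53: "dns", 80: "http", 443: "https"}
# ASSUMPTION: Snort-style priority names (the page shows "High" for priority=1).
PRIORITY_NAMES = {"1": "High", "2": "Medium", "3": "Low"}


@dataclass
class MerakiEvent:
    timestamp: str
    device: str
    msg_type: str
    subtypes: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # raw key=value pairs, quotes stripped
    text: str = ""                               # free-text tail after request: / message:
    tags: dict = field(default_factory=dict)     # derived user tags


def port_name(port: str) -> str:
    n = int(port)
    return "dynamic" if n >= 49152 else WELL_KNOWN_PORTS.get(n, port)


def split_endpoint(value: str):
    """'192.168.1.1:54060' -> ('192.168.1.1', '54060'); a bare address yields an empty port."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep and port.isdigit() else (value, "")


def derive_tags(ev: MerakiEvent) -> None:
    f, t = ev.fields, ev.tags
    for key, ip_tag, port_tag in (("src", "SrcIP", "SrcPort"), ("dst", "DstIP", "DstPort")):
        if key in f:
            t[ip_tag], port = split_endpoint(f[key])
            if port:
                t[port_tag] = port_name(port)
    if "SrcIP" in t and "DstIP" in t:
        t["Source to Destination"] = f"{t['SrcIP']} -> {t['DstIP']}"
    if "request" in f:                      # "POST http://..." -> method and URL
        t["Request"], _, t["Url"] = f["request"].partition(" ")
    if "priority" in f:
        t["Priority"] = PRIORITY_NAMES.get(f["priority"], f["priority"])
    for key, tag in (("mac", "Client Mac"), ("dhost", "Destination Mac"), ("agent", "Agent"),
                     ("signature", "Matched Signature Id"), ("direction", "Direction"),
                     ("protocol", "Protocol")):
        if key in f:
            t[tag] = f[key]


def parse_meraki(line: str) -> MerakiEvent:
    try:
        ts, device, mtype, rest = line.split(None, 3)
    except ValueError:
        raise ValueError(f"not a Meraki syslog line: {line!r}") from None
    ev = MerakiEvent(ts, device, mtype)
    for m in TOKEN_RE.finditer(rest):
        if m.group("key"):
            ev.fields[m.group("key")] = m.group("val").strip("'\"")
        elif m.group("tail_key"):
            ev.fields[m.group("tail_key")] = ev.text = m.group("tail")
            break                            # nothing structured follows the free text
        else:
            ev.subtypes.append(m.group("word"))
    derive_tags(ev)
    return ev


if __name__ == "__main__":
    for line in (SAMPLE_URLS, SAMPLE_IDS):
        ev = parse_meraki(line)
        print(ev.device, ev.msg_type, ev.subtypes, ev.tags)
```

The agent, request and message values come from the client or from the matched IDS rule text, so treat them as untrusted once they are indexed or rendered downstream. Note also that a User-Agent containing a single quote would end the quoted-value match early in this parser, which is one reason to keep the raw line alongside the derived tags rather than discarding it.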
DHCP Lease