Cisco Meraki

Cisco Meraki is a family of cloud-managed networking products: wireless access points, switches, security appliances, enterprise mobility management (EMM) and security cameras, all centrally managed from a web dashboard.

App Function

This app recognizes several different types of Meraki log messages. From the identified message type it knows what data to expect within the log message, parses that data, and sets a variety of user tags depending on the type of message being parsed.

Vendor Documentation

Incoming Log Format

Cisco Meraki syslog messages are composed of a numeric epoch timestamp (seconds, with a fractional nanosecond part), followed by the name of the Meraki device that emitted the event (FR_R23_6 and MX250 in the examples below), followed by a word indicating the message type (for example urls, security_event or events), followed by the event data. For most message types the data is a sequence of key=value pairs separated by spaces; values that contain spaces are quoted (the agent string in the urls example below is enclosed in single quotes). Some message types end with, or consist entirely of, free text rather than key-value pairs: the request: and message: tails and the dhcp lease text in the examples below.

Parsed Metadata Fields

This app parses the data fields of several Meraki message types, including URL requests (urls), security events (security_event) and DHCP leases (events). From the data contained within those messages the following user tags are generated:

User Tag Name                     Example                                                                          High-Cardinality?
SrcIP                             11.22.33.44
DstIP                             55.66.77.88
Request                           POST
Source to Destination             151.101.52.238 -> 192.168.128.2
Leased IP                         192.168.1.103
Server IP                         11.22.33.44
Leased Mac                        A0:AA:00:EE:11:D1
Mac to IP Assignment              A0:AA:00:EE:11:D1 -> 192.168.1.103
Server IP                         192.168.1.254
Client Mac                        00:0A:E6:3E:FD:E1
User Local To Remote IP           bob.l.bar: 1.2.3.4 -> 4.3.2.1
Status User Local To Remote IP    bob.l.bar: connect 1.2.3.4 -> 4.3.2.1
Remote IP                         44.33.22.11
Local IP                          11.22.33.44
User CN                           Bob Bars A.
User OU                           Cloud
Device                            FR_R23_6
Agent                             Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
SrcPort                           dynamic
DstPort                           https
Protocol                          udp
Matched Signature Id              1:28423:1
Priority                          High
Destination Mac                   98:5A:EB:E1:81:2F
Direction                         ingress
Event Type                        association
Url                               https://adserver-us.adtech.advertising.com/...
Category                          Web Advertisements
User                              scott.l.foo
Connection Type                   connect

Log Examples

HTTP POST Request

1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 dst=192.168.1.9:443 mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' request: POST http://192.168.1.9:443/common/EventPoller.jsp

Security Event

1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection

DHCP Lease

1563902014.000926451 MX250 events dhcp lease of ip 192.168.1.103 for client mac A0:AA:00:EE:11:D1 from router 192.168.1.254 on subnet 255.255.255.0 with dns 10.9.8.99, 10.9.8.100
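The following Python parser is an added example, not the app's or Cisco Meraki's own code. It implements the format described under Incoming Log Format and runs over constructed copies of the three log examples above (re-joined into single lines), then derives the user tags from the table above. The tag names and the field-to-tag mapping follow the table; the mapping of the numeric IDS priority to High/Medium/Low is an assumption, and the Message tag is not one of the page's tags (it just keeps the alert text).

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, modelled on the three examples on this page
# (not captured from a live device). Each is a single syslog line.
SAMPLE_LINES = [
    "1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 dst=192.168.1.9:443 "
    "mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' "
    "request: POST http://192.168.1.9:443/common/EventPoller.jsp",
    "1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 priority=1 "
    "timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip "
    "src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit "
    "kit single digit exe detection",
    "1563902014.000926451 MX250 events dhcp lease of ip 192.168.1.103 for client mac "
    "A0:AA:00:EE:11:D1 from router 192.168.1.254 on subnet 255.255.255.0 with dns "
    "10.9.8.99, 10.9.8.100",
]

# <epoch.ns> <device name> <message type> <rest of line>
HEADER_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<type>\S+)\s*(?P<rest>.*)$")
# key=value with a 'single-quoted', "double-quoted" or bare (no whitespace) value
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")
WORD_RE = re.compile(r"\S+")
DHCP_RE = re.compile(r"dhcp lease of ip (?P<ip>\S+) for client mac (?P<mac>\S+) from router (?P<router>\S+)")
# Assumed mapping of the numeric IDS priority to the page's Priority tag (1 -> High).
PRIORITY = {"1": "High", "2": "Medium", "3": "Low"}


def split_fields(rest):
    """Walk the text after the message type left to right.

    Bare words before the first key=value pair (e.g. 'ids_alerted') form the subtype;
    key=value pairs are collected; the first non-pair token after a pair ends the
    structured part and everything from there on is free text ('request: ...',
    'message: ...'). Stopping there matters: a query string such as ?id=1 inside the
    trailing URL must not be mistaken for another key=value pair.
    """
    subtype, fields, pos = [], {}, 0
    while pos < len(rest):
        kv = KV_RE.match(rest, pos)
        if kv:
            key, sq, dq, bare = kv.groups()
            fields[key] = sq if sq is not None else dq if dq is not None else bare
            pos = kv.end()
        elif not fields:
            word = WORD_RE.match(rest, pos)
            subtype.append(word.group())
            pos = word.end()
        else:
            break
        while pos < len(rest) and rest[pos].isspace():
            pos += 1
    return " ".join(subtype), fields, rest[pos:]


def parse_line(line):
    """Parse one Meraki syslog line into header, subtype, key=value fields and free-text tail."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Meraki syslog line: {line!r}")
    subtype, fields, tail = split_fields(m.group("rest"))
    return {
        "timestamp": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "raw_timestamp": m.group("ts"),  # float() rounds the ns part; keep the original string
        "device": m.group("device"),
        "type": m.group("type"),
        "subtype": subtype,
        "fields": fields,
        "tail": tail,
        "rest": m.group("rest"),
    }


def _split_hostport(value):
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, "")


def derive_tags(event):
    """Produce the user tags listed on this page from a parsed event."""
    f, tags = event["fields"], {"Device": event["device"]}
    if "src" in f:
        tags["SrcIP"], tags["SrcPort"] = _split_hostport(f["src"])
    if "dst" in f:
        tags["DstIP"], tags["DstPort"] = _split_hostport(f["dst"])
    if "SrcIP" in tags and "DstIP" in tags:
        tags["Source to Destination"] = f"{tags['SrcIP']} -> {tags['DstIP']}"
    simple = {"mac": "Client Mac", "agent": "Agent", "signature": "Matched Signature Id",
              "dhost": "Destination Mac", "direction": "Direction", "protocol": "Protocol"}
    for key, tag in simple.items():
        if key in f:
            tags[tag] = f[key]
    if "priority" in f:
        tags["Priority"] = PRIORITY.get(f["priority"], f["priority"])
    tail = event["tail"]
    if event["type"] == "urls" and tail.startswith("request:"):
        parts = tail.split(None, 2)  # 'request:', METHOD, URL
        if len(parts) == 3:
            tags["Request"], tags["Url"] = parts[1], parts[2]
    if event["type"] == "security_event" and tail.startswith("message:"):
        tags["Message"] = tail[len("message:"):].strip()  # alert text; not a tag on this page
    if event["type"] == "events":
        dhcp = DHCP_RE.search(event["rest"])
        if dhcp:
            tags["Leased IP"], tags["Leased Mac"] = dhcp.group("ip"), dhcp.group("mac")
            tags["Server IP"] = dhcp.group("router")
            tags["Mac to IP Assignment"] = f"{dhcp.group('mac')} -> {dhcp.group('ip')}"
    return tags


def tag_lines(lines):
    return [derive_tags(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for tags in tag_lines(SAMPLE_LINES):
        print(tags)
```

Two things worth noticing when running this over the page's own examples: the security_event line carries its own timestamp= field (the detection engine's event time), which in the example is years apart from the syslog prefix, so correlate on the prefix, not the embedded value; and the src/dst values are host:port pairs, so the parser has to split on the last colon rather than the first (an IPv6 literal would need bracket handling that this example does not attempt).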