Cisco Meraki

Cisco Meraki is a family of wireless, switching, security, enterprise mobility management (EMM) and security cameras, all centrally managed from the web.

App Function

This app recognizes several different types of Meraki log messages. From that identification it knows what data to expect within each message, parses that data out of the log message, and sets a variety of user tags depending on the type of message being parsed.

Vendor Documentation

Incoming Log Format

Cisco Meraki logs are composed of a numeric date-timestamp, followed by a Meraki device id, followed by a word indicating the message type, followed by key-value pairs carrying the data relevant to the event. Each key is separated from its value by = and the pairs are separated by spaces. Where appropriate, values are delimited using double quotes (").
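As an added example (not code from this app or from Cisco), the following Python parser splits a line in the format just described into its header fields, its key=value pairs (double-quoted, single-quoted as in the Log Examples section, or bare) and any trailing free text; the sample lines and their IP addresses are constructed for this example.

```python
import re
from typing import Any, Dict

# Constructed sample lines in the format described above (timestamp, device id,
# message type, key=value pairs, trailing text). The IPs are RFC 5737
# documentation addresses chosen for this example, not values from the page.
SAMPLE_LOGS = [
    "1566076596.550975289 FR_R23_6 urls src=192.0.2.10:51234 dst=198.51.100.7:443 "
    "mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64)' "
    "request: POST",
    "1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 "
    "priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F "
    "direction=ingress protocol=tcp/ip src=192.0.2.10 dst=198.51.100.7 "
    "message: EXPLOIT-KIT Multiple exploit kit single digit exe detection",
]

# Header: epoch timestamp, device id, message type, then the remainder.
HEADER_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
# One token of the remainder: key=value with a double-quoted, single-quoted or
# bare value (the bare form may be empty), or any other whitespace-delimited word.
TOKEN_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S*))|(\S+)""")


def parse_meraki_line(line: str) -> Dict[str, Any]:
    """Split one Meraki syslog line into header fields, key=value pairs and free text.

    Keys inside the message body (e.g. the IDS event's own timestamp=) are kept
    under 'fields' so they cannot shadow the header timestamp.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Meraki log line: %r" % line)
    fields: Dict[str, str] = {}
    words = []
    for tok in TOKEN_RE.finditer(m.group(4)):
        if tok.group(5) is not None:
            words.append(tok.group(5))  # free text such as "message: ..."
        else:
            fields[tok.group(1)] = next(g for g in tok.groups()[1:4] if g is not None)
    return {
        "timestamp": m.group(1),
        "device": m.group(2),
        "type": m.group(3),
        "fields": fields,
        "text": " ".join(words),
    }
```

A value whose text is missing (as in a line reading `src= dst=`) is parsed as an empty string rather than being dropped, so the key is still visible to downstream tagging.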

Parsed Metadata Fields

As mentioned, this app only parses data fields for a single message type: messages with mnemonic APF-3-AUTHENTICATION_TRAP. From the data contained within those messages the following user tags are generated:

User Tag Name                    | Example                                  | High-Cardinality?
Request                          | POST                                     |
Source to Destination            | ->                                       |
Leased IP                        |                                          |
Server IP                        |                                          |
Leased Mac                       | A0:AA:00:EE:11:D1                        |
Mac to IP Assignment             | A0:AA:00:EE:11:D1 ->                     |
Server IP                        |                                          |
Client Mac                       | 00:0A:E6:3E:FD:E1                        |
User Local To Remote IP          | ->                                       |
Status User Local To Remote IP   | connect ->                               |
Remote IP                        |                                          |
Local IP                         |                                          |
User CN                          | Bob Bars A.                              |
User OU                          | Cloud                                    |
Device                           | FR_R23_6                                 |
Agent                            | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 |
SrcPort                          | dynamic                                  |
DstPort                          | https                                    |
Protocol                         | udp                                      |
Matched Signature Id             | 1:28423:1                                |
Priority                         | High                                     |
Destination Mac                  | 98:5A:EB:E1:81:2F                        |
Direction                        | ingress                                  |
Event Type                       | association                              |
Category                         | Web Advertisements                       |
Connection Type                  | connect                                  |

Log Examples


1566076596.550975289 FR_R23_6 urls src=
dst= mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/76.0.3809.100 Safari/537.36' request: POST

Security Event

1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src= dst= message: EXPLOIT-KIT Multiple exploit kit single digit exe detection

DHCP Lease

1563902014.000926451 MX250 events dhcp lease of ip for client mac A0:AA:00:EE:11:D1 from router on subnet with dns,