Cisco Meraki
LogZilla App Store application: Cisco Meraki
Overview
Cisco Meraki is a family of wireless, switching, security, enterprise mobility management (EMM) and security-camera products, all centrally managed from the web.
Critical Configuration Requirement
Meraki devices MUST send logs to LogZilla's Raw Port (default: 516) instead of the standard syslog port (514).
Meraki's syslog implementation does not follow RFC standards. If Meraki devices send logs to the standard syslog port, LogZilla will treat them as malformed and they will not be processed correctly.
Required Configuration Steps
1. Configure Meraki devices to send logs to LogZilla's Raw Port:
   - TCP: Port 516 (Syslog Raw Port)
   - UDP: Port 516 (Syslog Raw UDP Port)
2. Verify LogZilla Raw Port settings in the LogZilla web interface:
   - Navigate to Settings → System → Syslog-ng settings
   - Confirm Raw Port configuration
3. Install the Cisco Meraki app from the LogZilla App Store
More information about Raw Port configuration can be found in Receiving Syslog Events.
App Function
The Cisco Meraki app recognizes and processes multiple types of Meraki log messages. The app identifies the message type, extracts relevant data elements, and creates user tags for analysis and filtering.
Vendor Documentation
- Cisco Meraki
- Cisco Meraki (wikipedia)
- Syslog Server Overview and Configuration
- Syslog Event Types and Log Samples
Incoming Log Format
Meraki logs use a non-standard format consisting of:
- Numeric timestamp - Unix epoch timestamp with microseconds
- Device identifier - Meraki device name or serial number
- Message type - Category of the logged event (e.g., urls, security_event, events)
- Key-value pairs - Event-specific data separated by spaces
Key-value pairs use = as the separator, with values optionally enclosed in double-quotes when they contain spaces or special characters.
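The format described above, as an added example parser that is not LogZilla's or Meraki's own code: it splits a line into epoch timestamp, device, message type, key=value fields and any trailing free text, and pulls the leased IP and MAC out of the free-text DHCP wording. It accepts single- as well as double-quoted values because the HTTP POST example at the end of this page quotes the agent string with single quotes; the `request:`/`message:` trailer handling and the `src_ip`/`src_port` field names are conventions of this example, not the app's tag names.

```python
import re

# One raw-port record: "<epoch.micro> <device> <type> <remainder>".
RECORD_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<type>\S+)\s*(?P<rest>.*)$")
# key=value with a single-quoted, double-quoted or bare (space-free) value.
KV_RE = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)"|(\S+))""")
# Trailing "label: free text" element, e.g. "request: POST ..." or "message: ...".
TRAILER_RE = re.compile(r"(?:^|\s)(\w+): (.*)$")
# Free-text DHCP lease wording carried in "events" messages.
DHCP_RE = re.compile(r"dhcp lease of ip (\S+) for client mac (\S+)")

def parse_meraki(line: str) -> dict:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not a Meraki raw-port record: %r" % line)
    rec = {"timestamp": float(m["ts"]), "device": m["device"],
           "type": m["type"], "fields": {}, "text": ""}
    rest = m["rest"]
    trailer = TRAILER_RE.search(rest)  # take the free-text tail off before key=value parsing
    if trailer:
        rec["fields"][trailer.group(1)] = trailer.group(2)
        rest = rest[:trailer.start()]
    for kv in KV_RE.finditer(rest):
        key = kv.group(1)
        value = next(v for v in kv.groups()[1:] if v is not None)
        if key in ("src", "dst"):  # "ip:port" -> the SrcIP/SrcPort style fields
            ip, _, port = value.rpartition(":")
            rec["fields"][key + "_ip"], rec["fields"][key + "_port"] = ip, port
        else:
            rec["fields"][key] = value
    rec["text"] = " ".join(KV_RE.sub("", rest).split())  # whatever was not key=value
    dhcp = DHCP_RE.search(rec["text"])
    if dhcp:
        rec["fields"]["leased_ip"], rec["fields"]["leased_mac"] = dhcp.groups()
    return rec

# Sample lines abbreviated from the Log Examples section of this page.
SAMPLES = [
    "1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 dst=192.168.1.9:443 "
    "mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64)' "
    "request: POST http://192.168.1.9:443/common/EventPoller.jsp",
    "1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 "
    "priority=1 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip "
    "src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT detection",
    "1563902014.000926451 MX250 events dhcp lease of ip 192.168.1.103 for client "
    "mac A0:AA:00:EE:11:D1 from router 192.168.1.254 on subnet 255.255.255.0",
]

if __name__ == "__main__":
    for s in SAMPLES: print(parse_meraki(s))
```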
Parsed Metadata Fields
The Cisco Meraki app parses data fields for multiple message types. From the data contained in those messages, the following user tags are generated:
| Tagged | Tag Name | Example | Description |
|---|---|---|---|
| ☑ | SrcIP | 11.22.33.44 | Source IP address |
| ☑ | DstIP | 55.66.77.88 | Destination IP address |
| ☑ | Request | POST | HTTP request method |
| ☑ | Source to Destination | 151.101.52.238 -> 192.168.128.2 | Source to destination IP mapping |
| ☑ | Leased IP | 192.168.1.103 | DHCP leased IP address |
| ☑ | Server IP | 11.22.33.44 | Server IP address |
| ☑ | Leased Mac | A0:AA:00:EE:11:D1 | DHCP leased MAC address |
| ☑ | Mac to IP Assignment | A0:AA:00:EE:11:D1 -> 192.168.1.103 | MAC to IP address mapping |
| ☑ | Client Mac | 00:0A:E6:3E:FD:E1 | Client MAC address |
| ☑ | User Local To Remote IP | bob.l.bar: 1.2.3.4 -> 4.3.2.1 | User with local to remote IP mapping |
| ☑ | Status User Local To Remote IP | bob.l.bar: connect 1.2.3.4 -> 4.3.2.1 | Connection status with user and IP mapping |
| ☑ | Remote IP | 44.33.22.11 | Remote IP address |
| ☑ | Local IP | 11.22.33.44 | Local IP address |
|   | User CN | Bob Bars A. | User common name |
|   | User OU | Cloud | User organizational unit |
|   | Device | FR_R23_6 | Meraki device identifier |
|   | Agent | Mozilla/5.0... | User agent string |
|   | SrcPort | dynamic | Source port |
|   | DstPort | https | Destination port |
|   | Protocol | udp | Network protocol |
|   | Matched Signature Id | 1:28423:1 | Security signature identifier |
|   | Priority | High | Event priority level |
|   | Destination Mac | 98:5A:EB:E1:81:2F | Destination MAC address |
|   | Direction | ingress | Traffic direction |
|   | Event Type | association | Wireless association event type |
|   | Url | https://adserver-us.adtech.advertising.com/... | Accessed URL |
|   | Category | Web Advertisements | Content category |
|   | User | scott.l.foo | Username |
|   | Connection Type | connect | Connection type |
Troubleshooting
Common Issues
Problem: Meraki logs not appearing in LogZilla
- Cause: Meraki device sending to standard syslog port (514)
- Solution: Reconfigure Meraki to send to Raw Port (516)
Problem: Meraki logs appear as unparsed messages
- Cause: Cisco Meraki app not installed or not processing Raw Port messages
- Solution: Install Cisco Meraki app from App Store and verify Raw Port configuration
Problem: Missing user tags on Meraki events
- Cause: Events not matching expected Meraki format patterns
- Solution: Verify Meraki device is sending logs in expected format (see examples below)
Log Examples
HTTP POST Request
```text
1566076596.550975289 FR_R23_6 urls src=192.168.1.1:54060 dst=192.168.1.9:443 mac=00:0A:E6:3E:FD:E1 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' request: POST http://192.168.1.9:443/common/EventPoller.jsp
```
Security Event
```text
1563886829.297656222 MX250 security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection
```
DHCP Lease
```text
1563902014.000926451 MX250 events dhcp lease of ip 192.168.1.103 for client mac A0:AA:00:EE:11:D1 from router 192.168.1.254 on subnet 255.255.255.0 with dns 10.9.8.99, 10.9.8.100
```