Skip to main content
Cisco Meraki Documentation

Syslog Event Types and Log Samples

  1. Last updated
  2. Save as PDF

Overview

This article provides a list of most common syslog event types, description of each event, and a sample output of each log.

 

 

Meraki MX Security Appliance

 

Event type Description Sample Syslog Message
events vpn connectivity change 1380664922.583851938 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false'
events vpn connectivity change 1380664994.337961231 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='true'
events uplink connectivity change Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down
events uplink connectivity change Dec 6 08:45:24 192.168.1.1 1 1386337535.803931423 MX84 events failover to wan1
events uplink connectivity change Dec 6 08:43:43 192.168.1.1 1 1386337435.108107268 MX84 events failover to cellular
events uplink connectivity change Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up
events dhcp no offers Sep 11 16:12:41 192.168.10.1 1 1599865961.535491111 MX84 events dhcp no offers for mac A4:83:E7:XX:XX:XX host = 192.168.10.1
events dhcp lease Sep 11 16:05:15 192.168.10.1 1 1599865515.687171503 MX84 events dhcp lease of ip 192.168.10.68 from server mac E0:CB:BC:0F:XX:XX for client mac 8C:16:45:XX:XX:XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4
urls HTTP GET requests 1374543213.342705328 MX84 urls src=192.168.1.186:63735 dst=69.58.188.40:80 mac=58:1F:AA:CE:61:F2 request: GET https://...
flows (deprecated, this has been updated in MX18.101 and newer to "firewall")  L3 FW rule matched 1374543986.038687615 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all

firewall 

cellular_firewall

vpn_firewall

 L3 FW rule matched 1374543986.038687615 MX84 firewall src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all
ids-alerts ids signature matched 1377449842.514782056 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=74.125.140.132:80
ids-alerts ids signature matched 1377448470.246576346 MX84 ids-alerts signature=119:15:1 priority=2 timestamp=1377448470.238064 direction=egress protocol=tcp/ip src=192.168.111.254:56240
security_event ids_alerted ids signature matched signature=1:28423:1 priority=1 timestamp=1468531589.810079
dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80
dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit
exe detection
security_event security_filtering_file_scanned Malicious file blocked by amp url=http://www.eicar.org/download/eicar.com.txt src=192.168.128.2:53150
dst=188.40.238.250:80 mac=98:5A:EB:E1:81:2F
name='EICAR:EICAR_Test_file_not_a_virus-tpd'
sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
disposition=malicious action=block
security_event security_filtering_disposition_change File issued retrospective malicious disposition

name=EICAR:EICAR_Test_file_not_a_virus-tpd
sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
disposition=malicious action=allow
events purging ISAKMP-SA 1578424543.894083034 labs_appliance events Site-to-site VPN: purging ISAKMP-SA spi=9d1bb66d7ddc5cf0:d98cd0ed59e82f13
events purged ISAKMP-SA 1578424543.907937833 labs_appliance events Site-to-site VPN: purged ISAKMP-SA spi=9d1bb66d7ddc5cf0:d98cd0ed59e82f13
events ISAKMP-SA deleted 1578424543.918665436 labs_appliance events Site-to-site VPN: ISAKMP-SA deleted 172.24.23.6[4500]-172.24.23.10[4500] spi:9d1bb66d7ddc5cf0:d98cd0ed59e82f13
events IPsec-SA request queued due to no phase 1 found 1578424549.917669303 labs_appliance events Site-to-site VPN: IPsec-SA request for 172.24.23.10 queued due to no phase1 found
events failed to get sainfo 1578426208.829677788 labs_Z1 events Site-to-site VPN: failed to get sainfo
events failed to pre-process ph2 packet 1578426208.915091184 labs_Z1 events Site-to-site VPN: failed to pre-process ph2 packet (side: 1, status: 1)
events phase2 negotiation failed due to time up waiting for phase1 1578424408.321445408 labs_appliance events Site-to-site VPN: phase2 negotiation failed due to time up waiting for phase1. ESP 172.24.23.10[0]->172.24.23.6[0]
events initiate new phase 1 negotiation 1578424549.931720602 labs_appliance events Site-to-site VPN: initiate new phase 1 negotiation: 172.24.23.6[500]<=>172.24.23.10[500]
events ISAKMP-SA established 1578424550.965202127 labs_appliance events Site-to-site VPN: ISAKMP-SA established 172.24.23.6[4500]-172.24.23.10[4500] spi:fb903f191f1c7566:4dc90bd31c7884c1
events initiate new phase 2 negotiation 1578424550.975495647 labs_appliance events Site-to-site VPN: initiate new phase 2 negotiation: 172.24.23.6[4500]<=>172.24.23.10[4500]
events IPsec-SA established 1578424551.120459981 labs_appliance events Site-to-site VPN: IPsec-SA established: ESP/Tunnel 172.24.23.6[4500]->172.24.23.10[4500] spi=241280704(0xe61a6c0)

The priority score is based on Snort values. The priorities are as follows:

1 - high priority alert
2 - medium priority alert
3 - low priority alert
4 - very low priority alert

 Some values under the Sample Syslog Message are variables (i.e. hostname of the devices, timestamps, etc.) and will be different to Syslog messages generated by another device.

For the urls event type, the URL in the request part of the message will be truncated at 500 characters.

Content filtering events are sent to Syslog. The ‘URLs’ role has to be added to the Syslog server config for them to be sent.

Meraki MS Switches  

Event type Description Sample Syslog Message
events port status change 1379967288.409907239 MS220_8P events port 3 status changed from 100fdx to down
events port status change 1379967295.290863061 MS220_8P events port 3 status changed from down to 100fdx
events spanning-tree guard state change 1379970281.577982192 MS220_8P events Port 5 received an STP BPDU from 78:FE:3D:90:7F:43 so the port was blocked
events spanning-tree interface role change 1379970476.195563376 MS220_8P events Port 5 changed STP role from designated to alternate
events spanning-tree interface role change 1379969188.448725072 MS220_8P events Port 1 changed STP role from root to designated
events spanning-tree interface role change 1379970772.184373058 MS220_8P events Port 5 changed STP role from alternate to root
events spanning-tree interface role change 1379972501.619445657 MS220_8P events Port 1 changed STP role from disabled to designated
events blocked DHCP server response 1379988354.643337272 MS220_8P events Blocked DHCP server response from 78:FE:3D:90:7F:48 on VLAN 100
events 802.1X deauthentication 1380653487.002002676 MS220_8P events type=8021x_deauth port='' identity='employee@ikarem.com'
events 802.1X eap success 1380653443.857790533 MS220_8P events type=8021x_eap_success port='' identity='employee@ikarem.com'
events 802.1X authentication 1380653443.868786613 MS220_8P events type=8021x_auth port='3' identity='employee@ikarem.com'
events 802.1X client deauthentication 1380653486.994003049 MS220_8P events type=8021x_client_deauth port='3' identity='employee@ikarem.com'
events Virtual router collision 1379988354.643337272 MS320_24P events Received VRRP packet for virtual router 1 from a.a.a.a on VLAN x with incompatible configuration
events VRRP transition 1379988354.643337272 MS320_24P events changed from VRRP passive to VRRP active because it has not received packets from the active
events Power supply inserted 1379988354.643337272 MS320_24P events Power supply xxxx-xxxx-xxxx was inserted into slot 1
events OSPF future enhancement
events DHCP Server future enhancement

Meraki MR Access Points  

Event type Event description Sample Syslog Message
events 802.11 association 1380653443.857790533 MR18 events type=association radio='0' vap='1' channel='6' rssi='23' aid='1813578850'
events 802.11 disassociation 1380653443.857790533 MR18 events type=disassociation radio='0' vap='1' channel='6' reason='8' instigator='2' duration='11979.728000' auth_neg_dur='1380653443.85779053324000' last_auth_ago='5.074000' is_wpa='1' full_conn='1.597000' ip_resp='1.597000' ip_src='192.168.111.251' arp_resp='1.265000' arp_src='192.168.111.251' dns_server='192.168.111.1' dns_req_rtt='1380653443.85779053335000' dns_resp='1.316000' aid='1813578850'
events WPA authentication 1380653443.857790533 MR18 events type=wpa_auth radio='0' vap='1' aid='1813578850'
events WPA deauthentication 1380653443.857790533 MR18 events type=wpa_deauth radio='0' vap='1' aid='1813578850'
events WPA failed authentication attempt 1380653443.857790533 MR18 events type=disassociation radio='0' vap='3' channel='6' reason='2' instigator='3' duration='6.003000' auth_neg_failed='1' is_wpa='1' aid='113930199'
events 802.1X failed authentication attempt 1380653443.857790533 MR18 events type=8021x_eap_failure radio='0' vap='3' identity='woody8@gmail.com' aid='1701992265'
events 802.1X deauthentication 1380653443.857790533 MR18 events type=8021x_deauth radio='0' vap='3' identity='woody8@gmail.com' aid='1701992265'
events 802.1X authentication 1380653443.857790533 MR18 events type=8021x_eap_success radio='0' vap='3' identity='woody8@gmail.com' aid='1849280097'
events splash authentication 1380653443.857790533 MR18 events type=splash_auth ip='10.87.195.250 [More Information] ' duration='3600' vap='2' download='5242880bps' upload='5242880bps'
events wireless packet flood detected 1380653443.857790533 MR18 events type=device_packet_flood packet='deauth' device='00:18:0A:27:43:80' radio='0' state='start' alarm_id='4' dos_count='25' inter_arrival='10000'
events wireless packet flood end 1380653443.857790533 MR18 events type=device_packet_flood radio='0' state='end' alarm_id='4' reason='left_channel'
events rogue SSID detected* airmarshal_events type= rogue_ssid_detected ssid='' bssid='02:18:5A:AE:56:00' src='02:18:5A:AE:56:00' dst='02:18:6A:13:09:D0' wired_mac='00:18:0A:AE:56:00' vlan_id='0' channel='157' rssi='21' fc_type='0' fc_subtype='5'
  SSID spoofing detected* airmarshal_events type= ssid_spoofing_detected ssid='t-nebojsa_devel1' vap='2' bssid='02:18:5A:14:04:E2' src='02:18:5A:14:04:E2' dst='FF:FF:FF:FF:FF:FF' channel='48' rssi='39' fc_type='0' fc_subtype='8'
urls** HTTP GET requests Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down1380653443.857790533 MR18 urls src=192.168.111.253:50215 dst=204.154.94.81:443 mac=F8:1E:DF:E2:EF:F1 request: UNKNOWN https://www.evernote.com/...
flows flow allowed by Layer 3 firewall 1380653443.857790533 MR18 flows allow src=192.168.111.253 dst=192.168.111.5 mac=F8:1E:DF:E2:EF:F1 protocol=tcp sport=54252 dport=80
flows flow denied by Layer 3 firewall 1380653443.857790533 MR18 flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80

 

* rogue_ssid_detected and ssid_spoofing_detected have been removed in MR29+  firmware

 

**urls request: UNKNOWN is likely because the URL is encrypted 
 
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
    Stage
    Final
  2. Tags
    1. syslog