Meraki Event Log
The event log can be used to track a number of events occurring across a network. This article describes how to navigate the event log and filter out extraneous information for troubleshooting and monitoring purposes.
Learn more with these free online training courses on the Meraki Learning Hub:
Monitoring, Reporting, and Alerts
Using the Event Log
Each Meraki network has its own event log, accessible under Network-wide > Monitor > Event log. In Combined Dashboard Networks, click the drop-down menu at the top of the page and select the event log for one of the following options:
- for access points to display information about all MR wireless access points in the network.
- for security appliances to display information about the MX security appliance in this network.
- for switches to display information about all MS switches in the network.
- for endpoints to display information about all managed SM clients in the network.
- for cameras to display information about all MV cameras in the network.
- for sensors to display information about all MT sensors in the network.
Note: If a device is offline (and remains powered on), it will continue to gather the information that populates the event log and store it locally. Once the device comes back online, this information will then be uploaded to dashboard with the events keeping their original timestamps.
Filtering the Event Log
While the event log provides a thorough timeline of events on the network, it is usually unnecessary to view all events across all endpoints. The following options are available to filter down the event log as needed:
Filtering by Client or Cisco Meraki Device
Filtering events to a specific connected end-user device can help troubleshoot individual connectivity issues, including IP addressing and network authentication. Entering the MAC address, hostname, or custom name in the Client field will display only events affecting that client, excluding other client information and device events.
An additional, product-specific field can be used to filter events relevant to a specific device in the network. This can be helpful when troubleshooting a particular Meraki device on the network, or a client connected directly to a specific device.
Filtering by Date and Time
The event log shows all events for clients and endpoints, starting with the most recent event by default. This time frame can be adjusted using the Before field, displaying only events that happened at or before the specified time.
Event log timestamps use the time zone set for the network itself. More information on changing this time zone can be found in Changing the Dashboard Network Time Zone.
Filtering by Event Type
Even when filtering by a single device or client, there can be quite a few events. Selecting specific events to display or excluding specific event types can significantly decrease the amount of data to sort through.
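The client, Before, and event type filters described above, applied to a few constructed events. This is an added example, not Meraki code; the record field names, the device name and the exact-match rule for the Client field are assumptions. It also collects "Events dropped" entries in the time window separately, because a client or event type filter hides them and they mark points where the timeline is incomplete.

```python
from datetime import datetime

# Constructed sample records; field names are assumptions, not an export format.
def _ev(time, etype, mac="", hostname="", name=""):
    return {"time": time, "type": etype, "client_mac": mac,
            "hostname": hostname, "custom_name": name, "device": "AP-Lobby"}

EVENTS = [
    _ev("2024-05-01T09:00:00", "DHCP", "aa:bb:cc:00:00:01", "lab-laptop"),
    _ev("2024-05-01T09:05:00", "Events dropped"),
    _ev("2024-05-01T09:10:00", "802.1X", "aa:bb:cc:00:00:01", "lab-laptop"),
    _ev("2024-05-01T09:12:00", "DHCP", "aa:bb:cc:00:00:02", "", "Front desk printer"),
    _ev("2024-05-01T09:30:00", "DHCP", "aa:bb:cc:00:00:01", "lab-laptop"),
]

def matches_client(event, client):
    """Client field: MAC address, hostname, or custom name (exact, case-insensitive)."""
    needle = client.strip().lower()
    fields = (event["client_mac"], event["hostname"], event["custom_name"])
    return any(needle == f.lower() for f in fields if f)

def filter_events(events, client=None, before=None, include=None, exclude=None):
    """Return (shown, gaps): the filtered view, newest first, plus every
    'Events dropped' entry at or before `before`, whatever the other filters."""
    cutoff = datetime.fromisoformat(before) if before else None
    shown, gaps = [], []
    newest_first = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]),
                          reverse=True)
    for ev in newest_first:
        if cutoff and datetime.fromisoformat(ev["time"]) > cutoff:
            continue  # Before: only events at or before the given time
        if ev["type"] == "Events dropped":
            gaps.append(ev)  # keep visible even if the filters below hide it
        if client and not matches_client(ev, client):
            continue
        if include and ev["type"] not in include:
            continue
        if exclude and ev["type"] in exclude:
            continue
        shown.append(ev)
    return shown, gaps

if __name__ == "__main__":
    shown, gaps = filter_events(EVENTS, client="lab-laptop",
                                before="2024-05-01T09:10:00", exclude={"DHCP"})
    for ev in shown:
        print(ev["time"], ev["type"], ev["client_mac"])
    for ev in gaps:
        print("log incomplete around", ev["time"], "on", ev["device"])
```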
Each Meraki product offers a different variety of reported events, as listed below:
MX Security Appliance
The following types of events will be reported by MX security appliances:
- AnyConnect VPN: AnyConnect VPN connectivity events
- Appliance status: Primary uplink events
- Auth: Splash page authentication
- BGP: BGP notification and session events
- Cellular: 3G/4G connectivity (see 3G/4G Cellular Failover with USB Modems)
- Client VPN: Client VPN connectivity events
- Client Status: Client connectivity
- DHCP: DHCP leases and related errors (see Event type DHCP Lease Filling Up My Event log)
- DHCPv6: DHCPv6 Neighbour Advertisements (NA) and Prefix Delegation (PD) events
- Events dropped: Too many events were generated too quickly, creating an Events Dropped event
- Filtering: Content filtering and Security center URL blocks (see Content Filtering Powered By Cisco Talos)
- IP conflict: Detected IP conflicts on the network (see Troubleshooting DHCP Conflicts)
- Intrusion Detection: IDS (Advanced Security license only)
- Meraki VPN: AutoVPN connectivity events
- Network-Based Application Recognition (see Next-gen Traffic Analytics - Network-Based Application Recognition (NBAR) Integration)
- Non-Meraki / Client VPN: Non-Meraki and Client VPN connectivity events
- Non-Meraki VPN: Non-Meraki VPN negotiation
- OSPF: Events related to OSPF routing
- RADIUS: Events related to RADIUS and MAB authentication
- Radius Proxy: Radius Proxy and Radius Server status events
- Route tracking: Route connection change and network test events
- Status: Port carrier changes
- VRRP: Warm spare transition
- Web caching: Web cache events
MR Access Points
The following types of events will be reported by MR access points:
- 802.11: Wireless associations and disassociations
- 802.1X: RADIUS authentication and deauthentications
- AI-Enhanced RPM (see AI-Powered Auto RF: Use AI to Bring Meraki Towards RF Excellence)
- Adaptive Policy: Adaptive Policy state changes
- Air Marshal: Packet floods and wireless security events
- AutoRF: Channel scans and TX power changes
- Auth: Splash page authentication
- DFS: Events related to Dynamic Frequency Selection (DFS)
- DHCP: DHCP leases and related errors (see Event type DHCP Lease Filling Up My Event log)
- Events dropped: Too many events were generated too quickly, creating an Events Dropped event
- IP conflict: Detected IP conflicts on the network (see Troubleshooting DHCP Conflicts)
- L3 roaming: Events related to Wireless Layer 3 Roaming
- Meraki VPN: VPN tunnel drops and connectivity events
- Network-Based Application Recognition (see Next-gen Traffic Analytics - Network-Based Application Recognition (NBAR) Integration)
- RADIUS: Events related to RADIUS and MAB authentication
- Radius Proxy: Radius Proxy and Radius Server status events
- Status: Port carrier changes
- WPA: WPA authentication and deauthentications
To learn more about specific events visit: Common wireless event log messages.
Systems Manager endpoints
The following types of events will be reported by managed Systems Manager endpoints:
- Command Line: Command line request events
- Endpoint management: Detailed information about changes in endpoint management
- Live Tools: Recent usage of live tools on client endpoints
- Remote Desktop: Usage of the remote desktop tool
MS Switch
The following types of events will be reported by MS switches:
- 802.1X: Events related to client authentication and de-authentication
- Access Control: Events related to client network access
- DHCP: DHCP-related errors (when DHCP is enabled on a L3 interface)
- Events dropped: Too many events were generated too quickly, creating an Events Dropped event
- Multicast: Events related to multicast
- OSPF: Events related to OSPF protocol
- RADIUS: Events specific to RADIUS protocol
- Spanning Tree: Events related to the Spanning Tree Protocol
- Status: Port carrier changes
- Switch port: Events related to switchports
- Switch status: Events related to power supply and temperature
- VRRP: Events related to Warm Spare
To learn more, visit MS event log Entries and Definitions.
MV Cameras
The following types of events will be reported by MV cameras:
- Camera: Events related to camera components
- DHCP: DHCP leases and related errors (see Event type DHCP Lease Filling Up My Event log)
- Events dropped: Too many events were generated too quickly, creating an Events Dropped event
- Status: Port carrier changes
MT Sensors
The types of events reported by MT sensors are described in detail in Common Sensor (MT) Event Log Messages.