Syslog Event Types and Log Samples

Overview

This article lists all currently supported syslog event types, with a description of each event and a sample log message for each.

Meraki MX Security Appliance

| Event type | Description | Sample Syslog Message |
| --- | --- | --- |
| events | vpn connectivity change | 1380664922.583851938 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false' |
| events | vpn connectivity change | 1380664994.337961231 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='true' |
| events | uplink connectivity change | Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down |
| events | uplink connectivity change | Dec 6 08:45:24 192.168.1.1 1 1386337535.803931423 MX84 events failover to wan1 |
| events | uplink connectivity change | Dec 6 08:43:43 192.168.1.1 1 1386337435.108107268 MX84 events failover to cellular |
| events | uplink connectivity change | Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up |
| urls | HTTP GET requests | 1374543213.342705328 MX84 urls src=192.168.1.186:63735 dst=69.58.188.40:80 mac=58:1F:AA:CE:61:F2 request: GET http://bit.ly/17zJTvJ |
| flows | IP session initiated | 1374543986.038687615 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all |
| events | client dhcp lease | 1374542655.786233493 MX84 events dhcp lease of ip 192.168.1.156 from server mac 00:18:0A:11:30:84 for client mac 00:22:15:3E:CC:16 from router 192.168.1.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4 |
| ids-alerts | ids signature matched | 1377449842.514782056 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=74.125.140.132:80 |
| ids-alerts | ids signature matched | 1377448470.246576346 MX84 ids-alerts signature=119:15:1 priority=2 timestamp=1377448470.238064 direction=egress protocol=tcp/ip src=192.168.111.254:56240 |
| security_event ids_alerted | ids signature matched | signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection |
| security_event security_filtering_file_scanned | Malicious file blocked by amp | url=http://www.eicar.org/download/eicar.com.txt src=192.168.128.2:53150 dst=188.40.238.250:80 mac=98:5A:EB:E1:81:2F name='EICAR:EICAR_Test_file_not_a_virus-tpd' sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f disposition=malicious action=block |
| security_event security_filtering_disposition_change | File issued retrospective malicious disposition | name=EICAR:EICAR_Test_file_not_a_virus-tpd sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f disposition=malicious action=allow |

Meraki MS Switches  

| Event type | Description | Sample Syslog Message |
| --- | --- | --- |
| events | port status change | 1379967288.409907239 MS220_8P events port 3 status changed from 100fdx to down |
| events | port status change | 1379967295.290863061 MS220_8P events port 3 status changed from down to 100fdx |
| events | spanning-tree guard state change | 1379970281.577982192 MS220_8P events Port 5 received an STP BPDU from 78:FE:3D:90:7F:43 so the port was blocked |
| events | spanning-tree interface role change | 1379970476.195563376 MS220_8P events Port 5 changed STP role from designated to alternate |
| events | spanning-tree interface role change | 1379969188.448725072 MS220_8P events Port 1 changed STP role from root to designated |
| events | spanning-tree interface role change | 1379970772.184373058 MS220_8P events Port 5 changed STP role from alternate to root |
| events | spanning-tree interface role change | 1379972501.619445657 MS220_8P events Port 1 changed STP role from disabled to designated |
| events | blocked DHCP server response | 1379988354.643337272 MS220_8P events Blocked DHCP server response from 78:FE:3D:90:7F:48 on VLAN 100 |
| events | 802.1x deauthentication | 1380653487.002002676 MS220_8P events type=8021x_deauth port='' identity='employee@ikarem.com' |
| events | 802.1x eap success | 1380653443.857790533 MS220_8P events type=8021x_eap_success port='' identity='employee@ikarem.com' |
| events | 802.1x authentication | 1380653443.868786613 MS220_8P events type=8021x_auth port='3' identity='employee@ikarem.com' |
| events | 802.1x client deauthentication | 1380653486.994003049 MS220_8P events type=8021x_client_deauth port='3' identity='employee@ikarem.com' |
| events | Virtual router collision | 1379988354.643337272 MS320_24P events Received VRRP packet for virtual router 1 from a.a.a.a on VLAN x with incompatible configuration |
| events | VRRP transition | 1379988354.643337272 MS320_24P events changed from VRRP backup to VRRP master because it has not received packets from the master |
| events | Power supply inserted | 1379988354.643337272 MS320_24P events Power supply xxxx-xxxx-xxxx was inserted into slot 1 |
| events | OSPF | future enhancement |
| events | DHCP Server | future enhancement |

Meraki MR Access Points  

| Event type | Event description | Sample Syslog Message |
| --- | --- | --- |
| events | 802.11 association | 1380653443.857790533 MR18 events type=association radio='0' vap='1' channel='6' rssi='23' aid='1813578850' |
| events | 802.11 disassociation | 1380653443.857790533 MR18 events type=disassociation radio='0' vap='1' channel='6' reason='8' instigator='2' duration='11979.728000' auth_neg_dur='1380653443.85779053324000' last_auth_ago='5.074000' is_wpa='1' full_conn='1.597000' ip_resp='1.597000' ip_src='192.168.111.251' arp_resp='1.265000' arp_src='192.168.111.251' dns_server='192.168.111.1' dns_req_rtt='1380653443.85779053335000' dns_resp='1.316000' aid='1813578850' |
| events | WPA authentication | 1380653443.857790533 MR18 events type=wpa_auth radio='0' vap='1' aid='1813578850' |
| events | WPA deauthentication | 1380653443.857790533 MR18 events type=wpa_deauth radio='0' vap='1' aid='1813578850' |
| events | WPA failed authentication attempt | 1380653443.857790533 MR18 events type=disassociation radio='0' vap='3' channel='6' reason='2' instigator='3' duration='6.003000' auth_neg_failed='1' is_wpa='1' aid='113930199' |
| events | 802.1x failed authentication attempt | 1380653443.857790533 MR18 events type=8021x_eap_failure radio='0' vap='3' identity='woody8@gmail.com' aid='1701992265' |
| events | 802.1x deauthentication | 1380653443.857790533 MR18 events type=8021x_deauth radio='0' vap='3' identity='woody8@gmail.com' aid='1701992265' |
| events | 802.1x authentication | 1380653443.857790533 MR18 events type=8021x_eap_success radio='0' vap='3' identity='woody8@gmail.com' aid='1849280097' |
| events | splash authentication | 1380653443.857790533 MR18 events type=splash_auth ip='10.87.195.250' duration='3600' vap='2' download='5242880bps' upload='5242880bps' |
| events | wireless packet flood detected | 1380653443.857790533 MR18 events type=device_packet_flood packet='deauth' device='00:18:0A:27:43:80' radio='0' state='start' alarm_id='4' dos_count='25' inter_arrival='10000' |
| events | wireless packet flood end | 1380653443.857790533 MR18 events type=device_packet_flood radio='0' state='end' alarm_id='4' reason='left_channel' |
| events | rogue SSID detected | airmarshal_events type= rogue_ssid_detected ssid='' bssid='02:18:5A:AE:56:00' src='02:18:5A:AE:56:00' dst='02:18:6A:13:09:D0' wired_mac='00:18:0A:AE:56:00' vlan_id='0' channel='157' rssi='21' fc_type='0' fc_subtype='5' |
|  | SSID spoofing detected | airmarshal_events type= ssid_spoofing_detected ssid='t-nebojsa_devel1' vap='2' bssid='02:18:5A:14:04:E2' src='02:18:5A:14:04:E2' dst='FF:FF:FF:FF:FF:FF' channel='48' rssi='39' fc_type='0' fc_subtype='8' |
| urls | HTTP GET requests | 1380653443.857790533 MR18 urls src=192.168.111.253:50215 dst=204.154.94.81:443 mac=F8:1E:DF:E2:EF:F1 request: UNKNOWN https://www.evernote.com/... |
| flows | flow allowed by Layer 3 firewall | 1380653443.857790533 MR18 flows allow src=192.168.111.253 dst=192.168.111.5 mac=F8:1E:DF:E2:EF:F1 protocol=tcp sport=54252 dport=80 |
| flows | flow denied by Layer 3 firewall | 1380653443.857790533 MR18 flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80 |
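
The samples above share one layout: an optional relay prefix, an epoch timestamp, the device name, the event category, then a body of key=value pairs and/or free text. The following parser for that layout is an added example, not Meraki code; the function names and the last sample line are constructed for illustration, and the regular expressions are inferred only from the samples on this page.

```python
import re
from datetime import datetime, timezone

# Optional relay prefix ("Dec 6 08:46:12 192.168.1.1 1"), then epoch, device, category, body.
LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \d+ )?"
    r"(?P<epoch>\d+)\.\d+ (?P<device>\S+) (?P<category>[\w-]+) (?P<body>.*)$"
)
# Free-text trailers; their content (URL, rule name) is not key=value data.
TRAILER_RE = re.compile(r"(?:^| )(request|pattern|message): (.*)$")
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")  # key='quoted' or key=bare

def parse_meraki(line):
    """Return a dict for one Meraki syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    body, trailer = m["body"], None
    t = TRAILER_RE.search(body)
    if t:
        # Cut the trailer off first so a URL query string is never read as a log field.
        body, trailer = body[:t.start()], (t.group(1), t.group(2))
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(body)}
    return {
        "time": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
        "device": m["device"],
        "category": m["category"],
        "fields": fields,
        "trailer": trailer,
        "text": KV_RE.sub("", body).strip(),  # leftover free text, e.g. "deny"
    }

def vpn_down_peers(lines):
    # Peers whose site-to-site tunnel was reported down (connectivity='false').
    events = [e for e in map(parse_meraki, lines) if e]
    return [e["fields"].get("peer_contact") for e in events
            if e["fields"].get("type") == "vpn_connectivity_change"
            and e["fields"].get("connectivity") == "false"]

SAMPLES = [
    # Copied from the tables above.
    "1380664922.583851938 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false'",
    "Dec 6 08:45:24 192.168.1.1 1 1386337535.803931423 MX84 events failover to wan1",
    "1380653487.002002676 MS220_8P events type=8021x_deauth port='' identity='employee@ikarem.com'",
    "1380653443.857790533 MR18 flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80",
    # Constructed for this example: a URL whose query string looks like a field.
    "1374543213.342705328 MX84 urls src=192.168.1.186:63735 dst=192.0.2.10:80 mac=58:1F:AA:CE:61:F2 request: GET http://example.test/a?action=block",
]
```

Lines that lack the timestamp and device name, such as the airmarshal_events samples, return `None` and should be routed to a separate handler rather than silently dropped.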
Article ID

ID: 5747
