Syslog Event Types & Log Samples

Overview

This article lists all currently supported syslog event types, with a description of each event and a sample log message for each.

Meraki MX Security Appliance

Event type Description Sample Syslog Message
events vpn connectivity change 1380664922.583851938 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false'
events vpn connectivity change 1380664994.337961231 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='true'
events uplink connectivity change Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down
events uplink connectivity change Dec 6 08:45:24 192.168.1.1 1 1386337535.803931423 MX84 events failover to wan1
events uplink connectivity change Dec 6 08:43:43 192.168.1.1 1 1386337435.108107268 MX84 events failover to cellular
events uplink connectivity change Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up
urls HTTP GET requests 1374543213.342705328 MX84 urls src=192.168.1.186:63735 dst=69.58.188.40:80 mac=58:1F:AA:CE:61:F2 request: GET http://bit.ly/17zJTvJ
flows IP session initiated 1374543986.038687615 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all
events client dhcp lease 1374542655.786233493 MX84 events dhcp lease of ip 192.168.1.156 from server mac 00:18:0A:11:30:84 for client mac 00:22:15:3E:CC:16 from router 192.168.1.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4
ids-alerts ids signature matched 1377449842.514782056 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=74.125.140.132:80
ids-alerts ids signature matched 1377448470.246576346 MX84 ids-alerts signature=119:15:1 priority=2 timestamp=1377448470.238064 direction=egress protocol=tcp/ip src=192.168.111.254:56240
security_event ids_alerted ids signature matched signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection
security_event security_filtering_file_scanned Malicious file blocked by amp url=http://www.eicar.org/download/eicar.com.txt src=192.168.128.2:53150 dst=188.40.238.250:80 mac=98:5A:EB:E1:81:2F name='EICAR:EICAR_Test_file_not_a_virus-tpd' sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f disposition=malicious action=block
security_event security_filtering_disposition_change File issued retrospective malicious disposition name=EICAR:EICAR_Test_file_not_a_virus-tpd sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f disposition=malicious action=allow

Meraki MS Switches  

Event type Description Sample Syslog Message
events port status change 1379967288.409907239 MS220_8P events port 3 status changed from 100fdx to down
events port status change 1379967295.290863061 MS220_8P events port 3 status changed from down to 100fdx
events spanning-tree guard state change 1379970281.577982192 MS220_8P events Port 5 received an STP BPDU from 78:FE:3D:90:7F:43 so the port was blocked
events spanning-tree interface role change 1379970476.195563376 MS220_8P events Port 5 changed STP role from designated to alternate
events spanning-tree interface role change 1379969188.448725072 MS220_8P events Port 1 changed STP role from root to designated
events spanning-tree interface role change 1379970772.184373058 MS220_8P events Port 5 changed STP role from alternate to root
events spanning-tree interface role change 1379972501.619445657 MS220_8P events Port 1 changed STP role from disabled to designated
events blocked DHCP server response 1379988354.643337272 MS220_8P events Blocked DHCP server response from 78:FE:3D:90:7F:48 on VLAN 100
events 802.1x deauthentication 1380653487.002002676 MS220_8P events type=8021x_deauth port='' identity='employee@ikarem.com'
events 802.1x eap success 1380653443.857790533 MS220_8P events type=8021x_eap_success port='' identity='employee@ikarem.com'
events 802.1x authentication 1380653443.868786613 MS220_8P events type=8021x_auth port='3' identity='employee@ikarem.com'
events 802.1x client deauthentication 1380653486.994003049 MS220_8P events type=8021x_client_deauth port='3' identity='employee@ikarem.com'
events Virtual router collision 1379988354.643337272 MS320_24P events Received VRRP packet for virtual router 1 from a.a.a.a on VLAN x with incompatible configuration
events VRRP transition 1379988354.643337272 MS320_24P events changed from VRRP backup to VRRP master because it has not received packets from the master
events Power supply inserted 1379988354.643337272 MS320_24P events Power supply xxxx-xxxx-xxxx was inserted into slot 1
events OSPF future enhancement
events DHCP Server future enhancement

Meraki MR Access Points  

Event type Event description Sample Syslog Message
events 802.11 association 1380653443.857790533 MR18 events type=association radio='0' vap='1' channel='6' rssi='23' aid='1813578850'
events 802.11 disassociation 1380653443.857790533 MR18 events type=disassociation radio='0' vap='1' channel='6' reason='8' instigator='2' duration='11979.728000' auth_neg_dur='1380653443.85779053324000' last_auth_ago='5.074000' is_wpa='1' full_conn='1.597000' ip_resp='1.597000' ip_src='192.168.111.251' arp_resp='1.265000' arp_src='192.168.111.251' dns_server='192.168.111.1' dns_req_rtt='1380653443.85779053335000' dns_resp='1.316000' aid='1813578850'
events WPA authentication 1380653443.857790533 MR18 events type=wpa_auth radio='0' vap='1' aid='1813578850'
events WPA deauthentication 1380653443.857790533 MR18 events type=wpa_deauth radio='0' vap='1' aid='1813578850'
events WPA failed authentication attempt 1380653443.857790533 MR18 events type=disassociation radio='0' vap='3' channel='6' reason='2' instigator='3' duration='6.003000' auth_neg_failed='1' is_wpa='1' aid='113930199'
events 802.1x failed authentication attempt 1380653443.857790533 MR18 events type=8021x_eap_failure radio='0' vap='3' identity='woody8@gmail.com' aid='1701992265'
events 802.1x deauthentication 1380653443.857790533 MR18 events type=8021x_deauth radio='0' vap='3' identity='woody8@gmail.com' aid='1701992265'
events 802.1x authentication 1380653443.857790533 MR18 events type=8021x_eap_success radio='0' vap='3' identity='woody8@gmail.com' aid='1849280097'
events splash authentication 1380653443.857790533 MR18 events type=splash_auth ip='10.87.195.250' duration='3600' vap='2' download='5242880bps' upload='5242880bps'
events wireless packet flood detected 1380653443.857790533 MR18 events type=device_packet_flood packet='deauth' device='00:18:0A:27:43:80' radio='0' state='start' alarm_id='4' dos_count='25' inter_arrival='10000'
events wireless packet flood end 1380653443.857790533 MR18 events type=device_packet_flood radio='0' state='end' alarm_id='4' reason='left_channel'
events rogue SSID detected airmarshal_events type= rogue_ssid_detected ssid='' bssid='02:18:5A:AE:56:00' src='02:18:5A:AE:56:00' dst='02:18:6A:13:09:D0' wired_mac='00:18:0A:AE:56:00' vlan_id='0' channel='157' rssi='21' fc_type='0' fc_subtype='5'
  SSID spoofing detected airmarshal_events type= ssid_spoofing_detected ssid='t-nebojsa_devel1' vap='2' bssid='02:18:5A:14:04:E2' src='02:18:5A:14:04:E2' dst='FF:FF:FF:FF:FF:FF' channel='48' rssi='39' fc_type='0' fc_subtype='8'
urls HTTP GET requests 1380653443.857790533 MR18 urls src=192.168.111.253:50215 dst=204.154.94.81:443 mac=F8:1E:DF:E2:EF:F1 request: UNKNOWN https://www.evernote.com/...
flows flow allowed by Layer 3 firewall 1380653443.857790533 MR18 flows allow src=192.168.111.253 dst=192.168.111.5 mac=F8:1E:DF:E2:EF:F1 protocol=tcp sport=54252 dport=80
flows flow denied by Layer 3 firewall 1380653443.857790533 MR18 flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80
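
The line shapes in the tables above can be parsed mechanically. The following is an added example, not Meraki code: it handles the optional relay prefix seen in the uplink samples, quoted and bare key=value pairs, and the free-text request:/pattern:/message: trailers, then flags a few security-relevant events. The function names and the choice of which events to flag are assumptions made for this example.

```python
import re

# Optional relay header ("Dec 6 08:46:12 192.168.1.1 1 "), then epoch, device, class, body.
LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (?P<relay>\S+) \d+ )?"
    r"(?P<epoch>\d+\.\d+) (?P<device>\S+) (?P<cls>\S+) (?P<body>.*)$")
# Free-text trailers: their content (URLs, rule names) must not be read as key=value.
TRAILER_RE = re.compile(r"\s*\b(request|pattern|message): ")
# A value is 'single-quoted' (may be empty or hold spaces) or a bare token.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S*))")

def parse(line):
    """Return a dict for one Meraki syslog line, or None if the shape is unknown."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    head, *trailer = TRAILER_RE.split(m["body"], maxsplit=1)
    fields = {k: q or b for k, q, b in KV_RE.findall(head)}
    if trailer:
        fields[trailer[0]] = trailer[1]
    return {"ts": float(m["epoch"]), "relay": m["relay"], "device": m["device"],
            "cls": m["cls"], "fields": fields, "text": " ".join(KV_RE.sub("", head).split())}

def triage(lines):
    """Yield (device, reason) pairs for security-relevant event kinds listed on this page."""
    for ev in filter(None, map(parse, lines)):
        f, reason = ev["fields"], None
        if ev["cls"] == "flows" and ev["text"] == "deny":
            reason = f"L3 firewall deny {f['src']} -> {f['dst']}:{f['dport']}"
        elif ev["cls"] == "ids-alerts":
            reason = f"IDS signature {f['signature']} priority {f['priority']}"
        elif f.get("type") == "8021x_eap_failure":
            reason = f"802.1X failure for {f['identity']}"
        elif f.get("type") == "device_packet_flood" and f.get("state") == "start":
            reason = f"{f['packet']} flood from {f['device']}"
        if reason:
            yield ev["device"], reason

# Sample lines copied from the tables on this page.
SAMPLES = [
    "Dec 6 08:45:24 192.168.1.1 1 1386337535.803931423 MX84 events failover to wan1",
    "1377448470.246576346 MX84 ids-alerts signature=119:15:1 priority=2 timestamp=1377448470.238064 direction=egress protocol=tcp/ip src=192.168.111.254:56240",
    "1380653443.857790533 MR18 flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80",
    "1380653443.857790533 MR18 events type=8021x_eap_failure radio='0' vap='3' identity='woody8@gmail.com' aid='1701992265'",
    "1380653443.857790533 MR18 events type=device_packet_flood packet='deauth' device='00:18:0A:27:43:80' radio='0' state='start' alarm_id='4' dos_count='25' inter_arrival='10000'",
]

if __name__ == "__main__":
    print(*triage(SAMPLES), sep="\n")
```

The security_event and airmarshal_events samples on this page are shown without the leading timestamp and device name, so parse() returns None for them exactly as printed here.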
Last modified
09:33, 26 Apr 2017

Article ID

ID: 5747