Skip to main content

Cisco Meraki

thumbnail icon

The Cisco Meraki app provides a single-pane-of-glass for monitoring and troubleshooting network security, end-to-end performance, switch port management, and device management of your Cisco Meraki wireless infrastructure management platform.

Log Types

The Cisco Meraki App is dependent on the following logs:

  • flows
  • urls
  • events
  • security_events
  • air_marshal_events

For more information on log types, see these topics in Cisco Meraki documentation:

Sample Log Messages

security_event log sample
<134>1 1563249630.774247467 remote_DC1_appliance security_event ids_alerted signature=1:41944:2 priority=1 timestamp=TIMESTAMPEPOCH.647461
dhost=74:86:7A:D9:D7:AA direction=ingress protocol=tcp/ip src= dst= message: BROWSER-IE
Microsoft Edge scripting engine security bypass css attempt

2019-07-16 04:00:30 Local0.Info 1 1561036264.565291108 australia_sydney security_event security_filtering_file_scanned
P2=402&amp;P3=2&amp;P4=Zj3qRDR5CbzfWlP8BuYg%2bUlTon0XE774ExEEquiawstLAJ2%2bQm3OoWLcwz3HBt8qp3r3buVRVoT5BQcUCcNlXw%3d%3d src=
dst= mac=20:1C:BC:B2:0F:20 name='' sha256=093e4fc218b27e58e2fede7b8cb044d48d66995ae785bbc186a9df5ae08ca4f7
disposition=malicious action=block
urls log sample
<134>1 1563249910.949155659 AP_firstfloor urls src= dst= mac=13:0C:AC:B2:0F:11
agent='Spotify/110600113 OSX/0 (MacBookAir7,2)' request: GET

<134>1 1563261310.844330465 india_headoffice1 urls src= dst= mac=13:0C:AC:B2:0F:11
request: UNKNOWN
flows log sample
<134>1 1563246850.048798929 Head_office_Appliance flows allow src= dst= mac=E8:E8:B7:35:4A:C2
protocol=udp sport=33787 dport=35

<134>1 1563262452.817053535 Reception_Bad_ flows deny src= dst= mac=19:EC:C5:7A:B2:2D protocol=tcp
sport=61822 dport=8080
air_marshal log sample
<134>1 1563262058.692773343 AP_secondfloor airmarshal_events type=ssid_spoofing_detected ssid='Sumo-Guest' vap='10'
bssid='9A:69:66:99:66:9A' src='64:92:49:26:99:64' dst='00:00:48:04:00:1F' channel='36' rssi='32' fc_type='0' fc_subtype='8'

<134>1 1563260410.364008273 AP_firstfloor airmarshal_events type=rogue_ssid_detected ssid='Library' bssid='B2:60:F1:71:81:FD'
src='B2:60:F1:71:81:FD' dst='FF:FF:FF:FF:FF:FF' wired_mac='90:60:FF:71:81:FD' vlan_id='0' channel='2' rssi='55' fc_type='0'
event log sample
2019-07-16 05:00:10 Local0.Info 1 1563253210.652261509 Head_office_Appliance events type=vpn_registry_change
vpn_type='site-to-site' connectivity='true'

2019-07-16 05:00:10 Local0.Info 1 1563253210.025977456 main_branch_appliance events type=vpn_connectivity_change
vpn_type='site-to-site' peer_contact='' peer_ident='449bc8f664862e11df74de400df333df' connectivity='false'

2019-07-16 07:27:37 Local0.Info 1 1563262057.262021278 HQ_Switch1 events Power supply Q2AS-95FW-7776 was inserted
into slot 1

Sample Query

The following query is from the High Severity Threats panel of the Cisco Meraki - Overview dashboard.

_sourceCategory=*meraki* "security_event"
| parse regex " (?<name>\S*?)\s(?<msg_type>urls|flows|events|ids-alerts|security_event|airmarshal_events?)\s+"
| parse "security_event * signature=* priority=* timestamp=* dhost=* direction=* protocol=* src=*:* dst=*:* message: *" as type, signature, priority, timestamp, dhost, direction, protocol, src_ip, src_port, dest_ip, dest_port, msg nodrop
| parse "security_event * name='*' sha256=* disposition=* action=*" as type, name2, sha256, disposition, action nodrop
| parse "security_event * url=* src=*:* dst=*:* mac=* name='*' sha256=* disposition=* action=*" as type, url, src_ip, src_port, dest_ip, dest_port, mac, name2, sha256, disposition, action nodrop
| where priority="1" and msg_type="security_event"
| if (priority="1", "High", if (priority="2", "medium", if (priority="3", "Low", if (priority="4", "Very Low", priority)))) as priority
| count as threatCount

Collecting logs for the Cisco Meraki App

This section provides instructions for configuring log collection for the Cisco Meraki App, as well as log and query examples.

Configure Log Collection

In this task, you configure an installed collector with a Syslog source that acts as a Syslog server to receive logs and events from Cisco Meraki.

  1. Configure an Installed Collector.
  2. Add a Syslog source to the installed collector:
    • Name. (Required) A name is required.
    • Description. Optional.
    • Protocol. UDP or TCP. Choose the protocol you configured in Cisco Meraki for Syslog forwarding.
    • Port. Port number. Choose the port you configured in Cisco Meraki for Syslog forwarding.
    • Source Category. (Required) Provide a realistic Source Category for this data type. For example: prod/ciscomeraki. For more information, see Best Practices.
  3. Click Save.

Configure Log Forwarding

On the Cisco Meraki platform, you can configure the export of syslog events under Network-wide > General > Reporting > Syslog Servers. The following task is an example of how to configure forwarding for syslog IDS/IPS events.

To configure forwarding for syslog IDS/IPS events, do the following:

  1. On the Cisco Meraki platform, navigate to Network-wide > General > Reporting.
  2. Add the IDS alerts syslog role.

For more information on configuring log forwarding from Cisco Meraki, see the Cisco Meraki documentation.

Installing the Cisco Meraki App

This section provides instructions on how to install the Cisco Meraki App. The App's pre-configured searches and dashboards provide easy-to-access visual insights into your data.

To install the app:

  1. From the Sumo Logic nav, select App Catalog.
  2. Search for and select your app.
  3. (Optional) To see a preview of the dashboards included with the app, scroll down to the Dashboard Preview section.
  4. If the app has multiple versions - not all apps do - select the version of the service you're using, then click Add Integration.
  5. On the next configuration page, under Select Data Source for your App, complete the following fields:
    • Data Source. Select one of the following options:
      • Choose Source Category and select a source category from the list; or
      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example, _sourceCategory=MyCategory.
    • Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
    • All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
  6. Click Next.
  7. You'll see a dialog confirming that the app was installed successfully.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.

Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't be available immediately, but within 20 minutes, you'll see full graphs and maps.

View Cisco Meraki Dashboards

Each dashboard has a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.

You can use filters to drill down and examine the data on a granular level.

Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.


The Cisco Meraki - Overview dashboard provides a high-level view of high severity threats, port scan attacks, HTTP requests, and Air Marshall events in your environment. Panels also display overviews for message types and trends, as well as device names and trends.

Use this dashboard to:

  • Monitor the number high severity threats and scan attacks.
  • Identify trends across messages and appliance names.
Cisco Meraki dashboards

Security Threats

The Cisco Meraki - Security Threats dashboard provides a high-level view of events, event priority and type, security threat event trends, and hosts that have been impacted. The panels also show detailed information on IDS signatures that were matched, malicious files that were blocked, and files that were deemed malicious after further investigation.

Use this dashboard to:

  • Determine the hosts or systems impacted by various threats and intrusion activities that have been identified and resolved.
  • Monitor files that are blocked by anti-malware protection from various sources and destinations, to understand where the threats are coming from.
  • Identify the most prevalent threats that could have a high impact on your environment.
  • Monitor when, where, and what actions are taken with configured policies in your environment and optimize your policies accordingly.
Cisco Meraki dashboards

URLs Overview

The Cisco Meraki - URLs Overview dashboard provides a high-level view of requests made, destination locations, and threats by URLs. The panels also display information on mac addresses, methods, OS platforms used, the top requested URLs and destination ports. Graphs for outlier trends and comparison graphs provide insights that enable proactive troubleshooting and root cause resolution.

Use this dashboard to:

  • Monitor the load on your network by looking at the rate of all requests and rates based on specific types of HTTP methods. This allows you to anticipate resource needs and allocate them accordingly.
  • Monitor request trends and outliers in requests.
  • Identify how you are acquiring devices with MAC Address outliers or client IP addresses, and compare this data with positive and negative outliers.
  • Monitor destination IP address outliers to check for sudden changes in user behavior and destination location traffic.
  • Monitor destinations visited by users of your network.
Cisco Meraki dashboards

URLs Content and Client Platform

The Cisco Meraki - URLs Content and Client Platform dashboard provides information on the top media types that are requested in your environment, trends on media types that are requested over time, and the top requested URLs. The panels also display information on the OS platforms used, the browsers used on the various operating systems, and the platform versions used.

Use this dashboard to:

  • Monitor operating systems (OS) for desktop and mobile devices, as well as browser information available in user agents, to understand how IT should best support your users.
  • Determine which sites, pages, and file types are the most popular with your users, and develop policies accordingly.
Cisco Meraki dashboards

URLs Threat Intel

The Cisco Meraki - URLs Threat Intel dashboard provides a high-level view of the number of threats, their geographic locations, threats by actor, the malicious confidence, and details on IP destinations. The panels also show the number of threats by URL, their geographic locations, threats by actor, the malicious confidence, and the details on the URL threats.

Use this dashboard to:

  • Identify and remediate potential threats and indicators of compromises to your network.
  • Monitor whether users are accessing web pages or destination IP addresses that have been tagged as malicious by Sumo Logic Threat Intel.
Cisco Meraki dashboards

Flows Overview

The Cisco Meraki - Flows Overview dashboard provides a high-level view of traffic sources, destinations, protocols, and traffic action time comparisons. The panels also show detailed information on the top source IPs, destination ports, and possible port scan attacks for both allowed and denied traffic.

Use this dashboard to:

  • Monitor network traffic that’s been allowed and rejected.
  • Monitor the activity of TCP and UDP ports to identify possible port scan attacks, both horizontal and vertical.
Cisco Meraki dashboards

Flows Allowed and Rejected

The Cisco Meraki - Flows Allowed and Rejected dashboard provides a high-level view of the geographic locations and outlier graphs for allowed and denied traffic. Panels also show allowed and denied insecure traffic by protocol, allowed insecure traffic by application and host, allowed network activity on unencrypted ports, and a graph of flows by pattern.

Use this dashboard to:

  • Detect sudden changes in allowed or rejected traffic in the outlier panels.
  • Identify systems and hosts involved in insecure data transit over insecure connections and port protocols like ftp, telnet, http, and rlogin. You can also identify successful and rejected network connections for insecure connections.
Cisco Meraki dashboards


The Cisco Meraki - Events dashboard provides a high-level view of events for MR access points, MX security appliances, and MS switches. Panels display information on the number of events, event types, Air Marshall events, connectivity, client DHCP events, and trend graphs of events over time.

Use this dashboard to:

  • Monitor access point activities, such as association, disassociation, authentication, deauthentication, packet floods, rogue SSIDs, and SSID Spoofing activities. For details, see the following Cisco Meraki documentation.
  • Monitor VPN connectivity and uplink connectivity changes, as well as client DHCP lease details with MX Security Appliances. For details, see Cisco Meraki documentation.
  • Monitor switching events from Meraki MS Switches. For details, see Cisco Meraki documentation.
Cisco Meraki dashboards
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.