Getting Logs in SIEM
Hi, Merakineers!
I have a huge Meraki network, which works in hub and spoke through MPLS, so I installed a SIEM to receive logs from all remote sites. But now I'm getting those logs tagged as "URL-UNKNOWN" and I don't know what it means specifically.
Every IP that you see there is a gateway from one of the VLANs that I've got in the spoke MX.
At the beginning I thought that it was URLs that maybe wouldn't be categorized by the web filtering, but I've got those specific logs where I see "play.google.com", which is a Google URL; I looked it up in Talos and it is recognized as one of Google's URLs.
Best regards,
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
It is indeed the URLs syslog event type. For unencrypted traffic, the syslog URLs request field will show if it is an HTTP GET vs an HTTP POST, etc. Nowadays pretty much all traffic is encrypted, so the MX isn't able to determine what type of request it is, and the syslog will report the request as UNKNOWN.
If you were to browse to neverssl.com you'll be able to see the difference.
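An added example, not part of the thread and not Meraki's code: a SIEM-side parser that separates `urls` events whose HTTP method was visible from those logged as UNKNOWN, so the latter are not mistaken for uncategorized URLs. The sample lines are constructed, and the field layout (`src=`, `dst=`, `mac=`, `request:`) is an assumption to adjust to what your MX actually sends.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (documentation-range IPs, made-up device names).
# The field layout is an assumption for this sketch; adjust the regex to your feed.
SAMPLE_LOGS = """\
1700000000.100 MX_spoke1 urls src=192.0.2.10:51000 dst=198.51.100.7:80 mac=00:11:22:33:44:55 request: GET http://neverssl.com/
1700000001.200 MX_spoke1 urls src=192.0.2.10:51001 dst=198.51.100.20:443 mac=00:11:22:33:44:55 request: UNKNOWN https://play.google.com/...
1700000002.300 MX_spoke2 urls src=192.0.2.77:40000 dst=198.51.100.9:80 mac=00:11:22:33:44:66 request: POST http://example.com/form
1700000003.400 MX_spoke2 flows src=192.0.2.77 dst=198.51.100.9 protocol=tcp sport=40001 dport=443 pattern: allow all
"""

URLS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+urls\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+(?:mac=(?P<mac>\S+)\s+)?"
    r"request:\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_urls_event(line):
    """Return a dict for a 'urls' event, or None for any other event type."""
    m = URLS_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["host"] = urlsplit(ev["url"]).hostname
    # UNKNOWN = the MX could not read the HTTP method (encrypted session);
    # it says nothing about the content-filtering category of the URL.
    ev["method_visible"] = ev["method"] != "UNKNOWN"
    return ev

def summarize(text):
    """Count events per request method and list hosts logged with UNKNOWN."""
    methods = Counter()
    opaque_hosts = set()
    for line in text.splitlines():
        ev = parse_urls_event(line)
        if ev is None:
            continue
        methods[ev["method"]] += 1
        if not ev["method_visible"]:
            opaque_hosts.add(ev["host"])
    return dict(methods), sorted(opaque_hosts)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```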
