Meraki

Community

Getting Logs in SIEM

Solved
Johnfnadez
Building a reputation
‎Mar 20 2020 1:04 PM
‎Mar 20 2020 1:04 PM

Getting Logs in SIEM

Hi, Merakineers!

 

I have a huge Meraki Network, wich works in Hub and Spoke through MPLS so, I installed a SIEM to receive logs from all remote sites. But now I´m getting those logs tagged as "URL-UNKNOWN" but I don´t know what it means specifically.

Johnfnadez_0-1584734037958.png

Every IP that u see there is one Gateway from one of the VLANs that I´ve got in the spoke MX.

 

At the beggining I thought that It was URLs that maybe wouldn´t be categorized by the web filtering, but I´ve go those specific logs where I see a "play.google.com" which is a google URL I found it out in Talos and is recognize as google´s URLs.

 
 
 
 
 
 
 
 

meraki siemp.JPG

 

 

Best regards,

 

 

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
0 Kudos
1 Accepted Solution
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 21 2020 12:27 PM
‎Mar 21 2020 12:27 PM

It is indeed the URLs syslog event type. For unencrypted traffic, the syslog URLs request field will show if it is an HTTP GET vs an HTTP POST, etc. Nowadays pretty much all traffic is encrypted so the MX isn't able to determine what type of request it is so the syslog will report the request as UNKOWN.

 

If you were to browse to neverssl.com you'll be able to see the difference. 

View solution in original post

1 Reply 1
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 21 2020 12:27 PM
‎Mar 21 2020 12:27 PM

It is indeed the URLs syslog event type. For unencrypted traffic, the syslog URLs request field will show if it is an HTTP GET vs an HTTP POST, etc. Nowadays pretty much all traffic is encrypted so the MX isn't able to determine what type of request it is so the syslog will report the request as UNKOWN.

 

If you were to browse to neverssl.com you'll be able to see the difference. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.