Meraki

Community

Meraki Syslog data for SSID events? Going into Sumologic

ds2020
Here to help
‎Sep 11 2020 9:13 AM
‎Sep 11 2020 9:13 AM

Meraki Syslog data for SSID events? Going into Sumologic

Hi All;

In Sumologic I setup the below app to get Meraki events 

ds2020_0-1599839016515.png

 

In Meraki the syslog server includes the below roles which populate the above dashboards. So far so good!

ds2020_1-1599839080532.png

I need to create a new dashboard that shows on which SSID a client connected given a specific network or AP, or even better provide network and AP information as part of the results from the query. 

 

The use case that I have is to identify corporate client devices that are unintentionally connecting to the guest wireless ssid or non-corporate client devices connecting to the prod wireless network. To achieve this I need to know under what event type these client device connections are logged under.

 

Based on feedback from Sumologic support the event types that are going into Sumologic are shown below

 

The results came back with:

  • 8021x_auth
  • 8021x_client_deauth
  • 8021x_deauth 
  • 8021x_eap_failure
  • 8021x_eap_success 
  • 8021x_radius_timeout 
  • association
  • association_reject 
  • cli_set_rad_okc_parms 
  • cli_set_rad_parms
  • cli_set_rad_pmksa_parms
  • dfs_event
  • disassociation
  • multiple_dhcp_servers_detected
  • radius_mac_auth
  • route_connection_change
  • vpn_connectivity_change
  • wpa_auth
  • wpa_deauth

 

None of those event types though have info on AP, SSID's, or hostnames. 

However, running an API call against https://api.meraki.com/api/v1/organizations/{orgID}/networks/{netID}/clients/?perPage=1000&ssidNumbe...

gets me the below info which is what i need to create my dashboard. Is the below information captured in the syslog? and if it is under what event type can i find it?

2020-09-11_12-07-45.jpg

 

Thanks in advance!

0 Kudos
3 Replies 3
ds2020
Here to help
‎Sep 18 2020 11:09 AM
‎Sep 18 2020 11:09 AM

Any help on this please?

0 Kudos
In response to ds2020
cmr
Kind of a big deal
Kind of a big deal
‎Sep 18 2020 11:59 PM
‎Sep 18 2020 11:59 PM

@ds2020 you seem to have everything enabled and if the SIEM solution isn't seeing the events you want, they aren't being sent.  The best option is to get Sumologic to integrate with the Meraki API, but if that isn't an option then you can create a python script to regularly pull the data down via the API and put it in a file.  The SIEM solution should then be able to parse the files.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
ds2020
Here to help
‎Sep 21 2020 6:25 AM
‎Sep 21 2020 6:25 AM

@cmr thanks for the reply! What you suggested is actually one of the first things we tried. However, this would require maintaining scripts, file integrity etc and in my opinion would require to much effort to support long term vs Meraki adding the SSID event info to the syslog data. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.