Cisco Meraki sample event messages
Use these sample event messages as a way of verifying a successful integration with QRadar.
Important: Because of line wrapping in this document, paste the sample message into a text editor and remove any carriage-return or line-feed characters before you send it to QRadar. A wrapped sample is no longer a single syslog record and will not parse as shown in the tables.
Cisco Meraki sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows an outbound flow event that the appliance logs when an IP session is initiated. It also shows the source and destination IP addresses, the protocol and port numbers, and the firewall rule (the pattern value) that the flow matched.
<134>1 1515988859.626061236 appliance flows src=172.21.84.107 dst=10.52.193.137 mac=5C:E0:C5:22:85:E4 protocol=tcp sport=50395 dport=443 pattern: allow all
QRadar field name | Highlighted payload field name |
---|---|
Event ID | In QRadar, the value is always Outbound Flow Allow for these types of events. |
Source IP | src |
Destination IP | dst |
Destination MAC | mac |
Protocol | protocol |
Source Port | sport |
Destination Port | dport |
Sample 2: The following sample event message shows an IDS security event (security_event ids_alerted) that is generated when traffic matches a signature for an array out-of-bounds write attempt. It also shows the source and destination IP addresses with their port numbers appended after a colon, the destination MAC address, and the protocol value.
<134>1 1516050030.553653046 cisco.meraki.test security_event ids_alerted signature=1:45148:1 priority=1 timestamp=1516050030.236281 dhost=00:00:5E:00:53:BC direction=ingress protocol=tcp/ip src=10.79.70.235:80 dst=172.21.47.130:61019 message: BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt
QRadar field name | Highlighted payload field name |
---|---|
Event ID | signature |
Source IP | src |
Source Port | The port number after the colon in the src value (80 in this sample). |
Destination IP | dst |
Destination Port | The port number after the colon in the dst value (61019 in this sample). |
Destination MAC | dhost |
Protocol | protocol |
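The two tables above describe how the flows and security_event formats are split into QRadar fields, including the different handling of ports (separate sport/dport keys in Sample 1, ip:port in the src and dst values in Sample 2). The following parser, added here as an example rather than code from IBM or Cisco, applies those mappings to both samples. The sample lines are copied from this page; the header layout, the key=value tokenisation and the detection of the trailing free text (the first "word: " token) are assumptions drawn from the two samples, and the fallback Event ID for flow patterns other than allow is not a documented QRadar mapping.

```python
"""Parse the two Cisco Meraki syslog formats on this page and map them to the
QRadar field names in the tables.  Added example, not IBM or Cisco code."""
import re

# Constructed sample messages, copied from Sample 1 and Sample 2 on this page.
FLOW_SAMPLE = (
    "<134>1 1515988859.626061236 appliance flows src=172.21.84.107 "
    "dst=10.52.193.137 mac=5C:E0:C5:22:85:E4 protocol=tcp sport=50395 "
    "dport=443 pattern: allow all"
)
IDS_SAMPLE = (
    "<134>1 1516050030.553653046 cisco.meraki.test security_event ids_alerted "
    "signature=1:45148:1 priority=1 timestamp=1516050030.236281 "
    "dhost=00:00:5E:00:53:BC direction=ingress protocol=tcp/ip "
    "src=10.79.70.235:80 dst=172.21.47.130:61019 "
    "message: BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt"
)

# Header layout assumed from the samples: <PRI>VERSION EPOCH.FRACTION HOST TYPE rest
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\d+\.\d+) (?P<host>\S+) (?P<type>\S+) (?P<rest>.*)$"
)
# Trailing free text such as "pattern: allow all" or "message: BROWSER-IE ...".
# key=value tokens never contain a colon followed by a space, so the first
# "word: " marks where the free text begins (assumption based on the samples).
TAIL_RE = re.compile(r"(?:^|\s)(\w+): (.*)$")


def parse_meraki(line: str) -> dict:
    """Split a Meraki syslog line into header, key=value fields and trailing text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Meraki syslog message: %r" % line[:40])
    rest = m.group("rest")
    tail_key = tail = None
    t = TAIL_RE.search(rest)
    if t:
        tail_key, tail = t.group(1), t.group(2)
        rest = rest[: t.start()]
    tokens = rest.split()
    return {
        "pri": int(m.group("pri")),
        "timestamp": float(m.group("ts")),
        "host": m.group("host"),
        "type": m.group("type"),
        # Bare words among the key=value pairs, e.g. the "ids_alerted" subtype.
        "subtype": [tok for tok in tokens if "=" not in tok],
        "fields": dict(tok.split("=", 1) for tok in tokens if "=" in tok),
        "tail_key": tail_key,
        "tail": tail,
    }


def split_ip_port(value: str) -> tuple:
    """'10.79.70.235:80' -> ('10.79.70.235', 80); a bare IPv4 address -> (ip, None)."""
    ip, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return value, None


def to_qradar(line: str) -> dict:
    """Map one message onto the QRadar field names used in the tables above."""
    p = parse_meraki(line)
    f = p["fields"]
    if p["type"] == "flows":
        pattern = p["tail"] or ""
        # The page documents only the allow case; any other pattern text is
        # passed through as-is (assumption, not a documented QRadar mapping).
        event_id = "Outbound Flow Allow" if pattern.startswith("allow") else "flows " + pattern
        return {
            "Event ID": event_id,
            "Source IP": f.get("src"),
            "Destination IP": f.get("dst"),
            "Destination MAC": f.get("mac"),
            "Protocol": f.get("protocol"),
            "Source Port": int(f["sport"]) if "sport" in f else None,
            "Destination Port": int(f["dport"]) if "dport" in f else None,
        }
    if p["type"] == "security_event":
        # Ports live after the colon inside src and dst, not in separate keys.
        src_ip, src_port = split_ip_port(f.get("src", ""))
        dst_ip, dst_port = split_ip_port(f.get("dst", ""))
        return {
            "Event ID": f.get("signature"),
            "Source IP": src_ip,
            "Source Port": src_port,
            "Destination IP": dst_ip,
            "Destination Port": dst_port,
            "Destination MAC": f.get("dhost"),
            "Protocol": f.get("protocol"),
            "Message": p["tail"],
        }
    raise ValueError("unhandled Meraki event type: %s" % p["type"])


if __name__ == "__main__":
    for sample in (FLOW_SAMPLE, IDS_SAMPLE):
        for name, value in to_qradar(sample).items():
            print("%-16s %s" % (name, value))
        print()
```

Running the script prints the QRadar field names beside the values extracted from each sample, which is a quick way to check a captured message against the tables before loading it into a log source. If a message you captured raises the "not a Meraki syslog message" error, the most common cause is the line wrapping that the note at the top of this page warns about.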