Meraki Logs "Unknown"

We have our Merakis set up with an API connection and Syslog. However, with our syslog logs, for asset and user, it shows “unknown”. Rapid7 support mentioned that there was a similar issue in Cisco ASA logs, but there was a setting to hide/show that data in the ASA config.

Does anyone know if there are similar settings in Meraki?

Hi,

We would need to see the example logs to comment further; I’d recommend a support case so that we can do a deeper dive.

David

I had a support case open. The logs are flowing. It seems like a Meraki setting that is “hiding” that information.

I was hoping to find someone else who deals with Meraki and could shed some light.
In the below image, you can see the asset and user show as unknown. Apparently, there is a toggle in the Cisco ASA config for syslog export that “hides” that data. There doesn’t seem to be a toggle in Meraki.

image

In order for us to attribute data to an asset, the default behavior is to take the source_ip and perform a lookup for the IP to map it to a hostname.

If the IP (which you have appropriately obfuscated with some fine art work) is a private IP, we would expect to be able to find a corresponding hostname that it maps to.

You can look for IP->Hostname mappings either via log search, under the Host to IP Observations log set, by searching for any given IP, or alternatively you can use the top search box within IDR to search for an IP and pull up the IP history page.

If an IP is a public IP however we will not map it to a hostname, this is expected behavior.

There is another element to the Cisco Meraki event source attribution method however, and that is where we will extract user and asset information right out of the source log itself.

In order to manipulate IDR's default behavior of IP->Hostname->Primary User logic, you can switch the attribution setting as shown here:

Screenshot 2024-06-07 at 4.37.00 PM

By switching to Use Event Log if possible, the default behavior is to check for a User/Asset in the source_data, and then try to find that user in IDR (they must exist and be tied to a domain) as well as attempt to find the asset, which also must exist in IDR.

Now what I’m not sure of is whether or not this information is available in your logs; if you drop the support case number in here I can take a look.
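The attribution logic described in the reply above, written out as an added example so the two paths can be compared side by side. This is illustrative code, not Rapid7's implementation and not anything posted in this thread: the Meraki-style `flows` lines, the Host to IP Observations table and the known user/asset sets are all constructed here, and the way the "Use Event Log if possible" path falls back to the IP lookup for whatever the log does not supply is this example's assumption about what "if possible" means.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines in the key=value style Meraki MX "flows" syslog uses.
# Addresses, MACs and the trailing user field are invented for this example.
SAMPLE_LOGS: List[str] = [
    "1717790000.123 MX68 flows src=10.10.4.21 dst=142.250.72.14 mac=AA:BB:CC:DD:EE:01 "
    "protocol=tcp sport=51522 dport=443 pattern: allow all",
    "1717790001.456 MX68 flows src=8.8.8.8 dst=10.10.4.200 mac=AA:BB:CC:DD:EE:02 "
    "protocol=tcp sport=40001 dport=443 pattern: deny all",
    "1717790002.789 MX68 flows src=10.10.4.99 dst=198.51.100.9 mac=AA:BB:CC:DD:EE:03 "
    "protocol=udp sport=53001 dport=53 pattern: allow all user=jdoe@corp.example",
]

# Constructed stand-in for the Host to IP Observations log set:
# source IP -> (hostname, primary user).
HOST_TO_IP: Dict[str, Tuple[str, str]] = {
    "10.10.4.21": ("WS-FINANCE-07", "asmith@corp.example"),
}
# Constructed stand-ins for the domain users and assets IDR already knows about.
KNOWN_USERS = {"asmith@corp.example", "jdoe@corp.example"}
KNOWN_ASSETS = {"WS-FINANCE-07", "WS-ENG-12"}

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Attribution:
    source_ip: str
    asset: str
    user: str
    reason: str


def parse_fields(line: str) -> Dict[str, str]:
    """Extract key=value pairs from a Meraki-style syslog line."""
    return dict(_KV.findall(line))


def lookup_by_ip(src: str) -> Attribution:
    """Default path described in the thread: source IP -> hostname -> primary user.
    Public source IPs are deliberately left unmapped. Assumes IPv4 (Meraki "urls"
    lines carry src=ip:port, so the port is stripped first)."""
    ip = ipaddress.ip_address(src.split(":")[0])
    if not ip.is_private:
        return Attribution(src, "unknown", "unknown", "public source IP is not mapped to a host")
    hit = HOST_TO_IP.get(str(ip))
    if hit is None:
        return Attribution(src, "unknown", "unknown", "no Host to IP observation for this private IP")
    hostname, primary_user = hit
    return Attribution(src, hostname, primary_user, "IP -> hostname -> primary user")


def attribute(line: str, use_event_log: bool = False) -> Attribution:
    """Attribute one line. With use_event_log=True (the 'Use Event Log if possible'
    setting), user/asset values present in the log are used when IDR already knows
    them; anything the log does not supply falls back to the IP lookup (this
    example's assumption about the 'if possible' part)."""
    fields = parse_fields(line)
    src = fields.get("src")
    if src is None:
        return Attribution("", "unknown", "unknown", "line carries no src field")
    result = lookup_by_ip(src)
    if not use_event_log:
        return result
    reasons = []
    if fields.get("user") in KNOWN_USERS:
        result.user = fields["user"]
        reasons.append("user taken from event log")
    if fields.get("asset") in KNOWN_ASSETS:
        result.asset = fields["asset"]
        reasons.append("asset taken from event log")
    if reasons:
        result.reason = "; ".join(reasons) + "; remainder from IP lookup"
    return result


if __name__ == "__main__":
    for setting in (False, True):
        print(f"use_event_log={setting}")
        for line in SAMPLE_LOGS:
            a = attribute(line, use_event_log=setting)
            print(f"  {a.source_ip:<14} asset={a.asset:<14} user={a.user:<20} ({a.reason})")
```

Running it shows the three outcomes the thread is circling: a private source IP with an observation attributes cleanly, a public source IP stays unknown/unknown by design, and a private IP with no observation only gets a user once the event-log path is on and the log itself carries a user IDR recognises.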

Thanks for the info. I believe all of the logs I see are Public IPs, which means the unknown/unknown makes sense. For some reason, we don’t seem to see the same logs for internal sources (a PC browsing out to the internet, for example).

I will check on my attribution source setting.

Not sure if this is related to what you’re seeing. My understanding is that by default, ASA logs show the account name in failed logins as “****”. The actual account name is displayed for successful logins. There is a setting in ASA config that does control whether failed logins show the account name attempted.

From Cisco docs

113005

Error Message %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = ip_addr : user = *****: user IP = ip_addr

Explanation The AAA authentication on a connection has failed. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.
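As an added example (not from the Cisco documentation and not posted by anyone in this thread), a small parser for the %ASA-6-113005 format quoted above. It separates a username that is genuinely absent from one the ASA has masked with asterisks, which is the distinction an analyst needs before deciding whether `no logging hide username` is the knob to turn. The sample lines are constructed; server address, account names and client IPs are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the %ASA-6-113005 format quoted above.
# "*****" is what the ASA emits in place of an invalid/unknown username by default.
SAMPLE_ASA: List[str] = [
    "%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: "
    "server = 10.0.0.5 : user = *****: user IP = 192.0.2.10",
    "%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: "
    "server = 10.0.0.5 : user = jdoe: user IP = 192.0.2.11",
    "%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: "
    "server = 10.0.0.5 : user = *****: user IP = 192.0.2.10",
    "some unrelated syslog line that the parser must ignore",
]

_REJECT = re.compile(
    r"%ASA-\d-113005: AAA user authentication Rejected: reason = (?P<reason>.+?): "
    r"server = (?P<server>\S+) : user = (?P<user>[^:]+): user IP = (?P<ip>\S+)"
)


@dataclass
class AaaReject:
    reason: str
    server: str
    user: str
    user_ip: str

    @property
    def username_hidden(self) -> bool:
        """True when the ASA masked the account name rather than logging it."""
        return re.fullmatch(r"\*+", self.user) is not None


def parse_113005(line: str) -> Optional[AaaReject]:
    """Parse one 113005 message; returns None for anything else."""
    m = _REJECT.search(line)
    if m is None:
        return None
    return AaaReject(m["reason"], m["server"], m["user"], m["ip"])


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count rejected logins and how many arrived with the username masked, so
    'user unknown because hidden' can be told apart from 'user never logged'."""
    rejects = [r for r in map(parse_113005, lines) if r is not None]
    hidden = [r for r in rejects if r.username_hidden]
    per_ip: Dict[str, int] = {}
    for r in hidden:
        per_ip[r.user_ip] = per_ip.get(r.user_ip, 0) + 1
    return {
        "rejected": len(rejects),
        "username_hidden": len(hidden),
        "hidden_by_source_ip": per_ip,
        "visible_users": sorted({r.user for r in rejects if not r.username_hidden}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ASA).items():
        print(f"{key}: {value}")
```

One caveat before reaching for `no logging hide username`: the strings people type into the username field of a failed login are not infrequently their passwords, so unmasking attempted usernames means those values start landing in syslog and in whatever SIEM ingests it. Keying detections off the source IP counts, as the summary above does, keeps the masked default and still surfaces the brute-force pattern.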