{"id":260,"date":"2025-02-28T17:12:00","date_gmt":"2025-02-28T16:12:00","guid":{"rendered":"https:\/\/digitalmaterial.ch\/blog\/?p=260"},"modified":"2025-02-28T17:33:02","modified_gmt":"2025-02-28T16:33:02","slug":"cisco-meraki-collect-snmp-trap-data-with-azure-monitor-agent","status":"publish","type":"post","link":"https:\/\/digitalmaterial.ch\/blog\/cisco-meraki-collect-snmp-trap-data-with-azure-monitor-agent\/","title":{"rendered":"Cisco Meraki &#8211; Collect SNMP trap data with Azure Monitor Agent"},"content":{"rendered":"\n<p>Since it\u2019s recommended to have a break-glass admin account in case of SAML authentication failures or other account issues, a security concern arises. Break-glass admin logins might go unnoticed, as there\u2019s no native feature to send login alerts for specific accounts. The solution isn\u2019t straightforward, as Cisco Meraki only allows login attempts to be sent via SNMP traps.<\/p>\n\n\n\n<p>To process the SNMP messages, we&#8217;re using a few services:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Red Hat Enterprise Linux VM<\/li>\n\n\n\n<li>Azure Monitor Agent<\/li>\n\n\n\n<li>Log Analytics Workspace<\/li>\n<\/ul>\n\n\n\n<p>The message and processing flow are visualized below. Whenever a Meraki Dashboard user (non-SAML) logs in, an SNMP message is sent to the RHEL VM. Since the Azure Monitor Agent cannot natively process SNMP, we configure the trap service to write the message to syslog. The Monitor Agent reads the syslog at intervals and sends the data to a Log Analytics workspace. 
A KQL query is then used to check for logins within a specified timeframe.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"346\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/snmptrapflowchart.drawio-2-1024x346.png\" alt=\"\" class=\"wp-image-477\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/snmptrapflowchart.drawio-2-1024x346.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/snmptrapflowchart.drawio-2-300x101.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/snmptrapflowchart.drawio-2-768x259.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/snmptrapflowchart.drawio-2.png 1042w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">VM to capture SNMP<\/h1>\n\n\n\n<p>Go to your Azure Portal and create a new VM, preferably RHEL 8 or 9, as this guide has only been tested on these operating systems. The VM size &#171;B1ms&#187; should be sufficient. Once the VM is created, SSH into it. 
Use a private IP and access it through another host or VPN; publicly exposing port 22 on your VM is not recommended.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">PowerShell<\/span><span role=\"button\" tabindex=\"0\" data-code=\"ssh -i path-to-private-key azureuser@ipaddress\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D4D4D4\">ssh -i path-to-private-key azureuser<\/span><span style=\"color: #9CDCFE\">@ipaddress<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Once connected, install the SNMP agent and enable the snmptrapd service:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" 
data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"#Install the SNMP agent\nsudo yum install net-snmp\n#Enable the service\nsudo systemctl enable snmptrapd\n#Allow UDP 162 through the firewall\nsudo firewall-cmd --zone=public --add-port=162\/udp\nsudo firewall-cmd --zone=public --add-port=162\/udp --permanent\nsudo firewall-cmd --reload\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6A9955\">#Install the SNMP agent<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">yum<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">install<\/span><span 
style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">net-snmp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">#Enable the service<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">systemctl<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">enable<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">snmptrapd<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">#Allow UDP 162 through the firewall<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">firewall-cmd<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">--zone=public<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">--add-port=162\/udp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">firewall-cmd<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">--zone=public<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">--add-port=162\/udp<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">--permanent<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">firewall-cmd<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">--reload<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Download the Meraki MIB file for SNMP, copy it to the appropriate location, set the correct permissions, and adjust the SELinux context of the file. 
Without these steps, the <strong>snmptrapd<\/strong> service will not be able to read the file.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"curl -L -o MERAKI-CLOUD-CONTROLLER-MIB.txt https:\/\/n201.meraki.com\/resources\/MERAKI-CLOUD-CONTROLLER-MIB.mib\nsudo mv MERAKI-CLOUD-CONTROLLER-MIB.txt \/usr\/share\/snmp\/mibs\/\nsudo chmod 644 \/usr\/share\/snmp\/mibs\/MERAKI-CLOUD-CONTROLLER-MIB.txt\nsudo semanage fcontext -a -t snmpd_var_lib_t &quot;\/usr\/share\/snmp\/mibs\/MERAKI-CLOUD-CONTROLLER-MIB.txt&quot;\nsudo restorecon -v \/usr\/share\/snmp\/mibs\/MERAKI-CLOUD-CONTROLLER-MIB.txt\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span 
class=\"line\"><span style=\"color: #DCDCAA\">curl<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-L<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-o<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">MERAKI-CLOUD-CONTROLLER-MIB.txt<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">https:\/\/n201.meraki.com\/resources\/MERAKI-CLOUD-CONTROLLER-MIB.mib<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">mv<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">MERAKI-CLOUD-CONTROLLER-MIB.txt<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">\/usr\/share\/snmp\/mibs\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">chmod<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">644<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">\/usr\/share\/snmp\/mibs\/MERAKI-CLOUD-CONTROLLER-MIB.txt<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">semanage<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">fcontext<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-a<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-t<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">snmpd_var_lib_t<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">&quot;\/usr\/share\/snmp\/mibs\/MERAKI-CLOUD-CONTROLLER-MIB.txt&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: 
#CE9178\">restorecon<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-v<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">\/usr\/share\/snmp\/mibs\/MERAKI-CLOUD-CONTROLLER-MIB.txt<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>To gather the engine ID from the Meraki cloud, use the following command.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"sudo snmptrapd -f -Dlcd_set_enginetime -Lo\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: 
#CE9178\">snmptrapd<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-f<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-Dlcd_set_enginetime<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-Lo<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Try sending a test message to your trap from the Meraki dashboard. Navigate to <strong>Organization -&gt; Login Attempts -&gt; Configure<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"738\" height=\"609\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-15.png\" alt=\"\" class=\"wp-image-607\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-15.png 738w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-15-300x248.png 300w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/figure>\n\n\n\n<p>Back on your RHEL VM you should see the ID displayed after you send the test trap:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"NET-SNMP version 5.8\nlcd_set_enginetime: engineID 00 00 00 00 00 00 00 00 00 00 00 : boots=0, time=0\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" 
fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #DCDCAA\">NET-SNMP<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">version<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">5.8<\/span><\/span>\n<span class=\"line\"><span style=\"color: #DCDCAA\">lcd_set_enginetime:<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">engineID<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">00<\/span><span style=\"color: #D4D4D4\"> <\/span><span 
style=\"color: #CE9178\">:<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">boots=<\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #CE9178\">,<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">time=<\/span><span style=\"color: #B5CEA8\">0<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Afterwards, change the snmptrapd.conf file to only allow SNMPv3 and create the user needed to connect.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"sudo vi \/etc\/snmp\/snmptrapd.conf\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span 
style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">vi<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">\/etc\/snmp\/snmptrapd.conf<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>To add content in the file, press &#171;i&#187; to insert. To exit and save, press &#171;ESC&#187; and type &#171;:wq&#187;. Change the engine ID, username and password. Be sure to add &#171;0x&#187; in front of the engine ID. Details regarding SNMP trap: <a href=\"https:\/\/net-snmp.sourceforge.io\/wiki\/index.php\/TUT:snmptrap_SNMPv3\">TUT:snmptrap SNMPv3 &#8211; Net-SNMP Wiki<\/a><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"\t# authCommunity log,execute,net public\n\tcreateUser -e 0xYOURENGINEIDHERE yourusernamehere SHA yourpasswordhere AES yourpasswordhere\n\tauthUser log,execute,net merakisnmp\n\t# Format logs for collection by Azure Monitor Agent\n\tformat2 snmptrap %a %B %y\/%m\/%l %h:%j:%k %N %W %q %T %W %v \\n\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 
00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D4D4D4\">\t<\/span><span style=\"color: #6A9955\"># authCommunity log,execute,net public<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">\t<\/span><span style=\"color: #DCDCAA\">createUser<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-e<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #CE9178\">xYOURENGINEIDHERE<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">yourusernamehere<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">SHA<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">yourpasswordhere<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">AES<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">yourpasswordhere<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">\t<\/span><span style=\"color: #DCDCAA\">authUser<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">log,execute,net<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">merakisnmp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">\t<\/span><span style=\"color: #6A9955\"># Format logs for collection by Azure Monitor Agent<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">\t<\/span><span style=\"color: #DCDCAA\">format2<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: 
#CE9178\">snmptrap<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%a<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%B<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%y\/%m\/%l<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%h:%j:%k<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%N<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%W<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%q<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%T<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%W<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">%v<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #D7BA7D\">\\n<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Configure the trap receiver to send data to syslog.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"sudo vi \/etc\/sysconfig\/snmptrapd\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" 
stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">vi<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">\/etc\/sysconfig\/snmptrapd<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Change the file&#8217;s content to.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"OPTIONS=&quot;-m ALL -Ls2&quot;\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 
012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #9CDCFE\">OPTIONS<\/span><span style=\"color: #D4D4D4\">=<\/span><span style=\"color: #CE9178\">&quot;-m ALL -Ls2&quot;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>To check the service&#8217;s status, use systemctl; if needed, you can also use start, stop or restart instead of status.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"sudo systemctl status snmptrapd\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 
00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #DCDCAA\">sudo<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">systemctl<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">status<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">snmptrapd<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>To show a live tail of the snmptrapd log messages, use the following command.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" data-code=\"journalctl -u snmptrapd -f\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 
2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #DCDCAA\">journalctl<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-u<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">snmptrapd<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">-f<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>If the service is running and you see no errors, you can start with the Azure Monitor Agent and Log Analytics workspace deployment.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Configure automatic alerting<\/h1>\n\n\n\n<p>There are two ways to receive alerts: use Azure Monitor Alerts or, if you already have Azure Sentinel, add an analytics rule. Either way, the same KQL query can be used to filter for sign-ins. If you don&#8217;t have Azure Sentinel, proceed with <strong>Processing and collecting logs through LAW<\/strong>; otherwise, skip it and head to the next section, <strong>Processing and collecting logs through Sentinel<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Processing and collecting logs through LAW<\/h2>\n\n\n\n<p>Deploy a new Log Analytics workspace and create a new data collection rule.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"820\" height=\"461\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-15.png\" alt=\"\" class=\"wp-image-482\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-15.png 820w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-15-300x169.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-15-768x432.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><\/figure>\n\n\n\n<p>Add the VM as a resource.<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"320\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-16-1024x320.png\" alt=\"\" class=\"wp-image-483\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-16-1024x320.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-16-300x94.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-16-768x240.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-16.png 1422w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Create a new endpoint.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"560\" height=\"384\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-17.png\" alt=\"\" class=\"wp-image-484\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-17.png 560w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-17-300x206.png 300w\" sizes=\"auto, (max-width: 560px) 100vw, 560px\" \/><\/figure>\n\n\n\n<p>Click on the endpoint checkbox and then select the endpoint you&#8217;ve just created.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"312\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-18-1024x312.png\" alt=\"\" class=\"wp-image-485\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-18-1024x312.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-18-300x92.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-18-768x234.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-18.png 1459w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n\n\n\n<p>On the next tab, add the data source and deselect everything except <strong>LOG_LOCAL2<\/strong>, with the minimum log level set to <strong>LOG_INFO<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"475\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-19-1024x475.png\" alt=\"\" class=\"wp-image-486\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-19-1024x475.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-19-300x139.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-19-768x356.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/01\/image-19.png 1339w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Create the data collection rule and test the collection by logging in with a non-SAML Meraki Dashboard user. 
There should be a new syslog entry in the logs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"503\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-29-1024x503.png\" alt=\"\" class=\"wp-image-629\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-29-1024x503.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-29-300x147.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-29-768x377.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-29-1536x754.png 1536w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-29.png 2023w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Head over to the <strong>alerts<\/strong> tab in your Log Analytics workspace to create a custom alert.<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"459\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-26-1024x459.png\" alt=\"\" class=\"wp-image-626\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-26-1024x459.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-26-300x134.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-26-768x344.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-26.png 1469w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Use the <strong>custom log search<\/strong> with the following query to look up logins and parse the SNMP message. Make sure to modify the query to match your <strong><a>USERNAME@DOMAIN.TLD<\/a><\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">Kusto<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Syslog\n| where SyslogMessage has &quot;USERNAME@DOMAIN.TLD&quot;\n| parse  SyslogMessage with *\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::organizationName.0 = STRING: &quot; organizationName: string\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::networkName&quot; *\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::loginEmail = STRING: &quot; loginEmail: string\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::loginResult = STRING: &quot; loginResult: string\n        
&quot;MERAKI-CLOUD-CONTROLLER-MIB::loginDescription = STRING: &quot; loginDescRaw: string\n| extend organizationName = trim(&quot;#011&quot;, organizationName) \n\/\/ Convert the loginDescription string into dynamic JSON\n| extend loginJson = parse_json(loginDescRaw)\n\/\/ Filter only where login is success\n| where loginJson.success == true\n\/\/ Choose what fields to return\n| project TimeGenerated,\n          organizationName,\n          Email         = tostring(loginJson.email),\n          IP            = tostring(loginJson.ip),\n          Location      = tostring(loginJson.location),\n          AuthType      = tostring(loginJson.auth_type),\n          LoggedInAt    = tostring(loginJson.logged_in_at),\n          Success       = tobool(loginJson.success)\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D4D4D4\">Syslog<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">where<\/span><span style=\"color: #D4D4D4\"> SyslogMessage <\/span><span style=\"color: #C586C0\">has<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">&quot;USERNAME@DOMAIN.TLD&quot;<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">parse<\/span><span style=\"color: #D4D4D4\">  SyslogMessage <\/span><span style=\"color: #C586C0\">with<\/span><span style=\"color: #D4D4D4\"> *<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::organizationName.0 = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> organizationName: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::networkName&quot;<\/span><span style=\"color: #D4D4D4\"> *<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::loginEmail = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> loginEmail: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::loginResult = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> loginResult: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::loginDescription = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> loginDescRaw: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">extend<\/span><span style=\"color: #D4D4D4\"> organizationName = <\/span><span style=\"color: #DCDCAA\">trim<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #CE9178\">&quot;#011&quot;<\/span><span style=\"color: #D4D4D4\">, organizationName) <\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #6A9955\">\/\/ Convert the loginDescription string into dynamic JSON<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">extend<\/span><span style=\"color: #D4D4D4\"> loginJson = <\/span><span style=\"color: #F44747\">parse_json<\/span><span style=\"color: #D4D4D4\">(loginDescRaw)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">\/\/ Filter only where login is success<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">where<\/span><span style=\"color: #D4D4D4\"> loginJson.success == <\/span><span style=\"color: #569CD6\">true<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">\/\/ Choose what fields to return<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">project<\/span><span style=\"color: #D4D4D4\"> TimeGenerated,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          organizationName,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          Email         = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.email),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          IP            = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.ip),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          Location      = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.location),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          AuthType      = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.auth_type),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          LoggedInAt    = <\/span><span style=\"color: 
#DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.logged_in_at),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          Success       = <\/span><span style=\"color: #DCDCAA\">tobool<\/span><span style=\"color: #D4D4D4\">(loginJson.success)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>The measurement and alert logic can be configured to your preference. Running this every 15 minutes will cost approximately $0.50 per month.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-32-1024x683.png\" alt=\"\" class=\"wp-image-632\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-32-1024x683.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-32-300x200.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-32-768x512.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-32.png 1073w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Finish the custom alert rule by adding an action and specifying the necessary details. Depending on your action, you will receive an alert if the break-glass admin query has more than one result.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Processing and collecting logs through Sentinel<\/h2>\n\n\n\n<p>Open the Sentinel connectors and add &#171;Syslog via AMA&#187;. 
Once added, navigate to the connector page.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"556\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-24-1024x556.png\" alt=\"\" class=\"wp-image-623\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-24-1024x556.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-24-300x163.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-24-768x417.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-24-1536x835.png 1536w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-24-2048x1113.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Create a new data collection rule.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"260\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-21-1024x260.png\" alt=\"\" class=\"wp-image-620\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-21-1024x260.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-21-300x76.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-21-768x195.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-21-1536x390.png 1536w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-21.png 1760w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Select your SNMP VM and collect the LOG_LOCAL2. 
This is the equivalent of what we&#8217;ve configured with OPTIONS=&quot;-m ALL -Ls2&quot; in \/etc\/sysconfig\/snmptrapd.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"906\" height=\"1024\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-22-906x1024.png\" alt=\"\" class=\"wp-image-621\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-22-906x1024.png 906w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-22-266x300.png 266w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-22-768x868.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-22.png 1040w\" sizes=\"auto, (max-width: 906px) 100vw, 906px\" \/><\/figure>\n\n\n\n<p>Test the collection by logging in with a non-SAML Meraki Dashboard user. There should be a new syslog entry in the Sentinel logs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"457\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-28-1024x457.png\" alt=\"\" class=\"wp-image-628\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-28-1024x457.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-28-300x134.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-28-768x342.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-28-1536x685.png 1536w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-28-2048x913.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If everything looks correct, head over to the analytics rules and create a new one.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"854\" height=\"895\" 
src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-30.png\" alt=\"\" class=\"wp-image-630\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-30.png 854w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-30-286x300.png 286w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-30-768x805.png 768w\" sizes=\"auto, (max-width: 854px) 100vw, 854px\" \/><\/figure>\n\n\n\n<p>In the rule logic tab, use this query to gather the logins for your break-glass admin. Be sure to change the query to match your USERNAME@DOMAIN.TLD.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"656\" height=\"1024\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-31-656x1024.png\" alt=\"\" class=\"wp-image-631\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-31-656x1024.png 656w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-31-192x300.png 192w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-31-768x1200.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-31-983x1536.png 983w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-31.png 1253w\" sizes=\"auto, (max-width: 656px) 100vw, 656px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 
16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">Kusto<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Syslog\n| where SyslogMessage has &quot;USERNAME@DOMAIN.TLD&quot;\n| parse  SyslogMessage with *\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::organizationName.0 = STRING: &quot; organizationName: string\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::networkName&quot; *\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::loginEmail = STRING: &quot; loginEmail: string\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::loginResult = STRING: &quot; loginResult: string\n        &quot;MERAKI-CLOUD-CONTROLLER-MIB::loginDescription = STRING: &quot; loginDescRaw: string\n| extend organizationName = trim(&quot;#011&quot;, organizationName) \n\/\/ Convert the loginDescription string into dynamic JSON\n| extend loginJson = parse_json(loginDescRaw)\n\/\/ Filter only where login is success\n| where loginJson.success == true\n\/\/ Choose what fields to return\n| project TimeGenerated,\n          organizationName,\n          Email         = tostring(loginJson.email),\n          IP            = tostring(loginJson.ip),\n          Location      = tostring(loginJson.location),\n          AuthType      = tostring(loginJson.auth_type),\n          LoggedInAt    = tostring(loginJson.logged_in_at),\n          Success       = tobool(loginJson.success)\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 
002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D4D4D4\">Syslog<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">where<\/span><span style=\"color: #D4D4D4\"> SyslogMessage <\/span><span style=\"color: #C586C0\">has<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #CE9178\">&quot;USERNAME@DOMAIN.TLD&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">parse<\/span><span style=\"color: #D4D4D4\">  SyslogMessage <\/span><span style=\"color: #C586C0\">with<\/span><span style=\"color: #D4D4D4\"> *<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::organizationName.0 = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> organizationName: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::networkName&quot;<\/span><span style=\"color: #D4D4D4\"> *<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::loginEmail = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> loginEmail: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::loginResult = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> loginResult: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: 
#CE9178\">&quot;MERAKI-CLOUD-CONTROLLER-MIB::loginDescription = STRING: &quot;<\/span><span style=\"color: #D4D4D4\"> loginDescRaw: <\/span><span style=\"color: #569CD6\">string<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">extend<\/span><span style=\"color: #D4D4D4\"> organizationName = <\/span><span style=\"color: #DCDCAA\">trim<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #CE9178\">&quot;#011&quot;<\/span><span style=\"color: #D4D4D4\">, organizationName) <\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">\/\/ Convert the loginDescription string into dynamic JSON<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">extend<\/span><span style=\"color: #D4D4D4\"> loginJson = <\/span><span style=\"color: #F44747\">parse_json<\/span><span style=\"color: #D4D4D4\">(loginDescRaw)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">\/\/ Filter only where login is success<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">where<\/span><span style=\"color: #D4D4D4\"> loginJson.success == <\/span><span style=\"color: #569CD6\">true<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">\/\/ Choose what fields to return<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">| <\/span><span style=\"color: #569CD6\">project<\/span><span style=\"color: #D4D4D4\"> TimeGenerated,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          organizationName,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          Email         = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.email),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          IP            = <\/span><span style=\"color: 
#DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.ip),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          Location      = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.location),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          AuthType      = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.auth_type),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          LoggedInAt    = <\/span><span style=\"color: #DCDCAA\">tostring<\/span><span style=\"color: #D4D4D4\">(loginJson.logged_in_at),<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">          Success       = <\/span><span style=\"color: #DCDCAA\">tobool<\/span><span style=\"color: #D4D4D4\">(loginJson.success)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>If everything is configured correctly, you should get an alert based on your analytics rule.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"217\" src=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-25-1024x217.png\" alt=\"\" class=\"wp-image-625\" srcset=\"https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-25-1024x217.png 1024w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-25-300x64.png 300w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-25-768x163.png 768w, https:\/\/digitalmaterial.ch\/blog\/wp-content\/uploads\/2025\/02\/image-25.png 1466w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/agents\/data-collection-snmp-data\">Collect SNMP trap data with Azure Monitor Agent &#8211; Azure Monitor | Microsoft 
Learn<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/documentation.meraki.com\/General_Administration\/Monitoring_and_Reporting\/SNMP_Overview_and_Configuration#Enabling_Traps\">SNMP Overview and Configuration &#8211; Cisco Meraki Documentation<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since it\u2019s recommended to have a break-glass admin account in case of SAML authentication failures or other account issues, a security concern arises. Break-glass admin logins might go unnoticed, as there\u2019s no native feature to send login alerts for specific accounts. The solution isn\u2019t straightforward, as Cisco Meraki only allows login attempts to be sent [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":638,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,21,19],"tags":[],"class_list":["post-260","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-allgemein","category-azure","category-networking"],"_links":{"self":[{"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/posts\/260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/comments?post=260"}],"version-history":[{"count":19,"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/posts\/260\/revisions"}],"predecessor-version":[{"id":637,"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/posts\/260\/revisions\/637"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/media\/638"}],"wp:attachment":[{"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp
\/v2\/media?parent=260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/categories?post=260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/digitalmaterial.ch\/blog\/wp-json\/wp\/v2\/tags?post=260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}