Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki event querying and analysis tools? (incl. 3rd party?)

cabricharme
Getting noticed
‎Aug 21 2024 10:03 AM
‎Aug 21 2024 10:03 AM

Meraki event querying and analysis tools? (incl. 3rd party?)

Basically I am looking for a Splunk-like tool for Meraki events across 20+ networks and MX devices, 60+ switches. Given I have next to zero money aka budget (that I know of, haha), and next to zero time to maintain that tool (wearing lots of other hats) - the focus is on the simplicity, ease of maintenance. (Splunk is a bear to maintain - and can get expensive fast.) Need something simple yet where an SQL-like query would give me a fast answer to "top 10 networks with most site-to-site auto-VPN failures" and then chart the results over e.g. 3 years.

 

If you have a suggestion, please include a screenshot (or a link) to a dashboard or report (or other KO) example of how this tool actually works, what results it produces.

 

Context:

  • Given Meraki's focus on ease of use and putting everything in the cloud, I was surprised to find out just how limited event search in Meraki is. Can't search for specific strings or regex in the events. Can't search across 2+ networks. Can't even export a full CSV of a specific log, or all logs. (Seriously?) Forget any sort of analytics other than what Meraki dashboards already provide.
  • Given the (event) data is already in Meraki cloud (even if with very limited retention), I thought maybe there are good integrations with other cloud-based analytics and o11y tools - Splunk, Azure Log Analytics, Datadog, New Relic - that use the data in place... Authorize, connect, and Bob's your uncle? But... no:
    • there's not a single one letting me search the existing data in place - must forward first to a different tool with its own storage. Hmmm, OK.
    • There are some integrations like Cisco Meraki connector for Microsoft Sentinel - yet that is anything but simple: set up a syslog server, Sentinel agent, all that - apparently with a number of seemingly critical issues that (a) make the solution anything but simple and seem to be a recipe for a mountain of technical debt, and (b) require a purchase of another product we don't have (Sentinel) and not sure we need.
    • there're Splunk Web Add-on for Cisco Meraki, and Splunk Add-on for Cisco Meraki, both with very sparse information - e.g. no examples of KOs, reports, dashboards - and I am hesitant to spend weeks or months on setting up a POC, only to find out there're insurmountable limitations.

 

P.S. Please help me with the subject / title of this thread. What should it be if I am looking for a substantial upgrade to Meraki's current event retention, querying and analysis functionality? "Log aggregation" doesn't quite sound right. SIEM? This isn't about security - more about o11y and analytics that's not limited to security. Thanks!

Labels:
0 Kudos
2 Replies 2
KH
Meraki Employee
Meraki Employee
‎Aug 22 2024 8:40 AM
‎Aug 22 2024 8:40 AM

Hey @cabricharme 

 

It sounds like a syslog server is what you need ultimately. Event logs are one of the different data points that is exported towards them, it seems like you are mainly focused on events.
If you are wanting something more visual and simple, I would recommend browsing apps.meraki.io for a solution. One good solution you can look into is LogicMonitor https://apps.meraki.io/en-US/apps/420402/logicmonitor-%7C-lm-envision#features

A whole list of different options can be viewed here: https://apps.meraki.io/en-US/listing?cat=99861&page=1

Hopefully this helps.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
In response to KH
cabricharme
Getting noticed
‎Aug 24 2024 5:17 PM
‎Aug 24 2024 5:17 PM

[...] it seems like you are mainly focused on events.

 

Correct. I.e. don't need "visual" or "simple to use" but rather - a splunk-like QL for Meraki events that is simple to set up and maintain and ideally wouldn't require me to set up some sort of a forwarder (like a syslog server).

 

(E.g. all that Datadog seems to need to start receiving logs into their system is an API key. That's already much better than setting up a syslog server.)

 

In other words, the main question remains:

 

What is the simplest way to use a decent Query Language for Meraki events?

 

Perhaps it's Logic Monitor or Datadog or New Relic - or Splunk, all of which have integrations. But which one, in terms of QL maturity and overall value?

 

(Ideally the answer would come come from someone who has tried a few and zeroed in on something that worked.)

 

Thanks again!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.