Events - same event different API return, also call never returns

sungod
Kind of a big deal
Kind of a big deal

Events - same event different API return, also call never returns

API call https://developer.cisco.com/meraki/api-v1/#!get-network-events

 

 

Working on analysing events, the lack of definitive documentation means crunching a lot of data to find out the different formats vs. context in API return data.

 

But I'm seeing two different returns for the same content filter URL blocking event.

 

The network, mac, client etc. are identical, the events are less than a second apart, yet one has a "categories" element, which is always the empty string "", and the other has a "category" element which has a sensible value, the name of the filter category.

 

I'm thinking, 'bug', before I open a case, does anyone think it's correct API behaviour?

 

Example snippet below, there are a lot of these events, most have "categories" with the empty string. It's the last element in the return JSON.

 

 

 

 

{"occurredAt": "2023-01-25T09:15:27.116724Z", "networkId": "L_id", "type": "cf_block", "description": "Content filtering blocked URL", "clientId": "k", "clientDescription": "MS350 Stack", "clientMac": "mac", "deviceSerial": "ser", "deviceName": "MX84 Top", "eventData": {"url": "https://doh.opendns.com/...", "server": "146.112.41.2:443", "categories": ""}}

{"occurredAt": "2023-01-25T09:15:27.103528Z", "networkId": "L_id", "type": "cf_block", "description": "Content filtering blocked URL", "clientId": "k", "clientDescription": "MS350 Stack", "clientMac": "mac", "deviceSerial": "ser", "deviceName": "MX84 Top", "eventData": {"url": "https://doh.opendns.com/...", "server": "146.112.41.2:443", "category": "Proxy Avoidance and Anonymizers"}}

 

 

 

  

Edit:

 

A second problem: on one of the organisations I am testing on, the API call never returns, no errors, it just never comes back. Been testing for a few days now, it's consistent.

 

Edit edit:

 

The call not returning is an odd one:

 

I'm using the Meraki Python library, current version.

 

The info on https://developer.cisco.com/meraki/api-v1/#!get-network-events does not mention a 

total_pages parameter, but the source code on GitHub does.

 

Given that there are perPage, startingAfter and endingBefore parameters, it is logical that there should be a total_pages too, so that you can use total_pages="all" to get the complete set of events.

 

Testing on an org that works with the call shows this to be the case, the total_pages="all" is required to get all events, so it's missing from the developer page instructions.

 

On the affected organization...

 

the call hangs only if total_pages="all" is present.

 

if I leave it off, the call returns normally

 

Testing the call curl, it returns ok, but there are no matching events.

 

Looks like the trigger for the problem is where there are no events and total_pages="all" is given, it is a problem in the Meraki Python library not the API. I'll report it.

 

2 Replies 2
sungod
Kind of a big deal
Kind of a big deal

The Meraki library call hanging where there are no events and total_pages="all" is given has been confirmed by the developers, but they say it's actually an API endpoint bug.

 

The endpoint returns zero events together with a link to the next page, which is also zero events with a link to the next page, etc.

 

I've opened a case with Meraki support.

 

Until it is fixed, be aware the call will hang in this situation!

sungod
Kind of a big deal
Kind of a big deal

The support team confirmed the API return isn't matching documented behaviour, but I'd expect it could be a while before any fix.

 

In the meantime, I came up with a workaround, patching the local package file... meraki/aio/rest_session.py

 

At line 402 (correct for library release 1.27.0) I added an extra test to cover the problematic return data, so that the handling of the initial API call becomes...

 

 

        async with await self.request(metadata, "GET", url, params=params) as response:
            results = await response.json(content_type = None)

            # For event log endpoint when using 'next' direction, so results/events are sorted chronologically
            if (
                    type(results) == dict
                    and metadata["operation"] == "getNetworkEvents"
                    and direction == "next"
            ):
                results["events"] = results["events"][::-1]
#insert here
            elif (
                    type(results) == dict
                    and metadata["operation"] == "getNetworkEvents"
                    and direction == "prev"
            ):
                if len(results["events"]) == 0:
                    return results
#end of insert                    
            links = response.links

 

 

 

This is in the aio version, I guess it will be similar in non-aio.

 

Caveat: this is working ok for me with the organizations I've tested on, but maybe it's not the right/best way to do it.

 

Get notified when there are additional replies to this discussion.