How do I integrate Meraki API with our SIEM?

TonySD
Just browsing

We have explored the various Meraki logging options as listed in this table

https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Operate_and_Maintain/M...

We would like to utilize the API to pull logs into our SIEM. But then it appears that there is not a simple one API-call for 'event logs', instead I need to call more than 1 API. Is that right? Also, it appears that the return I receive (e.g. from 'getNetworkEvents') is simply a pointer to other queries, requiring further follow-up calls? And, then, I also do not see how to track the last-received log, i.e., so that we can re-query every 5 min or whatever and only get new logs.

Can anyone give me a how-to for retrieving all the security and admin events in our Meraki environment?

I appreciate any suggestions. Thank you!

3 Replies
Mloraditch
Kind of a big deal

I would strongly urge you to use syslog for this. That's what most SIEMs use and, at least IMO, is sufficient for what you need therein.

If you do want to use the API, the article you pointed to lists the possibly relevant calls; if you have specific questions about specific calls, we may be able to answer them.

With regards to getNetworkEvents, you would use the startingAfter and endingBefore parameters to limit the time range. You would have to track that in your app so the ranges don't overlap when you call it. I'm not sure what you mean by it referring to other calls. I don't use it myself, but the documentation examples don't seem to indicate that: https://developer.cisco.com/meraki/api-v1/get-network-events/

GIdenJoe
Kind of a big deal

*This*

The syslogs are sent in order and will contain timestamp and hostname information.

It wouldn't make sense to do this via API too. Firewall logs (especially connection logs) zip by so fast you couldn't use that effectively. So you really need to stream those locally.

TonySD
Just browsing

My understanding (from that page/table I first referenced) shows that syslog is only available from the Meraki devices directly, i.e., I need local (or at least network-reachable/routed) syslog-collectors for each. And, that syslog from the devices will not include config-changes or "critical" security-events. Thus the reason for wanting to collect everything from the mgmt-console.

(We are, in fact, already collecting those logs from our 800 Meraki APs via syslog. So I am familiar with their contents.)

re firewall/connection logs, I believe we are only seeing the AP auth/deauth events. So it's busy but not crazy busy. (By comparison, our public-facing firewalls generate 400M events/day!)

re the 'getnetworkevents' API call, it sounds like I do need to script some sort of saved/on-disk 'state' for the Last Received Event. Bummer, more to script, I guess?
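The two points raised in this thread, limiting getNetworkEvents with startingAfter/endingBefore (Mloraditch) and keeping an on-disk record of the last event received (TonySD's conclusion), fit together into a small incremental poller. The block below is an added example written for this thread; it is not Meraki's code or anything from the linked documentation. It assumes the v1 call `GET /networks/{networkId}/events`, the `X-Cisco-Meraki-API-Key` header, the `perPage`, `productType` and `startingAfter` query parameters, and a response body whose `events` entries carry an `occurredAt` ISO-8601 timestamp, all as described in the developer docs; the network id `N_123`, the device serial and the event records in `demo()` are constructed test data. The "pointer" the original post noticed is the pagination metadata (page bounds and the Link header), not the events themselves; the poller walks those pages forward from its watermark. Because events have no unique id and the event at the watermark timestamp can legitimately be returned again on the next call, the state file also keeps fingerprints of the events stamped with that timestamp, so nothing is forwarded to the SIEM twice and nothing is dropped.

```python
"""Incremental poller for the Meraki Dashboard API call getNetworkEvents (added example, not Meraki's code).
Assumes the v1 response shape {"pageStartAt": ..., "pageEndAt": ..., "events": [{"occurredAt": "<ISO-8601>", ...}]}
and walks forward from a persisted watermark with the startingAfter query parameter."""
import hashlib
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "https://api.meraki.com/api/v1"
Transport = Callable[[str, dict], dict]  # (path, query params) -> parsed JSON body

def http_transport(api_key: str) -> Transport:
    """Real transport: authenticated GET against the Dashboard API."""
    def get(path: str, params: dict) -> dict:
        url = f"{BASE_URL}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={
            "X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get

def event_key(event: dict) -> str:
    """Events carry no unique id, so fingerprint the whole record for de-duplication."""
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()

def load_state(path: str) -> dict:
    """Watermark file: newest timestamp forwarded, plus fingerprints of the events at that timestamp."""
    if not os.path.exists(path):
        return {"last_occurred_at": None, "boundary_keys": []}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def save_state(path: str, state: dict) -> None:
    """Write-then-rename so a crash cannot leave a half-written watermark behind."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)

def poll_network_events(transport: Transport, network_id: str, state: dict,
                        product_type: Optional[str] = None, per_page: int = 1000,
                        max_pages: int = 50) -> Tuple[List[dict], dict]:
    """Return (events newer than the watermark, updated state); safe to call every few minutes."""
    last_ts = state.get("last_occurred_at")
    boundary = set(state.get("boundary_keys", []))  # already-forwarded events stamped last_ts
    new_events: List[dict] = []
    for _ in range(max_pages):  # cap pages per run so a burst cannot pin the poller
        params = {"perPage": per_page}
        if product_type:
            params["productType"] = product_type
        if last_ts:
            params["startingAfter"] = last_ts
        page = transport(f"/networks/{network_id}/events", params)
        events = sorted(page.get("events", []), key=lambda e: e["occurredAt"])
        fresh = [e for e in events if event_key(e) not in boundary]
        if not fresh:
            break  # only re-sent boundary events, or nothing at all: caught up
        new_events.extend(fresh)
        newest = fresh[-1]["occurredAt"]
        if newest != last_ts:
            boundary = set()  # watermark moved, fingerprints from the old timestamp are stale
        boundary.update(event_key(e) for e in fresh if e["occurredAt"] == newest)
        last_ts = newest
        if len(events) < per_page:
            break  # short page: no further pages right now
    return new_events, {"last_occurred_at": last_ts, "boundary_keys": sorted(boundary)}

def constructed_transport(pages: Dict[Optional[str], dict]) -> Transport:
    """Offline stand-in keyed by the startingAfter value; constructed test data, not real API output."""
    def get(path: str, params: dict) -> dict:
        return pages.get(params.get("startingAfter"), {"events": []})
    return get

def demo() -> dict:
    """Three polling cycles against constructed pages: watermark advance plus boundary de-duplication."""
    def ev(ts: str, desc: str) -> dict:  # constructed event with a placeholder serial
        return {"occurredAt": ts, "type": "association", "description": desc, "deviceSerial": "QXXX-XXXX-XXXX"}
    t2, t5 = "2024-01-01T00:00:02Z", "2024-01-01T00:00:05Z"
    pages = {
        None: {"events": [ev(t2, "b"), ev("2024-01-01T00:00:01Z", "a"), ev(t2, "c")]},
        t2: {"events": [ev(t2, "c"), ev(t2, "b"), ev(t5, "d")]},  # boundary events re-sent with one new one
        t5: {"events": [ev(t5, "d")]},                            # nothing new since the last cycle
    }
    transport, state = constructed_transport(pages), {"last_occurred_at": None, "boundary_keys": []}
    counts = []
    for _ in range(3):
        got, state = poll_network_events(transport, "N_123", state)
        counts.append(len(got))
    return {"counts": counts, "watermark": state["last_occurred_at"], "boundary_size": len(state["boundary_keys"])}

if __name__ == "__main__":
    # Real use: poll_network_events(http_transport(os.environ["MERAKI_API_KEY"]), "<networkId>", load_state(".meraki_events.json"))
    print(demo())
```

In production the loop body is: `load_state`, `poll_network_events` with the real `http_transport`, ship the returned events to the SIEM, then `save_state` only after the shipment succeeded, so a failed delivery is retried on the next run rather than lost. The same watermark pattern carries over to the organization-level configuration change and appliance security event calls, which is why there is no single "event log" endpoint as the original post observed: each event source is its own call with its own state.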
