Download logs of the last 8 months.

Johnfnadez
Building a reputation


Hi Merakiers!

My customer is requesting the last 8 months of logs regarding security events, but in the event log page I can only download one page. Does anyone know if I can request this information from support, or do I have any other way to get them?

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
9 REPLIES
ConnorL
Meraki Employee

Support can't export this for you; it'll either be a CSV export of each page, or use the API to fetch the event logs.
For the API, see: https://documenter.getpostman.com/view/7928889/SVmsVg6K?version=latest#9bfa67f6-c2c6-4c59-a887-bbb21...

Make sure you use the "perPage" parameter to show more than the default 10.

cmr
Kind of a big deal

I'd be surprised if the logs go back that far on the dashboard; on ours we only get 3 months. That's why you would normally have a SIEM solution for this kind of forensic check.

I need to export the logs from our MX firewalls. After reading this and following the links to all the API information over the past hour, it appears I need to learn programming and/or coding to get the logs. Is this correct? The only way I can get the entire contents of the Meraki MX logs (other than exporting 30 lines at a time to CSV) is to teach myself programming in Meraki API code?

 

Sort of, yes. You'd not be programming in "Meraki API code"; instead you can write the application in Python, Bash (curl) or nodeJS (and many others) that utilises the Meraki API. There are likely small Python scripts available on the Cisco DevNet site or on Google, see: https://developer.cisco.com/meraki/explore/

For Python, you can use the Meraki Python Library; for other languages you can use cURL. Support cannot assist you in providing these logs for security purposes, so either you can utilise the API (which is a lot faster) or save a CSV of each page (capped at 30 lines pp).

Going forward, you can use Syslog, which the MX will send all events to. For info, see: https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

Thank you for the response. Unfortunately I don't know what Python, Bash, curl, or nodeJS are, so I'm still in the dark. I see a number of references to something called the Postman tool. Is that something that can utilize the Meraki API? Is there any simple way for someone that doesn't have any programming background to do this?

 

cmr
Kind of a big deal

@ctscalbers with Python you don't need to know any programming; you simply download and install Python (3.8.4 is the current version) and then type commands such as python script.py and this will download the data. I think Meraki have the scripts, so you are kind of just running a batch file.

FYI, in the process of writing up how to do this in Postman now, @ctscalbers. Give me 5-10 mins.

Not to worry, I'm still learning Python myself so I know it's a bit of a challenge for newbies. Yes, you can use an app called Postman that allows you to execute API commands. I'll run you through how to do this for the event log now; the next steps assume you have Postman installed. If you don't, you can find it here.

 

1) Go to this link and click "Run in Postman" at the top right; this will install the Postman collection.

[Screenshot 2020-07-27 at 20.39.03.png]

2) In Postman, click the three dots on the collection, then Edit. Go to the Authorization tab and paste your API key in the value field, then click "update".

[Screenshot 2020-07-27 at 20.43.14.png] [Screenshot 2020-07-27 at 20.45.41 1.png]

3) You'll first need to get your organisation ID. To do this, open the collection then go to Organisations > getOrganisations and click "Send". Copy the ID of the organisation you wish to use.

[Screenshot 2020-07-27 at 20.47.00.png]

4) Next, we need to select the network you wish to view the event log for. Go to Networks > getOrganizationNetworks. Paste the ID we copied in the previous step into the organizationId field and untick the configTemplateId field, like so:

[Screenshot 2020-07-27 at 20.51.02.png]

You'll get an output that looks like this; copy the 'id' from the correct network:

[Artboard.png]

5) Final step: now we can use the Events > getNetworkEvents API to fetch all the events from your given network. There are a number of fields you can use to filter the date range and the number of events returned. To return events just for your MX, enter 'appliance' in the productType field. In this example, I'll be returning the last 1000 events from my MX:

[Screenshot 2020-07-27 at 20.57.20.png]

The networkId is the value we copied in the last step, usually starting with L_ or N_. You should get an output like this:

[Artboard1.png]

You can export this into whatever you'd like; it's just JSON.

The fields all have little help descriptions to explain what data you must enter into them, for example startingAfter and endingBefore. Hope this helps!
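The same getNetworkEvents fetch, scripted rather than clicked through in Postman, as an added example that is not part of the thread: it filters to the MX (productType "appliance"), asks for large pages with perPage, formats endingBefore as a full ISO 8601 UTC timestamp, and pages backwards using each page's pageStartAt. The HTTP call is injected so the paging logic runs offline against constructed sample pages; the response field names (events, pageStartAt, occurredAt, type, description) and the pageStartAt-as-next-endingBefore strategy are assumptions about the Dashboard API, not text from the thread.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List

def iso8601(dt: datetime) -> str:
    """UTC ISO 8601 timestamp, e.g. 2020-07-27T13:00:00Z, for startingAfter/endingBefore."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def fetch_all_events(get_page: Callable[[Dict[str, str]], dict], ending_before: datetime,
                     per_page: int = 1000, max_pages: int = 1000) -> List[dict]:
    """Page backwards through GET /networks/{networkId}/events until a page is empty.
    get_page receives the query parameters and returns the parsed JSON body. Each page's
    pageStartAt becomes the next endingBefore (assumed paging strategy); an event sitting
    exactly on that boundary can be returned twice, so events are de-duplicated."""
    params = {"productType": "appliance", "perPage": str(per_page),
              "endingBefore": iso8601(ending_before)}
    seen, events = set(), []
    for _ in range(max_pages):
        body = get_page(params)
        page = body.get("events") or []
        if not page:
            break
        for ev in page:
            key = (ev.get("occurredAt"), ev.get("type"), ev.get("description"))
            if key not in seen:
                seen.add(key)
                events.append(ev)
        params["endingBefore"] = body["pageStartAt"]
    return events

# Constructed sample pages (not real data), newest first; the 12:58:00 event lies on the
# page boundary and is returned twice, which exercises the de-duplication above.
def _ev(ts, kind, desc):
    return {"occurredAt": ts, "type": kind, "deviceName": "MX-HQ", "description": desc}

SAMPLE_PAGES = [
    {"pageStartAt": "2020-07-27T12:58:00Z", "events": [
        _ev("2020-07-27T12:59:30Z", "vpn_connectivity_change", "VPN connectivity changed"),
        _ev("2020-07-27T12:58:00Z", "ids_alerted", "IDS alert")]},
    {"pageStartAt": "2020-07-27T12:50:00Z", "events": [
        _ev("2020-07-27T12:58:00Z", "ids_alerted", "IDS alert"),
        _ev("2020-07-27T12:50:00Z", "dhcp_lease", "DHCP lease issued")]},
    {"events": []}]
CUTOFF = datetime(2020, 7, 27, 13, 0, tzinfo=timezone.utc)

def demo() -> List[dict]:
    """Run the pager against the sample pages (a stand-in for the real HTTP request)."""
    it = iter(SAMPLE_PAGES)
    return fetch_all_events(lambda params: next(it), CUTOFF)
```

Against a live dashboard, replace the lambda with a function that performs the real request (for example a thin wrapper around the Meraki Python library's networks.getNetworkEvents) and pass the returned list to csv.DictWriter if the customer wants a spreadsheet rather than raw JSON.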

Excellent write up and I really appreciate it. It has gotten me much further than I would have gotten on my own.

I enabled API in my Meraki dashboard and got my API key. I got Postman installed and followed your instructions.

 

I'm able to get data but I'm hung up on two points.

 

I want to see event log entries that happened before a particular date and time, so I'm trying to use the "endingBefore" parameter, but it gives me an error that "endingBefore must be a valid ISO 8601 formatted timestamp". I attempted to look up ISO 8601 formatting and came up with "2020-07-27T13:00", but that does not work either. How should this parameter be formatted?

 

The second issue I'm having is getting the output into some sort of file or format I can use. I have looked up JSON and I see it is JavaScript Object Notation, and I see how the output is organized, but it is not easy to read in that format. I also see where I can save the output to a file named .json, and I will see what I can do with that file type.

 

Sorry for the many questions but I don't have much experience with this type of thing. Thanks again for your help.
