Security Reporting

SOLVED
ITPointeMan
Here to help

Security Reporting

Good Morning!

Let me know if this would be better under the Meraki administration section...

 

I'm wondering what everyone uses for historical Cisco Meraki MX security reports?

I find the Security Center is very robust and great for looking at data up to a month old however it does not provide the functionality to go back further.

 

If I want to breakdown Summary Report information by quarter I can do that, but not so with the Security Center report. I do have regularly scheduled e-mail reports that come in on a daily basis but I'd like a way to view historical information.

 

I'm preparing a 2018 report, does anyone know of a way that the data can be looked up historically and/or can the Security Center data be exported to a third party application meant specifically for historical reporting and analysis?

 

Thank you for your assistance!

1 ACCEPTED SOLUTION
BrechtSchamp
Kind of a big deal

Aaron Willette has an excellent blog post about Meraki's logging:

http://www.willette.works/meraki-event-logs/

 

Syslog can bring your logs into a SIEM:

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Event_Types...

 

If you need more details about an incident, you should get them within the 1 month retention. You could setup alerting based on the priority score so you're triggered by your SIEM to do something.

 

You could also setup scheduled reporting via e-mail about the security events:

2019-02-18 18_25_33-Greenshot.png

 

You could also use the API, but at the moment, it only has the client specific call, so that's very limited:

{{baseUrl}}/networks/{{networkId}}/clients/{{clientId}}/securityEvents?perPage=100

 

More info:

https://documenter.getpostman.com/view/897512/meraki-dashboard-api/2To9xm#de844141-5d03-4ba5-80f8-62...

 

View solution in original post

4 REPLIES 4
BrechtSchamp
Kind of a big deal

Aaron Willette has an excellent blog post about Meraki's logging:

http://www.willette.works/meraki-event-logs/

 

Syslog can bring your logs into a SIEM:

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Event_Types...

 

If you need more details about an incident, you should get them within the 1 month retention. You could setup alerting based on the priority score so you're triggered by your SIEM to do something.

 

You could also setup scheduled reporting via e-mail about the security events:

2019-02-18 18_25_33-Greenshot.png

 

You could also use the API, but at the moment, it only has the client specific call, so that's very limited:

{{baseUrl}}/networks/{{networkId}}/clients/{{clientId}}/securityEvents?perPage=100

 

More info:

https://documenter.getpostman.com/view/897512/meraki-dashboard-api/2To9xm#de844141-5d03-4ba5-80f8-62...

 

Thank you both for your responses!

I do have scheduled e-mail reports for both daily and more recently monthly. I was looking to pull data for an end-year report and finding that difficult. At least with the monthly reports we can compile 12 reports into an end of year report in 2019.

 

I was kind of thinking this might be better looked at through the lens of SIEM and could be reported on through there.

 

I'll check out that blog post as well - appreciate the feedback!

 

 

Security Center logging is now down to two weeks. Are sales of Stealthwatch Cloud too slow for Cisco I wonder?

PhilipDAth
Kind of a big deal
Kind of a big deal

You could consider using a product like Cisco Stealthwatch Cloud, but it is a tad pricy so usually suited to larger organisations.

https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html

 

As @BrechtSchamp  says, this works by funneling the logs to it.  Note that it can collect logs from other kinds of devices as well (including things like Amazon AWS), so is a more encompassing security monitoring tool.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels