Good Morning!
Let me know if this would be better under the Meraki administration section...
I'm wondering what everyone uses for historical Cisco Meraki MX security reports?
I find the Security Center is very robust and great for looking at data up to a month old however it does not provide the functionality to go back further.
If I want to break down Summary Report information by quarter I can do that, but not so with the Security Center report. I do have regularly scheduled e-mail reports that come in on a daily basis but I'd like a way to view historical information.
I'm preparing a 2018 report, does anyone know of a way that the data can be looked up historically and/or can the Security Center data be exported to a third party application meant specifically for historical reporting and analysis?
Thank you for your assistance!
Aaron Willette has an excellent blog post about Meraki's logging:
http://www.willette.works/meraki-event-logs/
Syslog can bring your logs into a SIEM:
If you need more details about an incident, you should get them within the 1 month retention. You could set up alerting based on the priority score so you're triggered by your SIEM to do something.
You could also set up scheduled reporting via e-mail about the security events:
You could also use the API, but at the moment, it only has the client specific call, so that's very limited:
{{baseUrl}}/networks/{{networkId}}/clients/{{clientId}}/securityEvents?perPage=100
More info:
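As an added example, not code from this thread or from Meraki: a small Python script that follows the rel="next" Link-header pagination of the securityEvents call above, merges each daily pull into a local archive so events outlive the one-month retention, and counts them per calendar quarter and priority score for a year-end report. The event field names, the Link-header pagination style, the startingAfter token and the sample pages are assumptions constructed for the demo.

```python
import re
from collections import Counter
from datetime import datetime
def parse_next_link(link_header):
    # rel="next" URL from an RFC 5988 Link header; None means this was the last page
    m = re.search(r'<([^>]+)>;\s*rel="?next"?', link_header or "")
    return m.group(1) if m else None

def collect_events(fetch, url):
    # Walk every page of the securityEvents call; fetch(url) returns (event list, Link header)
    events = []
    while url:
        page, link = fetch(url)
        events.extend(page)
        url = parse_next_link(link)
    return events

def archive_events(events, archive):
    # Merge into a dict keyed by (ts, eventType, srcIp, destIp) so daily re-runs add no duplicates
    added = 0
    for e in events:
        key = (e["ts"], e["eventType"], e.get("srcIp"), e.get("destIp"))
        if key not in archive:
            archive[key] = e
            added += 1
    return added

def quarterly_summary(archive):
    # Count archived events per (calendar quarter, priority score) for the year-end report
    counts = Counter()
    for e in archive.values():
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        counts[(f"{t.year}Q{(t.month - 1) // 3 + 1}", e["priority"])] += 1
    return counts
# Constructed sample pages with assumed field names so the demo runs offline; a live
# fetcher would do an HTTPS GET with the API key and return (JSON body, Link header).
def ev(ts, kind, prio, src, dst):
    return {"ts": ts, "eventType": kind, "priority": prio, "srcIp": src, "destIp": dst}
BASE = "https://api.example/networks/N_1/clients/C_1/securityEvents?perPage=100"
SAMPLE_PAGES = {
    BASE: ([ev("2018-03-30T10:15:00Z", "IDS Alert", 3, "203.0.113.5", "10.0.0.20"),
            ev("2018-06-12T08:00:00Z", "File Scanned", 1, "10.0.0.21", "198.51.100.9")],
           f'<{BASE}&startingAfter=p2>; rel="next"'),
    BASE + "&startingAfter=p2": ([ev("2018-11-02T22:40:00Z", "IDS Alert", 4, "192.0.2.77", "10.0.0.20")], None),
}
def run_demo():  # one daily pull, then a re-run of the same pages (adds nothing)
    archive = {}
    events = collect_events(SAMPLE_PAGES.__getitem__, BASE)
    return archive, archive_events(events, archive), archive_events(events, archive), quarterly_summary(archive)
```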
Thank you both for your responses!
I do have scheduled e-mail reports for both daily and more recently monthly. I was looking to pull data for an end-year report and finding that difficult. At least with the monthly reports we can compile 12 reports into an end of year report in 2019.
I was kind of thinking this might be better looked at through the lens of SIEM and could be reported on through there.
I'll check out that blog post as well - appreciate the feedback!
Security Center logging is now down to two weeks. Are sales of Stealthwatch Cloud too slow for Cisco I wonder?
You could consider using a product like Cisco Stealthwatch Cloud, but it is a tad pricy so usually suited to larger organisations.
https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html
As @BrechtSchamp says, this works by funneling the logs to it. Note that it can collect logs from other kinds of devices as well (including things like Amazon AWS), so is a more encompassing security monitoring tool.