https://community.cisco.com/t5/cloud-networking-platform/meraki-event-querying-and-analysis-tools-incl-3rd-party/m-p/5422823#M6818 <BLOCKQUOTE><HR /></BLOCKQUOTE><BLOCKQUOTE><HR />[...] it seems like you are mainly focused on events.<BR /><HR /></BLOCKQUOTE><P><SPAN>Correct. I.e. don't need "visual" or "simple to use" but rather - a splunk-like QL for Meraki events that is simple to set up and maintain and ideally wouldn't require me to set up some sort of a forwarder (like a syslog server).</SPAN></P><P><SPAN>(E.g. all that <A href="https://www.google.com/search?q=how+to+set+up+Meraki+events+in+Datadog" target="_self" rel="nofollow noopener noreferrer">Datadog seems to need</A> to start receiving logs into their system is an API key. That's already much better than setting up a syslog server.)</SPAN></P><P><SPAN>In other words, the main question remains:</SPAN></P><P><STRONG>What is the simplest way to use a decent Query Language for Meraki events? </STRONG></P><P><SPAN>Perhaps it's Logic Monitor or <A href="https://www.google.com/search?q=how+to+set+up+Meraki+events+in+Datadog" target="_self" rel="nofollow noopener noreferrer">Datadog</A> or New Relic - or Splunk, all of which have integrations. But which one, in terms of QL maturity and overall value?</SPAN></P><P><SPAN>(Ideally the answer would come come from someone who has tried a few and zeroed in on something that worked.)</SPAN></P><P><SPAN>Thanks again!</SPAN></P> Sun, 25 Aug 2024 00:17:29 GMT alexeig 2024-08-25T00:17:29Z https://community.cisco.com/t5/cloud-networking-platform/meraki-event-querying-and-analysis-tools-incl-3rd-party/m-p/5422821#M6816 <P>Basically I am looking for a Splunk-like tool for Meraki events across 20+ networks and MX devices, 60+ switches. Given I have next to zero money aka budget (that I know of, haha), and next to zero time to maintain that tool (wearing lots of other hats) - the focus is on the simplicity, ease of maintenance. (Splunk is a bear to maintain - and can get expensive fast.) Need something simple yet where an SQL-like query would give me a fast answer to "top 10 networks with most site-to-site auto-VPN failures" and then chart the results over e.g. 3 years.</P><P>If you have a suggestion, <STRONG>please include a screenshot</STRONG> (or a link) to a dashboard or report (or other KO) example of how this tool actually works, what results it produces.</P><P>Context:</P><UL><LI>Given Meraki's focus on ease of use and putting everything in the cloud, I was surprised to find out just how limited event search in Meraki is. Can't search for specific strings or regex in the events. Can't search across 2+ networks. Can't even export a full CSV of a specific log, or all logs. (Seriously?) Forget any sort of analytics other than what Meraki dashboards already provide.</LI><LI><SPAN>Given the (event) data is already in Meraki </SPAN><SPAN>cloud (even if with very limited retention), I thought maybe there are good integrations with other cloud-based analytics and o11y tools - Splunk, Azure Log Analytics, Datadog, New Relic - that use the data in place... Authorize, connect, and Bob's your uncle? But... no:</SPAN><UL><LI><SPAN>there's not a single one letting me search the existing data in place - must <EM>forward</EM> first to a different tool with its own storage. Hmmm, OK.</SPAN></LI><LI><SPAN>There are some integrations like <A href="https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-meraki" target="_self" rel="nofollow noopener noreferrer">Cisco Meraki connector for Microsoft Sentinel</A> - yet that is anything but simple: set up a syslog server, Sentinel agent, all that - apparently with a number of <A href="https://www.reddit.com/r/meraki/comments/n3rq6s/comment/gww2zh2/" target="_blank" rel="noopener nofollow noreferrer">seemingly critical issues</A> that (a) make the solution anything but simple and seem to be a recipe for a mountain of technical debt, and (b) require a purchase of another product we don't have (Sentinel) and not sure we need.</SPAN></LI><LI><SPAN>there're Splunk Web <A href="https://docs.splunk.com/Documentation/AddOns/released/Meraki/Setup" target="_blank" rel="noopener nofollow noreferrer">Add-on for Cisco Meraki</A>, and <A href="https://splunkbase.splunk.com/app/5580" target="_blank" rel="noopener nofollow noreferrer">Splunk Add-on for Cisco Meraki</A>, both with very sparse information - e.g. no examples of KOs, reports, dashboards - and I am hesitant to spend weeks or months on setting up a POC, only to find out there're insurmountable limitations.</SPAN></LI></UL></LI></UL><P>P.S. Please help me with the subject / title of this thread. What should it be if I am looking for a substantial upgrade to Meraki's current event retention, querying and analysis functionality? "Log aggregation" doesn't quite sound right. SIEM? This isn't about security - more about o11y and analytics that's not limited to security. Thanks!</P> Wed, 21 Aug 2024 17:03:11 GMT https://community.cisco.com/t5/cloud-networking-platform/meraki-event-querying-and-analysis-tools-incl-3rd-party/m-p/5422821#M6816 alexeig 2024-08-21T17:03:11Z https://community.cisco.com/t5/cloud-networking-platform/meraki-event-querying-and-analysis-tools-incl-3rd-party/m-p/5422822#M6817 <P>Hey <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/89838">@alexeig</A> </P><P>It sounds like a syslog server is what you need ultimately. Event logs are one of the different data points that is exported towards them, it seems like you are mainly focused on events.<BR />If you are wanting something more visual and simple, I would recommend browsing apps.meraki.io for a solution. One good solution you can look into is LogicMonitor <A href="https://apps.meraki.io/en-US/apps/420402/logicmonitor-%7C-lm-envision#features" target="_blank" rel="noopener nofollow noreferrer">https://apps.meraki.io/en-US/apps/420402/logicmonitor-%7C-lm-envision#features</A><BR /><BR />A whole list of different options can be viewed here: <A href="https://apps.meraki.io/en-US/listing?cat=99861&amp;page=1" target="_blank" rel="nofollow noopener noreferrer">https://apps.meraki.io/en-US/listing?cat=99861&amp;page=1</A><BR /><BR />Hopefully this helps.</P> Thu, 22 Aug 2024 15:40:54 GMT https://community.cisco.com/t5/cloud-networking-platform/meraki-event-querying-and-analysis-tools-incl-3rd-party/m-p/5422822#M6817 KH6 2024-08-22T15:40:54Z https://community.cisco.com/t5/cloud-networking-platform/meraki-event-querying-and-analysis-tools-incl-3rd-party/m-p/5422823#M6818 <BLOCKQUOTE><HR /></BLOCKQUOTE><BLOCKQUOTE><HR />[...] it seems like you are mainly focused on events.<BR /><HR /></BLOCKQUOTE><P><SPAN>Correct. I.e. don't need "visual" or "simple to use" but rather - a splunk-like QL for Meraki events that is simple to set up and maintain and ideally wouldn't require me to set up some sort of a forwarder (like a syslog server).</SPAN></P><P><SPAN>(E.g. all that <A href="https://www.google.com/search?q=how+to+set+up+Meraki+events+in+Datadog" target="_self" rel="nofollow noopener noreferrer">Datadog seems to need</A> to start receiving logs into their system is an API key. That's already much better than setting up a syslog server.)</SPAN></P><P><SPAN>In other words, the main question remains:</SPAN></P><P><STRONG>What is the simplest way to use a decent Query Language for Meraki events? </STRONG></P><P><SPAN>Perhaps it's Logic Monitor or <A href="https://www.google.com/search?q=how+to+set+up+Meraki+events+in+Datadog" target="_self" rel="nofollow noopener noreferrer">Datadog</A> or New Relic - or Splunk, all of which have integrations. But which one, in terms of QL maturity and overall value?</SPAN></P><P><SPAN>(Ideally the answer would come come from someone who has tried a few and zeroed in on something that worked.)</SPAN></P><P><SPAN>Thanks again!</SPAN></P> Sun, 25 Aug 2024 00:17:29 GMT https://community.cisco.com/t5/cloud-networking-platform/meraki-event-querying-and-analysis-tools-incl-3rd-party/m-p/5422823#M6818 alexeig 2024-08-25T00:17:29Z