Forum Discussion
David Caddick
Mar 16, 2020 (Iron Contributor)
Sentinel & Cisco Meraki?
Has anyone had any experience with getting Cisco Meraki feeds ingesting into Sentinel? Just checking for any gotchas...
Manresa
Dec 02, 2020 (Copper Contributor)
mhaasEFD, thanks for the quick response. I understand that, but the Microsoft documentation in "Collect custom logs with Log Analytics agent in Azure Monitor - Azure Monitor | Microsoft Docs" says that:
- The log file must not allow circular logging or log rotation, where the file is overwritten with new entries.
If I understand correctly, this means that the log file in the syslog server can't be rotated, so Azure can accurately take the new entries from where it last read the file.
mperrotta
Dec 03, 2020 (Copper Contributor)
Manresa, I am not sure of the risk implication of this requirement. Maybe we end up missing some flow logs when the rotation occurs?
There are no obvious logs missing that we can see. We have been running this solution for several months now without any issues. This is the only way that I am aware of to capture the full message from Meraki at this time.
Unfortunately, we just consider this the least broken way of doing it.
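
An added example, not part of the thread and not the Log Analytics agent's code: a simplified reader that remembers its byte offset in a log file, run against a constructed file that is overwritten between polls, showing how an entry written just before rotation is missed and how a reader can at least notice that a rotation happened. The class, file name and log lines are hypothetical.

```python
import os
import tempfile

class OffsetTailer:
    """Simplified model of a collector that remembers its read position."""

    def __init__(self, path):
        self.path = path
        self.offset = 0        # bytes already consumed
        self.inode = None
        self.rotations = 0     # rotations this reader noticed

    def poll(self):
        st = os.stat(self.path)
        replaced = self.inode is not None and st.st_ino != self.inode
        truncated = st.st_size < self.offset
        if replaced or truncated:
            # Anything appended between the last poll and the rotation is gone.
            self.rotations += 1
            self.offset = 0
        self.inode = st.st_ino
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        end = data.rfind(b"\n") + 1   # consume complete lines only
        self.offset += end
        return data[:end].decode().splitlines()

def demo():
    """Return (lines the reader saw, rotations it detected)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "meraki.log")   # hypothetical file name

        def append(*lines):
            with open(path, "a") as f:
                f.writelines(line + "\n" for line in lines)

        append("flow 1", "flow 2")             # constructed sample entries
        tailer = OffsetTailer(path)
        seen = tailer.poll()
        append("flow 3")                       # arrives after the last poll
        open(path, "w").close()                # file overwritten in place
        append("flow 4")
        seen += tailer.poll()
        return seen, tailer.rotations

if __name__ == "__main__":
    print(demo())
```

In this run "flow 3" never reaches the reader, and the rotation counter is the only trace that something was skipped. If the overwritten file grows past the old offset before the next poll, the size check in this sketch does not fire, so the gap goes unnoticed.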