Overview
In this tutorial, you’ll learn how to integrate Votiro Cloud with Sumo Logic by forwarding Votiro's CEF-formatted syslog events to a Sumo Logic Installed Collector, parsing them with an ingest-time field extraction rule, and installing the Votiro App dashboard.
System Requirements
The requirements below apply to the Sumo Logic Installed Collector, the agent that receives syslog events from Votiro and forwards them to the Sumo Logic service.
- Linux, any major 64-bit distribution, or any generic Unix capable of running Java 1.8
- Package installers require TLS 1.2 or higher
Procedure
Configure the Sumo Logic Syslog Collection
| 1. | In Sumo Logic, select Manage Data > Collection > Collection. |
| 2. | Click Integrate with Sumo Logic. |
| 3. | Under Select Data Type, select All other sources. |
| 4. | Under Set Up Collection, select Syslog. |
| 5. | Under Set Up Collection: |
| a. | In step 1, To install a new Collector..., select Linux. |
| b. | In step 2, To download and install a Linux Collector..., click Copy to copy the installation command, then paste it into a terminal on the Linux server and run it as root (or with sudo). The command embeds a collector installation token that registers the host with your Sumo Logic account; treat it as a credential and do not paste it into tickets or chat. |
| c. | In step 3, Once the Collector has been installed and registered, click Continue. |
| 6. | Under Configure Source: |
| a. | In the 1. Enter a Source Category... field, type prod/votiro/syslog. The field extraction rule and the app's data filter configured later in this tutorial both key on this value, so enter it exactly. |
| b. | In 2. Select the protocol..., select TCP. Plain TCP syslog is not encrypted, so keep the path between the Votiro Management Console and the collector on a trusted network segment. |
| c. | In 3. Enter the port..., type 1514. The collector must be reachable on TCP port 1514 from the Votiro Management Console; open that port on any host firewall or security group in between. |
| d. | In 4. Select a time zone..., select UTC. |
| 7. | Under Finish, the Setup Wizard shows a progress bar while it completes the installation. This may take some time. |
| 8. | If the installation succeeded, the Installed Collector appears in the Collection console as Healthy and Installed. |
Create the Field Extraction Rules at Ingest Time
Before installing the Votiro App, a Sumo Logic administrator creates the following ingest-time field extraction rule so that the CEF header fields and extension keys in each Votiro event are available as searchable fields:
| 1. | Login to the Sumo Logic tenant. |
| 2. | Navigate to Manage Data > Logs > Field Extraction Rules. |
| 3. | In the Rule Name field, enter the value Votiro CEF Syslog Parsing. |
| 4. | In Applied At, select Ingest Time. |
| 5. | In Scope, select Specific Data. |
| 6. | Under Metadata, select _sourcecategory. |
| 7. | Under Value, select prod/votiro/syslog. |
| 8. | Copy the following Sumo Logic Votiro Field Extraction rules: |
parse regex "companyName=(?<company_name>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "correlationId=(?<correlation_id>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "itemId=(?<item_id>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "fileName=(?<file_name>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "fileType=(?<file_type>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "fileHash=(?<file_hash>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "fileSize=(?<file_size>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "passwordProtected=(?<password_protected>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "AVResult=(?<av_result>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "threatCount=(?<threat_count>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "blockedCount=(?<blocked_count>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "fileModification=(?<file_modification>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "sanitizationResult=(?<sanitization_result>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "sanitizationTime=(?<sanitization_time>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "connectorType=(?<connector_type>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "connectorName=(?<connector_name>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "connectorId=(?<connector_id>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "policyName=(?<policy_name>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "exceptionId=(?<exception_id>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "incidentURL=(?<incident_url>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "messageId=(?<message_id>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "subject=(?<subject>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "from=(?<from>.*?)(?:\s\w*[=]|$)" nodrop
parse regex "recipients=(?<recipients>.*?)(?:\s\w*[=]|$)" nodrop
parse "* CEF:*|*|*|*|*|*|*|*" as syslog_timestamp, cef_version, device_vendor, device_product, device_version, signature_id, message_name, message_severity, message_extension nodrop
fields - message_extension, cef_version
| 9. | Paste the copied rules into the Parse Expression field. Each rule captures a value up to the next "key=" token or the end of the line, and nodrop keeps events in which a key is absent (the corresponding field is simply not set). |
| 10. | Click on the Save button. |
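Before saving the rule, it is worth checking what the regexes actually extract from a representative event. The following Python script is an added example, not part of this article or of Votiro's or Sumo Logic's own code. It ports the rules above to Python syntax ((?<name>...) becomes (?P<name>...), and the end-of-line alternative is grouped as (?:\s\w*[=]|$) so a key that is last on the line is captured as well), runs them over two constructed sample events, and compares the result with an escape-aware CEF parser. The sample lines are constructed for this example and are not real Votiro output; the one thing the comparison surfaces is that the regex rules leave CEF's \= escape in place, so a subject line containing "=" shows up with a backslash in Sumo Logic.

```python
import re

# Constructed sample events (not real Votiro output) in the shape the collector receives:
# "<timestamp> <host> CEF:0|vendor|product|version|sigId|name|severity|extension".
# The second line ends with policyName, the "last key on the line" edge case.
SAMPLE_LINES = [
    "Jan 12 10:00:01 votiro-mgmt CEF:0|Votiro|Votiro Cloud|9.9|1001|File sanitized|3|"
    "companyName=Acme Corp correlationId=c1a2b3 itemId=it-1 fileName=Q4 budget.xlsx "
    "fileType=xlsx fileSize=204800 passwordProtected=false AVResult=Clean "
    "threatCount=0 blockedCount=0 sanitizationResult=Sanitized connectorType=Email "
    "subject=Re: budget\\=final numbers from=alice@example.com recipients=bob@example.com",
    "Jan 12 10:00:02 votiro-mgmt CEF:0|Votiro|Votiro Cloud|9.9|1002|File blocked|7|"
    "companyName=Acme Corp itemId=it-2 fileName=invoice.pdf fileType=pdf threatCount=1 "
    "blockedCount=1 sanitizationResult=Blocked connectorType=FileShare policyName=Default",
]

# CEF extension key -> field name used by the extraction rule on the page.
RULE_FIELDS = {
    "companyName": "company_name", "correlationId": "correlation_id", "itemId": "item_id",
    "fileName": "file_name", "fileType": "file_type", "fileHash": "file_hash",
    "fileSize": "file_size", "passwordProtected": "password_protected",
    "AVResult": "av_result", "threatCount": "threat_count", "blockedCount": "blocked_count",
    "fileModification": "file_modification", "sanitizationResult": "sanitization_result",
    "sanitizationTime": "sanitization_time", "connectorType": "connector_type",
    "connectorName": "connector_name", "connectorId": "connector_id",
    "policyName": "policy_name", "exceptionId": "exception_id", "incidentURL": "incident_url",
    "messageId": "message_id", "subject": "subject", "from": "from", "recipients": "recipients",
}

# The page's "parse regex" rules in Python syntax: lazy match up to the next " key=" or end of line.
RULES = {field: re.compile(rf"{key}=(?P<{field}>.*?)(?:\s\w*[=]|$)")
         for key, field in RULE_FIELDS.items()}

# Equivalent of: parse "* CEF:*|*|*|*|*|*|*|*" as syslog_timestamp, cef_version, ...
HEADER = re.compile(
    r"^(?P<syslog_timestamp>.*?) CEF:(?P<cef_version>[^|]*)\|(?P<device_vendor>[^|]*)\|"
    r"(?P<device_product>[^|]*)\|(?P<device_version>[^|]*)\|(?P<signature_id>[^|]*)\|"
    r"(?P<message_name>[^|]*)\|(?P<message_severity>[^|]*)\|(?P<message_extension>.*)$")


def extract_with_rules(line: str) -> dict:
    """What the ingest-time rule yields: header fields plus every extension key that matched."""
    out = {}
    m = HEADER.search(line)
    if m:
        out.update(m.groupdict())
    for field, rx in RULES.items():
        m = rx.search(line)
        if m and m.group(field) is not None:   # nodrop: an absent key sets no field
            out[field] = m.group(field)
    out.pop("message_extension", None)          # mirrors "fields - message_extension, cef_version"
    out.pop("cef_version", None)
    return out


def _unescape(value: str) -> str:
    """Resolve CEF escapes (\\= \\| \\\\ and \\n \\r) in a single pass."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


_KEY = re.compile(r"(?:^|\s)(\w+)=")   # a key starts the extension or follows whitespace


def parse_cef_extension(ext: str) -> dict:
    """Tokenise the extension on unescaped 'key=' boundaries and unescape each value."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[k.group(1)] = _unescape(ext[k.end():end].strip())
    return out


def parse_cef(line: str) -> dict:
    """Escape-aware CEF parser: header split on unescaped '|', then the extension."""
    prefix, _, rest = line.partition("CEF:")
    parts = re.split(r"(?<!\\)\|", rest, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF record")
    names = ["cef_version", "device_vendor", "device_product", "device_version",
             "signature_id", "message_name", "message_severity"]
    out = {"syslog_prefix": prefix.strip()}
    out.update({n: _unescape(v) for n, v in zip(names, parts[:7])})
    out.update(parse_cef_extension(parts[7]))
    return out


def compare(line: str) -> dict:
    """Fields where the regex rule and the full parser disagree: {field: (rule_value, parsed_value)}."""
    rules, parsed = extract_with_rules(line), parse_cef(line)
    return {field: (rules[field], parsed[key]) for key, field in RULE_FIELDS.items()
            if field in rules and key in parsed and rules[field] != parsed[key]}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_with_rules(line))
        print("differs from escape-aware parse:", compare(line))
```

Run it with no arguments to print the extracted fields for both samples. Only the subject field differs between the two approaches, and only because of the escaped "=", which is acceptable for dashboards but worth knowing if you search on exact subject values.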
Install the Votiro App
| 1. | Navigate to the App Catalog on the Sumo Logic tenant and search for Votiro. |
| 2. | Click on Add Integration. |
| 3. | Click on Open Setup Doc. This will take you to the documentation on the Sumo Logic Github page. |
| 4. | After configuring the collector, syslog source and extraction rules with the help of the Setup Doc, click on Next. |
| 5. | Under LOG data source, in the Source Category field, select Enter a Custom Data Filter rather than picking a category from the list. |
| 6. | In the Custom Data Filter field, enter a filter on the source category you assigned to the syslog source and the field extraction rule. The filter is the _sourceCategory metadata field (note the leading underscore) followed by that value, for example: _sourceCategory=prod/votiro/syslog |
| 7. | Click on Next. The Setup completes, a Success message appears and a dashboard is displayed. |
Integrate Votiro Management Console with Sumo Logic Syslog Collector
| 1. | Log in to the Votiro Management Dashboard. |
| 2. | Go to the Settings > SIEM page. |
| 3. | Enter the details of the collector's syslog source: the hostname or IP address of the Linux server running the Sumo Logic collector, and the port and protocol configured for that source (TCP port 1514 in this tutorial). |
| 4. | On the Sumo Logic website, open the newly imported folder Votiro Monitoring Dashboard. Data coming from the configured source should be shown on this dashboard. |
Search Ingested Data inside Sumo Logic
Data ingested into Sumo Logic can be searched by the source category under which it was indexed.
| 1. | Click + New -> Log Search. |
| 2. | In the search field, enter: _sourceCategory=prod/votiro/syslog |
| 3. | Set the time range. |
Note: The ingest-time field extraction rule applies only to events received after it was saved; events ingested earlier do not carry the extracted fields. If the results do not appear as a table with the Votiro fields by default, select the extracted fields in the field browser on the left and save them as Displayed Fields so the selection persists across searches.
Event Simulator
For testing purposes Votiro has an Event Simulator for Votiro Syslog (CEF).
Prerequisites
- Event Simulator: contact Votiro support to obtain the Event Simulator code.
- pipenv (https://pypi.org/project/pipenv/) installed on the system where you want to run the simulator. To install pipenv, run:
pip install --user pipenv
Then, from the simulator's project directory (the one containing its Pipfile), install the simulator's dependencies with:
pipenv install
Using the simulator
| 1. | Navigate to the src/ folder. |
| 2. | Generate events using the following command: |
pipenv run python3 simulate.py --ip=<target_ip> --port=<target_port>
Replace <target_ip> and <target_port> with the address of the collector host and the port of the TCP syslog source configured above (1514 in this tutorial). For example, when running the simulator on the collector host itself:
pipenv run python3 simulate.py --ip=localhost --port=1514
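If the vendor simulator is not yet available, the TCP 1514 path from a host to the collector can be exercised with a few lines of Python. The script below is an added example written for this article; it is not Votiro's Event Simulator and its events are constructed, not copied from real Votiro output. It builds CEF records with the escaping the CEF format requires (backslash and pipe in header fields; backslash, "=" and line breaks in extension values), wraps each in an RFC 3164 syslog line terminated by a newline, and sends them over TCP. The --loopback option runs a local listener in place of the collector so the framing can be checked offline; the hostname votiro-mgmt and the extension keys are assumed for the example.

```python
import argparse
import socket
import threading
from datetime import datetime, timezone


def cef_escape_header(value: str) -> str:
    """Escape backslash and pipe, the two characters CEF reserves in header fields."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    """Escape backslash, '=' and line breaks in extension values."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, sig_id, name, severity, ext: dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(cef_escape_header(str(v)) for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={cef_escape_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def build_syslog_frame(cef: str, hostname: str = "votiro-mgmt", when=None,
                       facility: int = 1, severity: int = 6) -> bytes:
    """RFC 3164 line '<PRI>Mmm dd hh:mm:ss host message', newline-terminated for TCP."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity                       # user-level facility, informational
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"     # RFC 3164 pads the day with a space
    return f"<{pri}>{ts} {hostname} {cef}\n".encode()


def sample_frames() -> list:
    """Two constructed events with a fixed timestamp so the output is reproducible."""
    when = datetime(2024, 1, 5, 10, 0, 1, tzinfo=timezone.utc)
    events = [
        build_cef("Votiro", "Votiro Cloud", "9.9", "1001", "File sanitized", 3,
                  {"companyName": "Acme Corp", "fileName": "Q4 budget.xlsx", "fileType": "xlsx",
                   "sanitizationResult": "Sanitized", "subject": "Re: budget=final numbers"}),
        build_cef("Votiro", "Votiro Cloud", "9.9", "1002", "File blocked", 7,
                  {"companyName": "Acme Corp", "fileName": "invoice.pdf", "threatCount": 1,
                   "sanitizationResult": "Blocked", "policyName": "Default"}),
    ]
    return [build_syslog_frame(ev, when=when) for ev in events]


def send_frames(host: str, port: int, frames) -> int:
    """Send newline-delimited frames over one TCP connection; returns the number sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=5) as s:
        for frame in frames:
            s.sendall(frame)
            sent += 1
    return sent


def loopback_demo(frames) -> list:
    """Stand-in for the collector: a local TCP listener that returns the lines it received."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
            received.extend(buf.decode().splitlines())

    t = threading.Thread(target=serve)
    t.start()
    send_frames("127.0.0.1", port, frames)
    t.join()
    srv.close()
    return received


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Send constructed Votiro-style CEF events over TCP syslog")
    ap.add_argument("--ip", default="localhost")
    ap.add_argument("--port", type=int, default=1514)
    ap.add_argument("--loopback", action="store_true", help="test the framing against a local listener")
    args = ap.parse_args()
    if args.loopback:
        for line in loopback_demo(sample_frames()):
            print(line)
    else:
        print(f"sent {send_frames(args.ip, args.port, sample_frames())} events to {args.ip}:{args.port}")
```

After sending to the real collector, search _sourceCategory=prod/votiro/syslog in Sumo Logic; the two events should appear with the extracted fields populated, and subject will show the escaped value Re: budget\=final numbers because the extraction rule does not unescape CEF values.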