Overview
In this tutorial, you’ll learn how to integrate Votiro Cloud Syslog messages with Sumo Logic using the HTTP logs method.
Procedure
Configure an HTTP Logs and Metrics Source in Sumo Logic
| 1. | In Sumo Logic, select Manage Data > Collection > Collection. |
| 3. | In the Select Collector Type window, select Hosted Collector. |
| 4. | In the Add Hosted Collector window, type a Name and click on Save. |
| 5. | To add a source to the collector, click HTTP Logs & Metrics. |
| 6. | In the HTTP Logs & Metrics screen: |
| b. | Set the Source Category to prod/votiro/syslog. |
| 7. | After saving the source, the HTTP Source Address window is displayed. Copy the address value and click on OK. This address will be used to configure the Votiro Management console. |
| 8. | If the installation was successful, the installed HTTP Logs Collector shows up in the Collection console as Healthy and Hosted. |
Create the Field Extraction Rules at Ingest Time
When configuring the Votiro App, the Sumo Logic Admin should perform the following procedure to create field extraction rules at ingest time:
| 1. | Log in to the Sumo Logic tenant. |
| 2. | Navigate to Manage Data > Logs > Field Extraction Rules. |
| 3. | In the Rule Name field, enter the value Votiro CEF Syslog Parsing. |
| 4. | In Applied At, select Ingest Time. |
| 5. | In Scope, select Specific Data. |
| 6. | Under Metadata, select _sourcecategory. |
| 7. | Under Value, select prod/votiro/syslog. |
| 8. | Copy the following Sumo Logic Votiro Field Extraction rules: |
parse regex "companyName=(?<company_name>.*?)\s\w*[=]|$" nodrop
parse regex "correlationId=(?<correlation_id>.*?)\s\w*[=]|$" nodrop
parse regex "itemId=(?<item_id>.*?)\s\w*[=]|$" nodrop
parse regex "fileName=(?<file_name>.*?)\s\w*[=]|$" nodrop
parse regex "fileType=(?<file_type>.*?)\s\w*[=]|$" nodrop
parse regex "fileHash=(?<file_hash>.*?)\s\w*[=]|$" nodrop
parse regex "fileSize=(?<file_size>.*?)\s\w*[=]|$" nodrop
parse regex "passwordProtected=(?<password_protected>.*?)\s\w*[=]|$" nodrop
parse regex "AVResult=(?<av_result>.*?)\s\w*[=]|$" nodrop
parse regex "threatCount=(?<threat_count>.*?)\s\w*[=]|$" nodrop
parse regex "blockedCount=(?<blocked_count>.*?)\s\w*[=]|$" nodrop
parse regex "fileModification=(?<file_modification>.*?)\s\w*[=]|$" nodrop
parse regex "sanitizationResult=(?<sanitization_result>.*?)\s\w*[=]|$" nodrop
parse regex "sanitizationTime=(?<sanitization_time>.*?)\s\w*[=]|$" nodrop
parse regex "connectorType=(?<connector_type>.*?)\s\w*[=]|$" nodrop
parse regex "connectorName=(?<connector_name>.*?)\s\w*[=]|$" nodrop
parse regex "connectorId=(?<connector_id>.*?)\s\w*[=]|$" nodrop
parse regex "policyName=(?<policy_name>.*?)\s\w*[=]|$" nodrop
parse regex "exceptionId=(?<exception_id>.*?)\s\w*[=]|$" nodrop
parse regex "incidentURL=(?<incident_url>.*?)\s\w*[=]|$" nodrop
parse regex "messageId=(?<message_id>.*?)\s\w*[=]|$" nodrop
parse regex "subject=(?<subject>.*?)\s\w*[=]|$" nodrop
parse regex "from=(?<from>.*?)\s\w*[=]|$" nodrop
parse regex "recipients=(?<recipients>.*?)\s\w*[=]|$" nodrop
parse "* CEF:*|*|*|*|*|*|*|*" as syslog_timestamp, cef_version, device_vendor, device_product, device_version, signature_id, message_name, message_severity, message_extension nodrop
fields - message_extension, cef_version
| 9. | Paste the copied rules into the Parse Expression field. |
| 10. | Click on the Save button. |
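To see what the rules above will extract before saving them in the tenant, here is an added Python emulation of the same patterns (not code from the page, from Votiro or from Sumo Logic) run over a constructed sample line; the field names and the nodrop behaviour follow the rules as listed. In this emulation the last key in the extension (recipients) comes back empty because each pattern requires a following key=, which is worth checking against real Votiro messages.

```python
import re

# Extension keys and the field names the page's parse regex rules assign to them.
EXTENSION_FIELDS = {
    "companyName": "company_name", "correlationId": "correlation_id",
    "itemId": "item_id", "fileName": "file_name", "fileType": "file_type",
    "fileHash": "file_hash", "fileSize": "file_size",
    "passwordProtected": "password_protected", "AVResult": "av_result",
    "threatCount": "threat_count", "blockedCount": "blocked_count",
    "fileModification": "file_modification",
    "sanitizationResult": "sanitization_result",
    "sanitizationTime": "sanitization_time", "connectorType": "connector_type",
    "connectorName": "connector_name", "connectorId": "connector_id",
    "policyName": "policy_name", "exceptionId": "exception_id",
    "incidentURL": "incident_url", "messageId": "message_id",
    "subject": "subject", "from": "from", "recipients": "recipients",
}

# Emulates: parse "* CEF:*|*|*|*|*|*|*|*" as syslog_timestamp, cef_version, ...
HEADER_RE = re.compile(
    r"^(?P<syslog_timestamp>.*?) CEF:(?P<cef_version>.*?)\|(?P<device_vendor>.*?)\|"
    r"(?P<device_product>.*?)\|(?P<device_version>.*?)\|(?P<signature_id>.*?)\|"
    r"(?P<message_name>.*?)\|(?P<message_severity>.*?)\|(?P<message_extension>.*)$"
)

def parse_votiro_cef(line: str) -> dict:
    """Apply the page's rules to one raw line, nodrop-style: a rule that does
    not match yields an empty string instead of dropping the message."""
    fields = {}
    for key, name in EXTENSION_FIELDS.items():
        # Same pattern as the page's rule: the value runs until the next " key=".
        m = re.search(rf"{key}=(?P<v>.*?)\s\w*[=]|$", line)
        fields[name] = (m.group("v") or "") if m else ""
    h = HEADER_RE.search(line)
    fields.update(h.groupdict() if h else {})
    # "fields - message_extension, cef_version" drops these two from the result.
    for dropped in ("message_extension", "cef_version"):
        fields.pop(dropped, None)
    return fields

# Constructed sample line (not a real Votiro message); key names follow the rules above.
SAMPLE = (
    "2024-05-01T10:15:30Z CEF:0|Votiro|Votiro Cloud|9.0|1001|File Sanitized|3|"
    "companyName=Example Corp correlationId=c0ffee01 fileName=Q1 report.pdf "
    "fileType=pdf fileSize=20480 passwordProtected=false AVResult=Clean "
    "threatCount=1 blockedCount=0 sanitizationResult=Sanitized connectorType=Email "
    "policyName=Default subject=Q1 numbers from=alice@example.com "
    "recipients=bob@example.com"
)
```

Run `parse_votiro_cef(SAMPLE)` to see each field; a filename containing spaces (Q1 report.pdf) is captured whole, while keys absent from the line come back empty rather than causing the message to be dropped.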
Install the Votiro App
| 1. | Navigate to the App Catalog on the Sumo Logic tenant and search for Votiro. |
| 3. | After configuring the collector, syslog source and extraction rules, click on Next. |
| 4. | Under LOG data source, in the Source Category field, select Enter a Custom Data Filter and use the source category you created in the steps above. |
| 5. | In the Custom Data Filter field, enter the source category you used when creating the Field Extraction rules as a custom data filter (starting with the underscore character "_"). For example: _sourceCategory=prod/votiro/syslog |
| 6. | Click on Next. The setup completes, a Success message appears and a dashboard is displayed. |
Integrate the Votiro Management Console with the Sumo Logic HTTP Logs Collector
| 1. | Log in to the Votiro Management Dashboard. |
| 2. | Go to the Settings > SIEM page. |
| 3. | Set up the Sumo Logic collector information: |
| a. | For SIEM Server address, enter the collector HTTP source URL. |
| b. | For SIEM server port, enter the default HTTPS port number 443. |
| c. | For Syslog protocol, select HTTP Logs (Sumo Logic). |
| d. | For Syslog format, select CEF (this field is not used by the HTTP Logs method). |
| e. | Save the SIEM settings. |
Verify the Integration
To check if the integration was successful:
| 1. | Send files to sanitization. |
| 2. | Open a Sumo Logic instance. |
| 3. | There are two ways to check syslog events: |
3.a Votiro Dashboard
On the Sumo Logic website, open the newly imported folder Votiro Monitoring Dashboard. Data coming from the configured source should be shown on this dashboard.
3.b Search Ingested Data inside Sumo Logic
Data ingested inside Sumo Logic can be easily searched using the source category by which the data was indexed.
| 2. | Click + New -> Log Search. |
| 3. | In the search field, enter _source={source name} and _collector={collector name}. For example: _source="HTTP-Test" and _collector="HTTP-Test" |
| 4. | Set the time and date fields. |