Skip to main content
Sumo Logic

Collect Logs for Carbon Black Cloud

Configure an S3 bucket for Carbon Black Cloud event and alert logs, forward logs to the bucket, and use S3 sources to collect the logs.

This page has instructions for configuring collection of Carbon Black Cloud event and alert logs. In the steps that follow, you'll set up two Sumo Logic S3 Sources, each of which will collect logs from an S3 bucket, and configure Carbon Black Cloud to send alert and event data to the S3 buckets. 

Step 1: Create S3 bucket

In this step, use the AWS Console to create an S3 bucket. Make a note of the name of the bucket name. Later in this procedure, you'll configure Carbon Black Data Forwarders to send logs to the bucket.  

Step 2: Create Sumo Logic S3 Sources

In this step, you create two S3 Sources to collect logs from the S3 bucket you created in the previous step. One source will collect event logs from the bucket, the other source will collect alert logs. 

As a prerequisite, Grant Sumo Logic access to the S3 bucket.

S3 Source for event logs

Follow these steps to set up an S3 Source to collect event logs from your S3 bucket. (For detailed instruction on S3 Source configuration options, see AWS S3 Source.)

  1. In Sumo Logic select Manage Data > Collection > Collection
  2. On the Collectors page, click Add Source next to a Hosted Collector, either an existing Hosted Collector, or one you have created for this purpose.
  3. Select Amazon S3.
  4. Enter a name for the new Source. A description is optional.
  5. Select an S3 region or keep the default value of Others. The S3 region must match the appropriate S3 bucket created in your Amazon account.
  6. Use AWS versioned APIs? Select No 
  7. Bucket Name. Enter the exact name of the S3 bucket you created above.
  8. Path Expression. Enter:
  9. Collection should begin. Choose or enter how far back you'd like to begin collecting historical logs.
  10. For Source Category, enter any string to tag the output collected from this Source. (Category metadata is stored in a searchable field called _sourceCategory.) Make a note of the Source Category you assign; you will need it when you install the  the Carbon Black Cloud App.
  11. For AWS Access you have two Access Method options. Select Role-based access or Key access based on the AWS authentication you are providing. Role-based access is preferred, this was completed in the prerequisite step Grant Sumo Logic access to an AWS Product.
    • For Role-based access enter the Role ARN that was provided by AWS after creating the role. 
      Role based access input roleARN.png
    • For Key access enter the Access Key ID and Secret Access Key. See AWS Access Key ID and AWS Secret Access Key for details.

S3 Source for alert logs

Follow the steps in S3 Source for event logs above to create another S3 source that will collect alert logs from the S3 bucket. When creating the source, assign it its own source category value, and set the Path Expression to:


Step 3: Configure Carbon Black Cloud to send alert and event logs to S3

In this step you configure two Carbon Black Data Forwarders to push event and alert logs to S3.  

To configure the Data Forwarders, follow the instructions in VMware help.

When you configure a Data Forwarder, you supply an S3 bucket name and an S3 prefix. For both the forwarders specify the same S3 bucket—the one you created above. The value for the S3 prefix is different for each forwarder:

  • For the event forwarder, set S3 prefix to events/ 
  • For the alert forwarder, set S3 prefix to alerts/ 

Please carefully evaluate this information to assure that your configuration reflects the data set you would like to send to Sumo Logic.