Ingest AWS Application Load Balancer Data into Cloud SIEM
To ingest AWS Application Load Balancer data into Cloud SIEM:
- Enable ELB logging in AWS.
- Create an Amazon S3 source on a collector. When you configure the source, do the following:
- Click the +Add Field link, and add a field whose name is
_siemForward
and value is true. This will ensure all logs for this source are forwarded to Cloud SIEM. - Add another field named
_parser
with value /Parsers/System/AWS/AWS ALB. This ensures that the AWS Application Load Balancer logs are parsed and normalized into structured records in Cloud SIEM.
- Click the +Add Field link, and add a field whose name is
- To verify that your logs are successfully making it into Cloud SIEM:
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings. - On the Log Mappings tab search for "AWS Application Load Balancer" and check the Records columns.
- For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS ALB Flow security records:
_index=sec_record* and metadata_product = "AWS - Application Load Balancer - JSON"
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.