Carbon Black Cloud - Cloud SIEM
This page has instructions for collecting Carbon Black Cloud log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.
VMware does NOT recommend setting up a Cloud-to-Cloud integration for Carbon Black Cloud and instead recommends collecting logs in an S3 bucket as an intermediary, as described below.
Step 1: Configure collectionβ
In this step, you configure an AWS S3 Source to collect Carbon Black Cloud log messages. You can configure the source on an existing Hosted Collector or create a new collector. If youβre going to use an existing collector, jump to Configure an AWS S3 Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the source on the collector.
Configure a hosted collectorβ
- Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection. - Click Add Collector.
- Click Hosted Collector.
- The Add Hosted Collector popup appears.
- Name. Provide a Name for the Collector.
- Description. (Optional)
- Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called
_sourceCategory
. - Fields.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - If all sources in this collector will be Carbon Black Cloud sources, add an additional field with key
_parser
and value /Parsers/System/VMware/Carbon Black Cloud.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
Itβs also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
Configure an AWS S3 Sourceβ
If you have issues performing the steps below, see the AWS S3 Source topic for more information.
The bucket you designate for Carbon Black Cloud data must be exclusively used for this data source. Note also that the Sumo Logic collector does not support collection of logs that are edited after being stored in S3 and prior to being polled for ingestion to the Sumo Logic core platform.
- Grant Sumo Logic access to an Amazon S3 bucket.
- Enable logging in AWS using the Amazon Console.
- Confirm that logs are being delivered to the Amazon S3 bucket.
- Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection. - Navigate to the Hosted Collector where you want to create the source.
- On the Collectors page, click Add Source next to a Hosted Collector.
- Select Amazon S3.
- The page refreshes.
- Name. Enter a name for the source.
- Description. (Optional)
- S3 Region. Choose the AWS Region the S3 bucket resides in.
- Use AWS versioned APIs? Leave the default, Yes.
- Bucket Name. The name of your organization.s S3 bucket as it appears in AWS.
- Path Expression. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files.
- Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called
_sourceCategory
. - Fields.
- If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. This will ensure all logs for this source are forwarded to Cloud SIEM. - Add another field named
_parser
with value /Parsers/System/VMware/Carbon Black Cloud
- If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
- AWS Access. For AWS Access you have two Access Method options. Select Role-based access or Key access based on the AWS authentication you are providing. Role-based access is preferred. Note that Sumo Logic access to AWS (instructions are provided above in Step 1) is a prerequisite for role-based access
- Role-based access. Enter the Role ARN that was provided by AWS after creating the role.
- Key access. Enter the Access Key ID and Secret Access Key. See AWS Access Key ID and AWS Secret Access Key for details.
- Role-based access. Enter the Role ARN that was provided by AWS after creating the role.
- Log File Discovery. These settings allow Sumo Logic to automatically collect logs from the specified S3 bucket when an Amazon SNS message is received (highly recommended). Alternatively, an automatic scan interval for new log files can be configured.
- Advanced Options for Logs. For information about the optional advanced options you can configure, see AWS S3 Source.
- Click Save.
Step 2: Configure Carbon Black Cloudβ
In this step you configure Carbon Black Cloud to send log messages to an S3 bucket. For instructions, see Data Forwarders in VMware help.
Step 3: Verify ingestionβ
In this step, you verify that your logs are successfully making it into Cloud SIEM.
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings. - On the Log Mappings page search for Carbon Black Cloud and check under Record Volume.
- For a more granular look at the incoming Records, you can also search Sumo Logic for Carbon Black Cloud Records.