Skip to main content

Ingest Corelight Zeek Data into Cloud SIEM

To ingest Corelight Zeek data into Cloud SIEM:

  1. Configure a Syslog source on a collector. When you configure the source, do the following:
    1. In Source Category, enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory. Make a note of the source category. You’ll supply it below.
    2. Click the +Add Field link, and add a field whose name is _siemForward and value is true. This will ensure all logs for this source are forwarded to Cloud SIEM.
  2. Configure a Sumo Logic ingest mapping in Cloud SIEM for the source category assigned to the source you configured above. The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category. 
    1. Classic UI. In the top Cloud SIEM menu select Configuration, and then and under Integrations select Sumo Logic.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Ingest Mappings. You can also click the Go To... menu at the top of the screen and select Ingest Mappings.
    2. On the Ingest Mappings tab, click + Add Ingest Mapping.
    3. On the Add Ingest Mapping popup:
      1. Source Category. Enter the category you assigned to the source above. 
      2. Format. Enter Bro/Zeek JSON.  
      3. Event ID. {_path}.
        Corelight edit mappings
    4. Click Save to save the mapping.
  3. To verify that your logs are successfully making it into Cloud SIEM:
    1. Classic UI. In the top Cloud SIEM menu select Configuration, and then under Incoming Data select Log Mappings.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
    2. On the Log Mappings tab search for "Zeek" and check the Records columns. 
      Corelight record volume
    3. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records:
      _index=sec_record* and metadata_product = "Zeek"
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.