Skip to main content

Corelight Zeek - Cloud SIEM

This section has instructions for collecting Corelight Zeek log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.

These instructions are for Corelight Zeek logs sent as JSON over syslog.

Step 1: Configure collection

In this step, you configure a Syslog Source to collect Corelight Zeek log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to Configure a Syslog Source below. Otherwise, create a new collector as described in Configure an Installed Collector below, and then create the Syslog Source on the collector.

Configure an Installed Collector

  1. Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
    New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
  2. Click Add Collector.
  3. Click Installed Collector.
  4. The Add Installed Collector popup appears.
  5. Download the appropriate collector for your operating system.
  6. Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page.
  7. Once the collector is installed, confirm it is available on the Collection page and select Edit.
  8. The Edit Collector popup appears.
    Edit collector
  9. Name. Provide a Name for the Collector.
  10. Description. (Optional)
  11. Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory
  12. Fields. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
  13. Click Save.
note

It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.

Configure a Syslog Source

  1. Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
    New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
  2. Navigate to the Installed Collector where you want to create the source.
  3. On the Collectors page, click Add Source next to an Installed Collector.
  4. Select Syslog
  5. The page refreshes.
    Syslog source
  6. Name. Enter a name for the source. 
  7. Description. (Optional) 
  8. Protocol. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see Choosing TCP or UDP on the Syslog Source page.
  9. Port. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port.
  10. Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory. Make a note of the source category. You’ll supply it in Step 2 below.
  11. Fields. If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true.
  12. Click Save.

Step 2: Configure Corelight Zeek

In this step you configure Zeek to send log messages to the Sumo Logic platform. For instructions, see Corelight JSON Streaming documentation.

Step 3: Cloud SIEM Ingest Configuration

In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in Step 1. The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category. 

  1. Classic UI. In the top menu select Configuration, and then and under Integrations select Sumo Logic.
    New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Ingest Mappings. You can also click the Go To... menu at the top of the screen and select Ingest Mappings.
  2. On the Ingest Mappings tab, click + Add Ingest Mapping.
  3. On the Add Ingest Mapping popup:
    1. Source Category. Enter the category you assigned to the HTTP Source or Hosted Collector in Step 1
    2. Format. Enter Bro/Zeek JSON.  
    3. Event ID. {_path}.
      Corelight edit mappings
  4. Click Create to save the mapping.

Step 4: Verify Ingestion

In this step, you verify that your logs are successfully making it into Cloud SIEM. 

  1. Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
    New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
  2. On the Log Mappings tab search for "Zeek" and check the Records columns. 
    Corelight record volume
  3. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records.
    Corelight search
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.