Microsoft Windows - Cloud SIEM
Step 1: Configure collection
In this step, you configure a Local Windows Event Log Source to collect Microsoft Windows Event Log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to Configure a Local Windows Event Log Source below. Otherwise, create a new collector as described in Configure an Installed collector below, and then create the Local Windows Event Log Source on the collector.
Configure an Installed Collector
- Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection. New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
- Click Add Collector.
- Click Installed Collector.
- The Add Installed Collector popup appears.
- Download the appropriate collector for your operating system.
- Install the collector. For instructions for your preferred operating system and method of installation, see Installed Collectors.
- Once the collector is installed, confirm it is available on the Collection page and select Edit.
- The Edit Collector popup appears.
- Name. Provide a Name for the Collector.
- Description. (Optional)
- Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory.
- Fields.
  - If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
  - If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the +Add Field link, and add a field whose name is _parser with the value /Parsers/System/Microsoft/Windows-JSON. This will cause all sources on the collector to use the specified parser.
It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
Configure a Local Windows Event Log Source
- Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection. New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
- Navigate to the Installed Collector where you want to create the source.
- Click Add Source next to the Installed Collector.
- Select Windows Event Log.
- The page refreshes.
- Name. Enter a name for the source.
- Description. (Optional)
- Source Host. (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called _sourceHost.
- Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory.
- Fields.
  - If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true.
  - If you have not configured the Installed Collector to parse all sources in the collector with the same parser, click the +Add Field link, and add a field whose name is _parser with the value /Parsers/System/Microsoft/Windows-JSON.
- Event Format. Select Collect using JSON format.
- Windows Event Types. Select the desired event types. You can also specify Custom Event Channels in the box below.
- Event Collection Level. Select Concise Message.
- Security Identifier. You may specify how you want the Security Identifier (SID) to appear in the log message; Username Only is the default option.
- Collection should begin. Specify when you want the log collection to start.
note
If you set Collection should begin to a collection time that overlaps with data that was previously ingested on a source, it may result in duplicated data being ingested into Sumo Logic.
- Click Save.
Step 2: Verify ingestion
In this step, you verify that your logs are successfully making it into Cloud SIEM.
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings. New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
- On the Log Mappings page search for "Windows" and check under Record Volume.
- For a more granular look at the incoming records, you can also search the Sumo Logic platform for Windows security records.
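A zero Record Volume in Step 2 usually traces back to a source that inherited neither the _siemForward nor the _parser field from Step 1. The following added script (not part of the Sumo Logic documentation) applies the page's inheritance rule, collector-level fields apply to every source and source-level fields override them, to audit every Local Windows Event Log source; the Collector Management API paths and the JSON keys collectorType, sourceType and fields are assumptions to confirm against your deployment, and the sample data is constructed.

```python
# Added example: audit installed collectors for Windows Event Log sources that
# will not reach Cloud SIEM. API paths and JSON keys are assumptions to verify.
import json
import urllib.request
from base64 import b64encode

EXPECTED_PARSER = "/Parsers/System/Microsoft/Windows-JSON"

def effective_fields(collector, source):
    """Collector-level fields apply to every source; source fields override them."""
    merged = dict(collector.get("fields") or {})
    merged.update(source.get("fields") or {})
    return merged

def audit(collectors, sources_by_collector):
    """Return (collector name, source name, problem) for each misconfigured source."""
    findings = []
    for col in collectors:
        if col.get("collectorType") != "Installable":  # assumed value; skips hosted
            continue
        for src in sources_by_collector.get(col["id"], []):
            if src.get("sourceType") != "LocalWindowsEventLog":
                continue
            f = effective_fields(col, src)
            if str(f.get("_siemForward", "")).lower() != "true":
                findings.append((col["name"], src["name"], "missing _siemForward=true"))
            if f.get("_parser") != EXPECTED_PARSER:
                findings.append((col["name"], src["name"], f"_parser is {f.get('_parser')!r}"))
    return findings

def fetch(api_base, access_id, access_key):
    """Pull collectors and their sources over the Collector Management API (assumed paths)."""
    auth = b64encode(f"{access_id}:{access_key}".encode()).decode()
    def get(path):
        req = urllib.request.Request(api_base + path, headers={"Authorization": "Basic " + auth})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    collectors = get("/api/v1/collectors")["collectors"]
    return collectors, {c["id"]: get(f"/api/v1/collectors/{c['id']}/sources")["sources"]
                        for c in collectors}

# Constructed sample: forwarding set at collector level, one source lacks the parser.
SAMPLE_COLLECTORS = [{"id": 1, "name": "win-dc01", "collectorType": "Installable",
                      "fields": {"_siemForward": "true"}}]
SAMPLE_SOURCES = {1: [
    {"id": 10, "name": "Security", "sourceType": "LocalWindowsEventLog",
     "fields": {"_parser": EXPECTED_PARSER}},
    {"id": 11, "name": "System", "sourceType": "LocalWindowsEventLog", "fields": {}}]}
```

Run audit(*fetch(api_base, access_id, access_key)) against a live deployment, or audit(SAMPLE_COLLECTORS, SAMPLE_SOURCES) offline, and fix any source it reports before re-checking Record Volume.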