docs/cse/get-started-with-cloud-siem/insight-generation-process.md
Lines changed: 1 addition & 1 deletion
@@ -64,7 +64,7 @@ During the next step of the [record processing flow](/docs/cse/schema/record-pro
64
64
Which particular attribute an entity gets mapped to depends on the [field mappings](/docs/cse/schema/create-structured-log-mapping) in the log mapper for the message source. Given the example message above, “thedude” might be mapped to `user_username` and "185.35.135.245"
65
65
to `srcDevice_ip`.
66
66
67
-
## Rules have one or more On entity attributes
67
+
## Rules have one or more On Entity attributes
68
68
69
69
When you write a rule, you select one or more *On Entity* attributes in the **Then Create a Signal** area of the **Rules Editor**. Here is an example of an existing rule that has two On Entity attributes: `srcDevice_ip` and `dstDevice_ip`.
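Review bot: Style only. Capitalizing "Entity" in the changed heading brings it in line with the *On Entity* term used in the paragraph directly below it (the `srcDevice_ip` / `dstDevice_ip` example), so the heading and body now name the attribute the same way; nothing else in this hunk changes.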
docs/cse/ingestion/cse-ingestion-best-practices.md
Lines changed: 14 additions & 10 deletions
@@ -7,10 +7,10 @@ description: Learn how to send log messages collected by a Sumo Logic Source or
7
7
8
8
import useBaseUrl from '@docusaurus/useBaseUrl';
9
9
10
-
This topic has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records.
10
+
This article has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records.
11
11
12
12
:::note
13
-
Cloud SIEM must be enabled in your Sumo Logic account in order to send data from Sumo Logic to Cloud SIEM. If it isn’t, contact your Sumo Logic Technical Account Engineer or Sales Engineer.
13
+
[Cloud SIEM must be enabled in your Sumo Logic account](/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse/) in order to send data from Sumo Logic to Cloud SIEM. If it isn’t, contact your Sumo Logic Technical Account Engineer or Sales Engineer.
14
14
:::
15
15
16
16
The process consists of configuring a source or collector to forward messages to Cloud SIEM, and ensuring that the forwarded messages are correctly tagged with the information Cloud SIEM needs in order to map messages fields to record attributes. These are referred to as *mapping hints*, and include: Format, Vendor, Product, and an Event ID template.
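Review bot: Link path style. The new link target in the note, `/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse/`, ends with a trailing slash, while other docs links in this file (for example `/docs/get-started/sumo-logic-ui-classic` and `/docs/cse/schema/parser-editor#create-a-local-configuration-for-a-system-parser`) omit it; pick one convention for internal paths in this file. Linking the whole clause "Cloud SIEM must be enabled in your Sumo Logic account" is readable, though linking only "enabled in your Sumo Logic account" would keep the link text shorter. The "topic" to "article" wording change is fine.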
@@ -23,19 +23,19 @@ You can only send log data that resides in the [Continuous data tier](/docs/mana
### Recommended methods to ingest data into Cloud SIEM
27
27
28
-
We recommend the following ingestion processes, starting with the most preferred:
28
+
We recommend the following ingestion methods, starting with the most preferred:
29
29
30
-
1.**Follow an ingestion guide**. The [Ingestion Guides](/docs/cse/ingestion) section of this help site provides specific collection and ingestion recommendations for many common products and services. An ingestion guide describes the easiest way to get data from a particular product into Cloud SIEM. When you’re ready to start using Cloud SIEM to monitor a new product, if there’s a Cloud SIEM ingestion guide for it, we recommend using it.
31
-
1.**Use a Cloud-to-Cloud (C2C) connector**. If you don’t see an Ingestion Guide for your data source, check to see if there is a C2C connector. It’s an easy method, because if you configure your C2C source to send logs to Cloud SIEM, it automatically tags messages it sends to Cloud SIEM with fields that contain the mapping hints that Cloud SIEM requires. <br/><br/>Most C2C connectors have a **Forward to SIEM** option in the configuration UI. If a C2C connector lacks that option, you can achieve the same effect by assigning a field named `_siemforward`, set to *true*, to the connector. <br/><br/>For information about what C2C sources are available, see Cloud-to-Cloud Integration Framework.
30
+
1.**Use a Cloud-to-Cloud (C2C) connector**. It’s an easy method, because if you configure your C2C source to send logs to Cloud SIEM, it automatically tags messages it sends to Cloud SIEM with fields that contain the mapping hints that Cloud SIEM requires. <br/><br/>Most C2C connectors have a [**Forward to SIEM** option](/docs/c2c/info/#metadata-fields) in the configuration UI. If a C2C connector lacks that option, you can achieve the same effect by assigning a field named `_siemforward`, set to *true*, to the connector. <br/><br/>For information about what C2C sources are available, see [Cloud-to-Cloud Integration Framework Sources](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/).
32
31
1.**Use a Sumo Logic Source and parser**. If there isn’t a C2C connector for your data source, your next best option is to use a Sumo Logic Source (running on an Installed Collector or a Hosted Collector, depending on the data source)—and a Sumo Logic parser, if we have one for the data source.
33
32
34
-
Check if there’s a parser for your data source. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Parsers**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Parsers**. You can also click the **Go To...** menu at the top of the screen and select **Parsers**. If there is a parser for your data source, but you find it doesn’t completely meet your needs–for instance if the parser doesn’t support the particular log format you use–consider customizing the parser with a [local configuration](/docs/cse/schema/parser-editor#create-a-local-configuration-for-a-system-parser). If that’s not practical, you can submit a request for a new parser by filing a ticket at [https://support.sumologic.com](https://support.sumologic.com/).
33
+
Check if there’s a parser for your data source. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Parsers**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Parsers**. You can also click the **Go To...** menu at the top of the screen and select **Parsers**.
34
+
35
+
If there is a parser for your data source, but you find it doesn’t completely meet your needs–for instance if the parser doesn’t support the particular log format you use–consider customizing the parser with a [local configuration](/docs/cse/schema/parser-editor#create-a-local-configuration-for-a-system-parser). If that’s not practical, you can submit a request for a new parser by filing a ticket at [https://support.sumologic.com](https://support.sumologic.com/).
35
36
36
-
When you forward logs to Cloud SIEM for parser processing, there are two bits of important configuration:
37
-
38
-
1. Configure the source to forward logs. To configure an HTTP source to send log messages to Cloud SIEM, click the **SIEM Processing** checkbox. You can configure other source types to send data to Cloud SIEM by assigning a field named `_siemforward`, set to *true*, to the source. For example:
37
+
When you forward logs to Cloud SIEM for parser processing, there are two bits of important configuration:
38
+
1. Configure the source to forward logs. To configure an HTTP source to send log messages to Cloud SIEM, click the [**SIEM Processing** checkbox](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source). You can configure other source types to send data to Cloud SIEM by assigning a field named `_siemforward`, set to *true*, to the source. For example:
39
39
40
40
```
41
41
_siemforward=true
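Review bot: Possible list break. The re-indented items `1.**Use a Cloud-to-Cloud (C2C) connector**` and `1.**Use a Sumo Logic Source and parser**` have no space between `1.` and the bold text; if that is the file content and not a rendering artifact, Markdown will not treat them as list items, and numbering will not carry through to the `1. **Use a Sumo Logic Source and Cloud SIEM Ingest mapping**` item in the next hunk, which does have the space. For the same reason, both halves of the "Check if there's a parser for your data source" paragraph, now separated by the added blank line, need to stay indented under the parser item. Removing the "Follow an ingestion guide" item is consistent with dropping "If you don't see an Ingestion Guide for your data source" from the start of the C2C item, and the added links to the **Forward to SIEM** option, the Cloud-to-Cloud Integration Framework Sources page and the **SIEM Processing** checkbox match the text they anchor.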
@@ -53,3 +53,7 @@ We recommend the following ingestion processes, starting with the most preferred
53
53
You can get the path to a parser on the **Parsers** page in Sumo Logic. Click the three-dot kebab menu in the row for a parser, and select **Copy Path**.
54
54
55
55
1. **Use a Sumo Logic Source and Cloud SIEM Ingest mapping**. This is the least recommended method, as you have to manually configure the mapping hints in an ingestion mapping. For more information, see [Configure a Sumo Logic Ingest Mapping](/docs/cse/ingestion/sumo-logic-ingest-mapping/).
56
+
57
+
:::tip
58
+
See [Example Ingestion Sources for Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/) for specific collection and ingestion recommendations for many common products and services.
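Review bot: Possibly unclosed admonition. The hunk header `@@ -53,3 +53,7 @@` says four lines were added, but only three are visible here (a blank line, `:::tip`, and the sentence linking to Example Ingestion Sources for Cloud SIEM); confirm the fourth line is the closing `:::`, otherwise the tip block runs to the end of the file. Since this tip carries the wording of the removed "Follow an ingestion guide" list item ("specific collection and ingestion recommendations for many common products and services"), consider placing it right after "We recommend the following ingestion methods, starting with the most preferred:" so readers see the guides before the ranked list rather than after the least-recommended method.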