Update Zeek article

Author: jpipkin1

docs/cse/sensors/index.md

@@ -12,6 +12,12 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 In this section, we'll introduce the following concepts:
 
 <div className="box-wrapper" >
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/cse/sensors/ingest-zeek-logs"><img src={useBaseUrl('img/icons/logs.png')} alt="Document icon" width="40"/><h4>Ingest Zeek Logs</h4></a>
+  <p>Learn how to collect Zeek (Bro) logs and ingest them to Cloud SIEM.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/sensors/sensor-download-locations"><img src={useBaseUrl('img/icons/operations/sensor.png')} alt="Database icon" width="40"/><h4>Sensor Download Locations</h4></a>
@@ -36,10 +42,4 @@ In this section, we'll introduce the following concepts:
   <p>Learn how to collect Log Sensor status and data to support troubleshooting efforts.</p>
   </div>
 </div>
-<div className="box smallbox card">
-  <div className="container">
-  <a href="/docs/cse/sensors/ingest-zeek-logs"><img src={useBaseUrl('img/icons/logs.png')} alt="Document icon" width="40"/><h4>Ingest Zeek Logs</h4></a>
-  <p>Learn how to collect Zeek (Bro) logs and ingest them to Cloud SIEM.</p>
-  </div>
-</div>
 </div>

docs/cse/sensors/ingest-zeek-logs.md

@@ -12,46 +12,9 @@ This topic has instructions for ingesting Zeek logs into Cloud SIEM. 
 
 Cloud SIEM uses [Zeek](https://zeek.org/) (formerly known as Bro) for network visibility. Zeek is an open source network analysis framework that organizes packets into flows, decodes common protocols, performs file extraction, SSL certificate validation, OS fingerprinting and more. Zeek can be extended through plugins for additional detection capabilities.
 
-## Best collection method: Network Sensor
+## Supported collection method: Sumo Logic Source
 
-Sumo Logic recommends using Cloud SIEM’s Network Sensor to collect Zeek logs and upload them to an HTTP Source on a Sumo Logic Hosted Collector. This is far and away the preferred method: it ensures that supported Bro policies are enabled and that the supported Bro output format is configured. It also results in the creation of Cloud SIEM Records from the raw Zeek log messages. For instructions, see [Network Sensor Deployment Guide](/docs/cse/sensors/network-sensor-deployment-guide). 
-
-The Network Sensor extracts files observed over cleartext protocols that match selected MIME types. You can configure what types will be extracted using the [extracted_file_types](/docs/cse/sensors/network-sensor-deployment-guide) property in the Network Sensor’s configuration file, `trident-sensor.cfg`. By default the sensor will upload password-protected zip files and the following types of executables:
-
-* `application/x-dosexec`
-* `application/x-msdownload`
-* `application/x-msdos-program`
-
-:::note
-YARA [file analysis](/docs/cse/rules/import-yara-rules) is supported only for files extracted by the Network Sensor. If you use
-your own Zeek deployment and ingest logs using a Sumo Logic Source you cannot also upload extracted files. 
-:::
-
-### Filtering Zeek logs
-
-This section describes two methods you can use to filter the logs that the Network Sensor sends to Cloud SIEM.
-
-* You can configure a Berkeley Packet Filter (BPF) filter using the [filter](/docs/cse/sensors/network-sensor-deployment-guide) parameter in Network Sensor’s configuration file, `trident-sensor.cfg`. This is the most efficient filtering mechanism as it is performed before Network Sensor processing.
-
-    The value of the `filter` parameter is an expression that begins with `not`. This example expression ensures the that the Network Sensor won't process any traffic involving host `a.b.c.com` or host `d.e.f.com`:
-
-    `not ( host a.b.c.com ) and not ( host d.e.f.com )`
-
-    For information about BPF filter syntax, see https://biot.com/capstats/bpf.html.  
-     
-* You can also filter by Zeek log type using the [skipped_log_types](/docs/cse/sensors/network-sensor-deployment-guide) property in `trident-sensor.cfg`. The default value of `skipped_log_types` is:
-
-   ```
-   dpd,weird,syslog,pe,tunnel,communication,conn-summary,known_hosts,software,stdout.stderr,loaded_scripts,ntp
-   ```
-
-    You can add additional Zeek log types to the list to exclude them.
-
-The BPF filter is applied before `skipped_log_types`. So, given the example BPF filter above, if you add `dns` to the `skipped_log_types` value, you won't ingest logs related to traffic involving hosts `a.b.c.com` or `d.e.f.com`, and you won't ingest DNS data.
-
-## Alternative collection method: Sumo Logic Source 
-
-Although the Network Sensor is the preferred method for collecting Zeek logs, there is an alternative. If you already have a Zeek deployment, you can collect logs using a Sumo Logic Collector and Source.
+If you already have a Zeek deployment, you can collect logs using a Sumo Logic Collector and Source.
 
 :::note
 This method requires that your Zeek logs are in JSON format. 
@@ -60,7 +23,6 @@ This method requires that your Zeek logs are in JSON format. 
 ### Configure a Sumo Logic Source
 
 In this step, you configure a Sumo Logic Source on an Sumo Logic Installed Collector. Choose the appropriate Source type based on:
-
 * If you already have a method of forwarding Zeek logs in JSON format in Syslog format to a collector in your environment, you can use a Syslog Source to ingest the logs.
 * If you’re not set up to use Syslog, and have Zeek log files stored on a filesystem, you can use a Local File Source to ingest the logs.
 
@@ -141,3 +103,44 @@ Perform these steps for each of the FERs.
    1. **Scope**. Click **Specific Data**.
    1. **Parse Expression**. Enter the parse expression shown in the table above for the field the rule will extract.
 1. Click **Save**.<br/><img src={useBaseUrl('img/cse/example-fer.png')} alt="Example FER" style={{border: '1px solid gray'}} width="400"/>
+
+
+## Unsupported collection method: Network Sensor
+
+:::caution End-of-Life
+This section describes using the Cloud SIEM Network Sensor. The Network Sensor has reached end of life and is no longer supported. Instead, use Zeek. For more information, see [Supported collection method: Sumo Logic Source](#supported-collection-method-sumo-logic-source). 
+:::
+
+You can use Cloud SIEM’s Network Sensor to collect Zeek logs and upload them to an HTTP Source on a Sumo Logic Hosted Collector. This method ensures that supported Bro policies are enabled and that the supported Bro output format is configured. It also results in the creation of Cloud SIEM Records from the raw Zeek log messages. For instructions, see [Network Sensor Deployment Guide](/docs/cse/sensors/network-sensor-deployment-guide). 
+
+The Network Sensor extracts files observed over cleartext protocols that match selected MIME types. You can configure what types will be extracted using the [extracted_file_types](/docs/cse/sensors/network-sensor-deployment-guide) property in the Network Sensor’s configuration file, `trident-sensor.cfg`. By default the sensor will upload password-protected zip files and the following types of executables:
+
+* `application/x-dosexec`
+* `application/x-msdownload`
+* `application/x-msdos-program`
+
+:::note
+YARA [file analysis](/docs/cse/rules/import-yara-rules) is supported only for files extracted by the Network Sensor. If you use your own Zeek deployment and ingest logs using a Sumo Logic Source you can't also upload extracted files. 
+:::
+
+### Filtering Zeek logs
+
+This section describes two methods you can use to filter the logs that the Network Sensor sends to Cloud SIEM.
+
+* You can configure a Berkeley Packet Filter (BPF) filter using the [filter](/docs/cse/sensors/network-sensor-deployment-guide) parameter in Network Sensor’s configuration file, `trident-sensor.cfg`. This is the most efficient filtering mechanism as it is performed before Network Sensor processing.
+
+    The value of the `filter` parameter is an expression that begins with `not`. This example expression ensures the that the Network Sensor won't process any traffic involving host `a.b.c.com` or host `d.e.f.com`:
+
+    `not ( host a.b.c.com ) and not ( host d.e.f.com )`
+
+    For information about BPF filter syntax, see https://biot.com/capstats/bpf.html.  
+
+* You can also filter by Zeek log type using the [skipped_log_types](/docs/cse/sensors/network-sensor-deployment-guide) property in `trident-sensor.cfg`. The default value of `skipped_log_types` is:
+
+   ```
+   dpd,weird,syslog,pe,tunnel,communication,conn-summary,known_hosts,software,stdout.stderr,loaded_scripts,ntp
+   ```
+
+    You can add additional Zeek log types to the list to exclude them.
+
+The BPF filter is applied before `skipped_log_types`. So, given the example BPF filter above, if you add `dns` to the `skipped_log_types` value, you won't ingest logs related to traffic involving hosts `a.b.c.com` or `d.e.f.com`, and you won't ingest DNS data.

docs/cse/sensors/log-sensor-troubleshooting.md

@@ -4,8 +4,9 @@ title: Log Sensor Troubleshooting
 description: Learn how to collect Log Sensor status and data to support troubleshooting efforts.
 ---
 
-
+:::caution end-of-life
 The Cloud SIEM Log Sensor has reached end of life and is no longer supported. Please migrate to a Sumo Logic Hosted Collector or Installed Collector. For more information, see the [end of life notice](https://app.getbeamer.com/cloudsiementerprise/en/end-of-life-notice-_-cloud-siem-enterprise-sensors). 
+:::
 
 The Cloud SIEM Log Sensor collects log data and sends it to the legacy Cloud SIEM server. (The Log Sensor does not send log data to the Sumo Logic platform. Sumo Logic collectors serve that purpose.)
 

docs/cse/sensors/network-sensor-deployment-guide.md

@@ -6,6 +6,11 @@ description: Learn about Network Sensor deployment planning, standard sensor pla
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
+import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
+
+:::caution end-of-life
+<SensorEOL/>
+:::
 
 This section has instructions for deploying the Cloud SIEM Network Sensor. It covers deployment planning, standard sensor placement, sensor requirements, installation, general configuration, and helpful commands. 
 

docs/cse/sensors/network-sensor-troubleshooting.md

@@ -5,6 +5,11 @@ description: Learn how to troubleshoot problems with the Cloud SIEM Network Sens
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
+import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
+
+:::caution end-of-life
+<SensorEOL/>
+:::
 
 The Cloud SIEM Network Sensor is a flexible network security monitor that monitors IP networks and collects flow and protocol session data, building audit records of network communications. As with all network sensors, performance is a key consideration for proper operation and comprehensive data collection. The installation of the Cloud SIEM network sensor configures the sensor with reasonable defaults for many environments. For other environments, such as high throughput deployments, Sumo Logic advises the use of a supported 3rd party Bro/Zeek sensor offering or a custom Zeek cluster deployment.
 

docs/cse/sensors/sensor-download-locations.md

@@ -4,8 +4,14 @@ title: Sensor Download Locations
 description: The Cloud SIEM Network sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment.
 ---
 
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
 
-The Cloud SIEM Network sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment. Each Sumo Logic deployment has URLs used to download sensor software. If you are not sure which endpoint to use, see How can I determine which endpoint I should use?
+:::caution end-of-life
+<SensorEOL/>
+:::
+
+The Cloud SIEM Network Sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment. Each Sumo Logic deployment has URLs used to download sensor software. If you are not sure which endpoint to use, see How can I determine which endpoint I should use?
 
 ## Installing the Network sensor
 

docs/reuse/cloud-siem-network-sensor-eol.md

@@ -0,0 +1 @@
+This article describes using the Cloud SIEM Network Sensor. The Network Sensor has reached end of life and is no longer supported. Instead, use Zeek. For more information, see [Ingest Zeek Logs](/docs/cse/sensors/ingest-zeek-logs/). 

sidebars.ts

@@ -2799,11 +2799,11 @@ integrations: [
           collapsed: true,
           link: {type: 'doc', id: 'cse/sensors/index'},
           items: [
+            'cse/sensors/ingest-zeek-logs',
             'cse/sensors/sensor-download-locations',
             'cse/sensors/network-sensor-deployment-guide',
             'cse/sensors/network-sensor-troubleshooting',
             'cse/sensors/log-sensor-troubleshooting',
-            'cse/sensors/ingest-zeek-logs',
           ],
         },
         {