1 | 1 | --- |
2 | 2 | id: aws-application-load-balancer |
3 | | -title: AWS Application Load Balancer - Cloud SIEM |
| 3 | +title: Ingest AWS Application Load Balancer Data into Cloud SIEM |
4 | 4 | sidebar_label: AWS Application Load Balancer |
5 | 5 | description: Configure collection and ingestion of AWS Application Load Balancer (ALB) log messages from an S3 bucket to be parsed by Cloud SIEM's AWS ALB system parser. |
6 | 6 | --- |
7 | 7 |
|
8 | 8 | import useBaseUrl from '@docusaurus/useBaseUrl'; |
9 | 9 |
|
10 | | -This section has instructions for collecting AWS Application Load Balancer log messages via AWS S3 and sending them to Sumo Logic to be ingested by Cloud SIEM. |
11 | | - |
12 | | -Sumo Logic Cloud SIEM supports the default AWS Application Load Balancer log format which includes all version 2 fields. See [AWS Application Load Balancer log records documentation](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields) for more details. |
13 | | - |
14 | | -## Step 1: Enable AWS Application Load Balancer Logs |
15 | | - |
16 | | -By default, ALB logging is not enabled in your organization's AWS account. You can find additional assistance for enabling logging in [AWS Documentation](http://aws.amazon.com/documentation/elastic-load-balancing/). |
17 | | - |
18 | | -1. In the AWS Management Console, choose **EC2 > Load Balancers**. |
19 | | -1. Under **Access Logs**, click **Edit**. |
20 | | -1. In the **Configure Access Logs** dialog box, click **Enable Access Logs**, then choose an Interval and S3 bucket. This is the S3 bucket that will upload logs to Sumo Logic. |
21 | | -1. Click **Save**. |
22 | | -1. Ensure permission is granted for an AWS Source. |
23 | | - |
24 | | -## Step 2: Configure Collection |
25 | | - |
26 | | -In this step, you configure an HTTP Source to collect AWS ALB log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an AWS S3 Source](#configure-an-aws-s3-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. |
27 | | - |
28 | | -### Configure a hosted collector |
29 | | - |
30 | | -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. |
31 | | -1. Click **Add Collector**. |
32 | | -1. Click **Hosted Collector.** |
33 | | -1. The **Add Hosted Collector** popup appears.<br/><img src={useBaseUrl('img/cse/add-hosted-collector.png')} alt="Add hosted collector" style={{border: '1px solid gray'}} width="500"/> |
34 | | -1. **Name**. Provide a Name for the Collector. |
35 | | -1. **Description**. (Optional) |
36 | | -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. |
37 | | -1. **Fields**. |
38 | | - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. |
39 | | - 1. If all sources in this collector will be AWS ALB sources, add an additional field with key `_parser` and value */Parsers/System/AWS/AWS ALB*. |
40 | | - |
41 | | -:::note |
42 | | -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. |
43 | | -::: |
44 | | - |
45 | | -### Configure an AWS S3 Source |
46 | | - |
47 | | -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. |
48 | | -1. Navigate to the Hosted Collector where you want to create the source. |
49 | | -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. |
50 | | -1. Select Amazon S3. |
51 | | -1. The page refreshes.<br/><img src={useBaseUrl('img/cse/s3-source.png')} alt="S3 source" style={{border: '1px solid gray'}} width="500"/> |
52 | | -1. **Name**. Enter a name for the source. |
53 | | -1. **Description**. (Optional) |
54 | | -1. **S3 Region**. Choose the AWS Region the S3 bucket resides in. |
55 | | -1. **Bucket Name**. The name of your organizations S3 bucket as it appears in AWS |
56 | | -1. **Path Expression**. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files. |
57 | | -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. |
58 | | -1. **Fields**. |
59 | | - 1. If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. |
60 | | - 1. Add another field named `_parser` with value */Parsers/System/AWS/AWS ALB*. |
61 | | -1. **AWS Access**. For AWS Access you have two Access Method options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred. Note that Sumo Logic access to AWS (instructions are provided above in [Step 1](#step-1-enable-aws-application-load-balancer-logs)) is a prerequisite for role-based access |
62 | | - * **Role-based access**. Enter the Role ARN that was provided by AWS after creating the role.<br/><img src={useBaseUrl('img/cse/role-arn.png')} alt="Role ARN" style={{border: '1px solid gray'}} width="500"/> |
63 | | - * **Key access**. Enter the Access Key ID and Secret Access Key. See [AWS Access Key ID](http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html#RequestWithSTS) and [AWS Secret Access Key](https://aws.amazon.com/iam/) for details. |
64 | | -1. In the **Advanced Options for Logs** section, uncheck the **Detect |
65 | | - messages spanning multiple lines** option. |
66 | | -1. Click **Save**. |
67 | | - |
68 | | -## Step 3: Verify ingestion |
69 | | - |
70 | | -In this step, you verify that your logs are successfully making it into |
71 | | -Cloud SIEM. |
72 | | - |
73 | | -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. |
74 | | -1. On the **Log Mappings** tab search for "AWS Application Load Balancer" and check the **Records** columns. |
75 | | -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS ALB Flow security records.<br/><img src={useBaseUrl('img/cse/AWS-elb-search.png')} alt="AWS ELB search" style={{border: '1px solid gray'}} width="600"/> |
| 10 | +To ingest AWS Application Load Balancer data into Cloud SIEM: |
| 11 | +1. [Enable ELB logging in AWS](/docs/send-data/hosted-collectors/amazon-aws/aws-elastic-load-balancing-source/#enable-elb-logging-in-aws). |
| 12 | +1. [Create an Amazon S3 source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#create-an-amazons3-source) on a collector and do the following: |
| 13 | + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. |
| 14 | + 1. Add another field named `_parser` with value */Parsers/System/AWS/AWS ALB*. |
| 15 | +1. To verify that your logs are successfully making it into Cloud SIEM: |
| 16 | + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. |
| 17 | + 1. On the **Log Mappings** tab search for "AWS Application Load Balancer" and check the **Records** columns. |
| 18 | + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS ALB Flow security records.<br/><img src={useBaseUrl('img/cse/AWS-elb-search.png')} alt="AWS ELB search" style={{border: '1px solid gray'}} width="600"/> |
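Review bot: the step telling readers to uncheck **Detect messages spanning multiple lines** under Advanced Options for Logs (removed old lines 64-65) has no counterpart in the new lines 12-14, even though the other removed source-configuration steps are covered by the link to the generic S3 source page. ALB access logs are one record per line, so unless the linked page calls that setting out for ALB, keep it here as a sub-step under step 2 (e.g. `1. In the **Advanced Options for Logs** section, uncheck the **Detect messages spanning multiple lines** option.`); otherwise multiline detection can merge consecutive records before the `/Parsers/System/AWS/AWS ALB` parser sees them. Two smaller points: the removed sentence stating that Cloud SIEM supports the default ALB log format with all version 2 fields linked to the VPC flow-log fields page (`.../vpc/latest/userguide/flow-logs.html#flow-logs-fields`) rather than to ALB access-log documentation, so dropping that link is right, but the statement of the supported format is worth keeping with a corrected link; and new line 18 still calls the results "AWS ALB Flow security records" although ALB access logs are not flow logs, so "AWS ALB security records" would be clearer. Also verify that the anchor `#create-an-amazons3-source` on line 12 resolves on the S3 source page; a heading "Create an Amazon S3 source" would normally slugify with a hyphen between "amazon" and "s3".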