Collect Metadata with Lumu VA

Collect Metadata with Lumu VA

The Lumu Virtual Appliance (VA) offers the option to create VA collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation. 

Collecting metadata other than DNS requests is important since some attacks avoid domain resolution, leaving traces of their contacts in the access logs of firewalls, proxies, etc. This option is also available for accommodating networks where DNS configuration is not possible. In this scenario, companies can monitor IP traffic with the Lumu Virtual Appliance acting as a network metadata collector on your enterprise perimeter.

This approach ensures compromise visibility without having to make major changes, as almost every cybersecurity vendor solution can forward metadata externally without impacting their operation.

Requirements

  1. Admin access and prerequisites to configure your vendor solution.
  2. The most recent version of the Lumu Virtual Appliance installed.
These are the general steps you should follow to configure the vendor solutions to send all metadata such as firewall and proxy logs to Lumu:
Steps to configure a VA collector

Deploy and Set Up Lumu VA

All detailed steps to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

  1. Deploy Virtual Appliances
  2. Configure Virtual Appliances and VA collectors

Set up a Lumu VA Log Collector

Go to the Lumu Virtual Appliance and refresh the VA collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, it should be stopped for setting up collectors.

Example of options when selecting a collectorExample of options when selecting a collector
Select the option that refers to the collection you want to deploy and inform the requested data.
Example of screen when setting up a collectorExample of screen when setting up a collector
The following are some examples of data you can be requested to input in this process:
  1. Protocol type: you can select between TCP and UDP according to your infrastructure and your vendor solution.
  2. Port number: provide a number between 1024 and 65535, inclusive.
  3. Timezone: The timezone for setting up the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.

Configure Vendor Solution to Send Metadata to Lumu VA

Once you have installed and configured a Lumu Virtual Appliance with the respective collector, the next step is to set up the vendor solution to forward metadata to Lumu. Please consult the vendor documentation on instructions to set up or forward logs to the Lumu Virtual Appliance.

You can find documentation from Lumu with more specific guidance and links to the following vendors:

  1. Collect DNS packets with Lumu VA and Packetbeat
  2. Collect DNS queries with Lumu VA and Infoblox
  3. Collect Firewall Metadata with Lumu VA and Check Point
  4. Collect Firewall metadata with Lumu VA and Cisco Meraki
  5. Collect Firewall metadata with Lumu VA and Palo Alto NGFW
  6. Collect Firewall metadata with Lumu VA and WatchGuard
  7. Collect Firewall metadata with Lumu VA and SonicWall
  8. Collect Firewall metadata with Lumu VA and FortiGate

        • Related Articles

        • Lumu Virtual Appliance DNS Packets Collectors Catalog

          Before attempting this type of implementation, we strongly suggest checking out our Lumu Agent for Windows Server , which can act as a DNS server collector and covers the vast majority of the scenarios of this VA implementation (Windows Server 2016 ...
        • Create VA Collectors

          The Lumu Virtual Appliance (VA) offers the option to create VA Collectors, a seamless way to collect the network metadata of your entire enterprise and forward it to the Lumu cloud with the lowest impact on the network operation. In this quick guide, ...
        • Lumu Virtual Appliance DNS Queries Collectors Catalog

          In the following table, you will find a complete list of DNS Queries Collectors available for deployment as part of Lumu's Virtual Appliances. Collector Logo Collect DNS Queries with Lumu VA and Infoblox Collect DNS Queries with Lumu VA and Citrix ...
        • Lumu Virtual Appliance Collectors

          To get started with Lumu Virtual Appliances, consult our Introduction to Lumu Virtual Appliances article. The Lumu Virtual Appliance (VA) is a pre-configured lightweight virtual machine solution that collects the network metadata of your entire ...
        • Deploy Virtual Appliances

          To get started and review requirements for Lumu Virtual Appliances, consult our document Introduction to Virtual Appliances. Follow these simple steps to create and download a pre-configured Virtual Appliance and start illuminating threats and ...