Collect Metadata with Lumu VA

Collect Metadata with Lumu VA

The Lumu Virtual Appliance (VA) offers the option to create VA collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation. 

Collecting metadata other than DNS requests is important since some attacks avoid domain resolution, leaving traces of their contacts in the access logs of firewalls, proxies, etc. This option is also available for accommodating networks where DNS configuration is not possible. In this scenario, companies can monitor IP traffic with the Lumu Virtual Appliance acting as a network metadata collector on your enterprise perimeter.

This approach ensures compromise visibility without having to make major changes, as almost every cybersecurity vendor solution can forward metadata externally without impacting their operation.

Network diagram with Lumu VA for metadata collectionNetwork diagram with Lumu VA for metadata collection

Requirements

  1. Admin access and prerequisites to configure your vendor solution.
  2. The most recent version of the Lumu Virtual Appliance installed.
These are the general steps you should follow to configure the vendor solutions to send all metadata such as firewall and proxy logs to Lumu:
Steps to configure a VA collector

Deploy and Set Up Lumu VA

All detailed steps to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

  1. Deploy Virtual Appliances
  2. Configure Virtual Appliances and VA collectors

Set up a Lumu VA Log Collector

Go to the Lumu Virtual Appliance and refresh the VA collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, it should be stopped for setting up collectors.

Example of options when selecting a collectorExample of options when selecting a collector
Select the option that refers to the collection you want to deploy and inform the requested data.
Example of screen when setting up a collectorExample of screen when setting up a collector
The following are some examples of data you can be requested to input in this process:
  1. Protocol type: you can select between TCP and UDP according to your infrastructure and your vendor solution.
  2. Port number: provide a number between 1024 and 65535, inclusive.
  3. Timezone: The timezone for setting up the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.

Configure Vendor Solution to Send Metadata to Lumu VA

Once you have installed and configured a Lumu Virtual Appliance with the respective collector, the next step is to set up the vendor solution to forward metadata to Lumu. Please consult the vendor documentation on instructions to set up or forward logs to the Lumu Virtual Appliance.

You can find documentation from Lumu with more specific guidance and links to the following vendors:

  1. Collect DNS packets with Lumu VA and Packetbeat
  2. Collect DNS queries with Lumu VA and Infoblox
  3. Collect Firewall Metadata with Lumu VA and Check Point
  4. Collect Firewall metadata with Lumu VA and Cisco Meraki
  5. Collect Firewall metadata with Lumu VA and Palo Alto NGFW
  6. Collect Firewall metadata with Lumu VA and WatchGuard
  7. Collect Firewall metadata with Lumu VA and SonicWall
  8. Collect Firewall metadata with Lumu VA and FortiGate

        • Related Articles

        • Virtual Appliance Collectors

          The Lumu Virtual Appliance (VA) offers the option to create VA Collectors, a seamless way to collect the network metadata of your entire enterprise and forward it to the Lumu cloud with the lowest impact on the network operation. In this quick guide, ...
        • Deploy Virtual Appliances

          The Lumu Virtual Appliance (VA) is a pre-configured lightweight virtual machine solution running Ubuntu that collects the network metadata of your entire enterprise and forwards it to the Lumu cloud with the lowest impact on the network operation. ...
        • Manage Virtual Appliances and Collectors

          You have the option to manage Lumu Virtual Appliances (VA) directly from the Lumu Portal. The virtual appliance allows for full visibility into the compromises inside your network and is available for the most commom hypervisors. This document lists ...
        • Collect Firewall Metadata with Lumu VA and SonicWall

          The Lumu Virtual Appliance (VA) offers the option to create Collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation. In cases where attacks avoid ...
        • Collect Firewall metadata with Lumu VA and WatchGuard

          The Lumu Virtual Appliance  (VA) offers the option to create Collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation.  In cases where attacks avoid ...