Collect Metadata with Lumu VA and Splunk

Collect Metadata with Lumu VA and Splunk

The Lumu Virtual Appliance (VA) offers the option to create VA collectors, a seamless way to integrate the network metadata collected by Security Information and Event Management (SIEM) technologies into the Lumu cloud with the lowest impact on the network operation. This document shows how to configure Splunk to sending metadata to the Lumu Virtual Appliances.

Network diagram with Splunk integratedNetwork diagram with Splunk integrated

Requirements

  1. Admin access to forwarders in Splunk’s deployment through CLI.
  2. Have the most recent version of the Lumu Virtual Appliance installed.
  3. Network connectivity between Splunk’s forwarder and Lumu Virtual Appliance.
This document applies to Splunk Enterprise version 8.1.3 and Splunk Cloud 8.0.2006.

Deploy and Set Up Lumu VA

All the detailed steps and guidance to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

  1. Deploy Virtual Appliances
  2. Configure Virtual Appliances and set up collector

Set up a Lumu VA Collector

Once the Collector is created on the Lumu Portal, you must activate it on the VA. For this, go to the Lumu VA console and run the following command:
applianceadmin@lva:~$ lumu-appliance collectors refresh

If the appliance is running, it should be stopped for setting up collectors. Follow the instructions and inform the parameters required according to your collector type.

The following are some examples of data you can be requested to input in this process:

  1. Protocol type : you can select between TCP and UDP according to your infrastructure and your vendor solution.
  2. Port number : provide a number between 1024 and 65535, inclusive.
  3. Timezone : The timezone for setting up the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.

Configure Splunk to Send Metadata to Lumu VA

This integration method allows sending data that has been selected based on Splunk’s source type of forwarder (Universal or Heavy) to the Lumu Virtual Appliance
To allow Splunk’s forwarder to forward events from specific source types, you need to create or modify the files props.conf , transforms.conf , and outputs.conf that should be located in the folder <splunk_home>/etc/system/local/. These files must have reading permissions for the OS user that has access to Splunk.

This is an example of the content of the file props.conf:
  1. ## Splunk’s configuration for forwarding events to Lumu VA [<splunk_source_type>] TRANSFORMS-<splunk_tranform_name> = <splunk_transform_name>
File parameters:
  1. <splunk_source_type> : Splunk’s source type. This must match with the configured source type on the inputs.conf file.
  1. <splunk_transform_name> : Unique name given to specific transform stanza. Used on transforms.conf file.
This is an example of the content of the file transforms.conf :
  1. [] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT =
File parameters:
  1. <splunk_transform_name> : Unique name given to a specific transform stanza. Used on transforms.conf.
  1. <splunk_forwarding_stanza> : Forwarding stanza. References the same stanza created in outputs.conf.
This is an example of the content of the file outputs.conf:
  1. ## Splunk’s configuration for forwarding events to Lumu VA [syslog:] server = : # The following line is required to avoid Splunk’s syslog handler to re-encapsulate syslog traffic syslogSourceType = sourcetype::
File parameters:
  1. <splunk_forwarding_stanza> : Unique name given to specific forwarding configuration.
  1. <lumu_va_ip>:<lumu_va_port> : Lumu Virtual Appliance’s IP address and assigned port to configured Collector. E.g. 10.1.1.197:9997
  1. <splunk_source_type> : Splunk’s source type pattern. E.g. sourcetype::apache_common
After creating the files, restart the Splunk related service on the forwarder. When the service finishes restarting, the forwarder will be able to send logs to the Lumu Virtual Appliance.

Configure the source

These are samples of the configuration of different security suites that can be used in the integration of Splunk with  the Lumu Virtual Appliance.

These files must be located in the folder <splunk_home>/etc/system/local/ and they must have reading permissions for the OS user that has access to Splunk.

Fortigate traffic

Configuration variables for Lumu Virtual Appliance additional collectors:
Type:  Firewall Log

props.conf
  1. ## Override routing for forwarding [fortigate_log] TRANSFORMS-fortigate_traffic_to_lumu = fortigate_traffic_to_lumu
Parameters:
  1. fortigate_log is selected based on the source type configured in the input
  1. fortigate_traffic_to_lumu is the suggested name for the transformation
transforms.conf
  1. ## Override transformations for routing [fortigate_traffic_to_lumu] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = fortigate_traffic_to_lumu
Parameters:
  1. fortigate_traffic_to_lumu is the name of the transformation referenced in props.conf.
  1. fortigate_traffic_to_lumu is the suggested name for the outputs.conf syslog stanza.
outputs.conf
  1. ## Overrides output to syslog [syslog:fortigate_traffic_to_lumu] server = 10.10.1.11:1514 syslogSourceType = sourcetype::fortigate_traffic
Parameters:
  1. fortigate_traffic_to_lumu is the value of FORMAT variable in transforms.conf.
  1. server is the value configured as IP and the port where the collector was configured in the Lumu Virtual Appliance.
  1. sourcetype::fortigate_traffic is the value configured as Splunk’s source type to be sent to the Lumu Virtual Appliance.
Palo Alto traffic

For specific Splunk related configuration, please refer to the article Palo Alto Networks App for Splunk .

Configuration variables for  the   Lumu Virtual Appliance additional collectors:
Type:  Firewall Log
props.conf
  1. ## Override routing for forwarding [pan:firewall] TRANSFORMS-paloalto_traffic_to_lumu = paloalto_traffic_to_lumu
Parameters:
  1. pan:firewall is selected based on the source type configured in the input
  1. paloalto_traffic_to_lumu is the suggested name for the transformation
transforms.conf
  1. [paloalto_traffic_to_lumu] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = paloalto_traffic_to_lumu
Parameters:
  1. paloalto_traffic_to_lumu is the name of the transformation referenced in props.conf.
  1. paloalto_traffic_to_lumu is the suggested name of the outputs.conf syslog stanza.
outputs.conf
  1. ## Overrides output to syslog [syslog:paloalto_traffic_to_lumu] server = 10.10.1.11:1515 syslogSourceType = sourcetype::pan:traffic
Parameters:
  1. paloalto_traffic_to_lumu is the value configured as the FORMAT variable in the transforms.conf file.
  1. server is the value configured as the IP and the port where the collector was configured in the Lumu Virtual Appliance.
  1. sourcetype::pan:traffic is the value configured as Splunk’s source type to be sent to the Lumu Virtual Appliance.
        • Related Articles

        • Collect Firewall Metadata with Lumu VA and Palo Alto NGFW

          The Lumu Virtual Appliance (VA) offers the option to create Collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation.  In cases where attacks avoid ...
        • Virtual Appliance Collectors

          The Lumu Virtual Appliance (VA) offers the option to create VA Collectors, a seamless way to collect the network metadata of your entire enterprise and forward it to the Lumu cloud with the lowest impact on the network operation. In this quick guide, ...
        • Collect Metadata with Lumu VA

          The Lumu Virtual Appliance (VA) offers the option to create VA collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation.  Collecting metadata other than ...
        • Collect Firewall metadata with Lumu VA and FortiGate

          The Lumu Virtual Appliance (VA) offers the option to create Collectors, a seamless way to integrate with network metadata of your entire enterprise and forward it to the Lumu cloud with the lowest impact on the network operation. In cases where the ...
        • Deploy Virtual Appliances

          The Lumu Virtual Appliance (VA) is a pre-configured lightweight virtual machine solution running Ubuntu that collects the network metadata of your entire enterprise and forwards it to the Lumu cloud with the lowest impact on the network operation. ...