The Lumu Virtual Appliance (VA) offers the option to create VA collectors, a seamless way to integrate the network metadata collected by Security Information and Event Management (SIEM) technologies into the Lumu cloud with the lowest impact on network operation. This document shows how to configure Splunk to send metadata to the Lumu Virtual Appliance.
Requirements
- Admin access to the forwarders in Splunk’s deployment through the CLI.
- The most recent version of the Lumu Virtual Appliance installed.
- Network connectivity between Splunk’s forwarder and the Lumu Virtual Appliance.
This document applies to Splunk Enterprise version 8.1.3 and Splunk Cloud 8.0.2006.
Set up a Lumu VA Collector
Once the Collector is created on the Lumu Portal, you must activate it on the VA. For this, go to the Lumu VA console and run the following command:
applianceadmin@lva:~$ lumu-appliance collectors refresh
If the appliance is running, stop it before setting up collectors. Follow the prompts and enter the parameters required for your collector type.
The following are some examples of data you can be asked to input in this process:
- Protocol type: select TCP or UDP according to your infrastructure and your vendor solution.
- Port number: provide a number between 1024 and 65535, inclusive.
- Timezone: the timezone for setting up the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.
This integration method lets a Splunk forwarder (Universal or Heavy) send events selected by source type to the Lumu Virtual Appliance.
To allow Splunk’s forwarder to forward events from specific source types, you need to create or modify the files props.conf, transforms.conf, and outputs.conf, which should be located in the folder <splunk_home>/etc/system/local/. These files must be readable by the OS user that has access to Splunk.
This is an example of the content of the file props.conf:
## Splunk’s configuration for forwarding events to Lumu VA
[<splunk_source_type>]
TRANSFORMS-<splunk_transform_name> = <splunk_transform_name>
File parameters:
- <splunk_source_type>: Splunk’s source type. This must match the source type configured in the inputs.conf file.
- <splunk_transform_name>: Unique name given to a specific transform stanza. Used in transforms.conf.
This is an example of the content of the file transforms.conf:
[<splunk_transform_name>]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = <splunk_forwarding_stanza>
File parameters:
- <splunk_transform_name>: Unique name given to a specific transform stanza. It is the name referenced by the TRANSFORMS- key in props.conf.
- <splunk_forwarding_stanza>: Forwarding stanza. References the same stanza created in outputs.conf.
This is an example of the content of the file outputs.conf:
## Splunk’s configuration for forwarding events to Lumu VA
[syslog:<splunk_forwarding_stanza>]
server = <lumu_va_ip>:<lumu_va_port>
# The following line is required to prevent Splunk’s syslog handler from re-encapsulating syslog traffic
syslogSourceType = <splunk_source_type>
File parameters:
- <splunk_forwarding_stanza>: Unique name given to a specific forwarding configuration.
- <lumu_va_ip>:<lumu_va_port>: Lumu Virtual Appliance’s IP address and the port assigned to the configured Collector, e.g. 10.1.1.197:9997.
- <splunk_source_type>: Splunk’s source type pattern, e.g. sourcetype::apache_common.
After creating the files, restart the Splunk service on the forwarder. When the service finishes restarting, the forwarder will be able to send logs to the Lumu Virtual Appliance.
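The three files only work as a chain: the TRANSFORMS- key in props.conf must name a stanza in transforms.conf, whose FORMAT must name a syslog stanza in outputs.conf, and that stanza must point at a collector port in the 1024–65535 range with syslogSourceType set. If any link is broken, Splunk keeps indexing the events locally and nothing reaches the VA, with no error at restart. The following checker is an added example, not part of Lumu’s documentation or of Splunk’s tooling; it parses the three files with Python’s configparser and reports every broken link. The sample contents are constructed here and mirror the Fortigate sample later on this page, plus a deliberately broken outputs.conf.

```python
"""Consistency check for the Splunk-to-Lumu syslog routing chain (added example).

props.conf      [<source_type>]   TRANSFORMS-<name> = <name>
transforms.conf [<name>]          DEST_KEY = _SYSLOG_ROUTING, FORMAT = <stanza>
outputs.conf    [syslog:<stanza>] server = <ip>:<port>, syslogSourceType = sourcetype::<type>
"""
import configparser
import ipaddress


def parse_conf(text):
    """Parse Splunk .conf text: INI-like, '=' separated, '#' full-line comments."""
    cp = configparser.ConfigParser(
        interpolation=None,   # Splunk values may contain a literal '%'
        strict=False,         # tolerate repeated stanzas or keys
        delimiters=("=",),    # ':' is legal inside values and stanza names
    )
    cp.optionxform = str      # keep key case (TRANSFORMS-, DEST_KEY, syslogSourceType)
    cp.read_string(text)
    return cp


def check_output_stanza(name, section):
    """Validate the syslog output stanza that points at the Lumu VA collector."""
    problems = []
    host, sep, port = section.get("server", "").rpartition(":")
    if not sep or not port.isdigit():
        problems.append(f"outputs [{name}]: server must be <ip>:<port>")
    else:
        if not 1024 <= int(port) <= 65535:
            problems.append(f"outputs [{name}]: port {port} is outside the collector range 1024-65535")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"outputs [{name}]: server host {host!r} is not an IP address")
    if not section.get("syslogSourceType", "").startswith("sourcetype::"):
        problems.append(f"outputs [{name}]: syslogSourceType must be sourcetype::<type> to avoid re-encapsulation")
    return problems


def check_routing(props_text, transforms_text, outputs_text):
    """Return a list of problems; an empty list means the chain is consistent."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    outputs = parse_conf(outputs_text)
    problems = []
    for source_type in props.sections():
        for key, value in props[source_type].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS- key may list several transforms separated by commas.
            for transform_name in (v.strip() for v in value.split(",")):
                if transform_name not in transforms:
                    problems.append(f"props [{source_type}]: transform [{transform_name}] not in transforms.conf")
                    continue
                t = transforms[transform_name]
                if "REGEX" not in t:
                    problems.append(f"transforms [{transform_name}]: missing REGEX")
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    problems.append(f"transforms [{transform_name}]: DEST_KEY must be _SYSLOG_ROUTING")
                stanza = f"syslog:{t.get('FORMAT', '')}"
                if stanza not in outputs:
                    problems.append(f"transforms [{transform_name}]: FORMAT points to missing stanza [{stanza}]")
                    continue
                problems.extend(check_output_stanza(stanza, outputs[stanza]))
    return problems


# Constructed sample content mirroring the Fortigate example on this page.
PROPS_OK = """\
## Override routing for forwarding
[fortigate_log]
TRANSFORMS-fortigate_traffic_to_lumu = fortigate_traffic_to_lumu
"""
TRANSFORMS_OK = """\
[fortigate_traffic_to_lumu]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fortigate_traffic_to_lumu
"""
OUTPUTS_OK = """\
[syslog:fortigate_traffic_to_lumu]
server = 10.10.1.11:1514
syslogSourceType = sourcetype::fortigate_traffic
"""
# Constructed broken variant: privileged port and no syslogSourceType.
OUTPUTS_BROKEN = """\
[syslog:fortigate_traffic_to_lumu]
server = 10.10.1.11:514
"""

if __name__ == "__main__":
    for label, outputs in (("page sample", OUTPUTS_OK), ("broken sample", OUTPUTS_BROKEN)):
        found = check_routing(PROPS_OK, TRANSFORMS_OK, outputs)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Run it against the real files before restarting the forwarder; when the output is OK, the remaining failure modes are outside the files (the collector not activated on the VA, or no network path to the collector port).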
These are samples of the configuration of different security suites that can be used in the integration of Splunk with the Lumu Virtual Appliance. These files must be located in the folder <splunk_home>/etc/system/local/ and must be readable by the OS user that has access to Splunk.
Fortigate traffic
Configuration variables for the Lumu Virtual Appliance additional collector:
Type: Firewall Log
props.conf
## Override routing for forwarding
[fortigate_log]
TRANSFORMS-fortigate_traffic_to_lumu = fortigate_traffic_to_lumu
Parameters:
- fortigate_log is selected based on the source type configured in the input.
- fortigate_traffic_to_lumu is the suggested name for the transformation.
transforms.conf
## Override transformations for routing
[fortigate_traffic_to_lumu]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fortigate_traffic_to_lumu
Parameters:
- fortigate_traffic_to_lumu (the stanza name) is the name of the transformation referenced in props.conf.
- fortigate_traffic_to_lumu (the FORMAT value) is the suggested name for the outputs.conf syslog stanza.
outputs.conf
## Overrides output to syslog
[syslog:fortigate_traffic_to_lumu]
server = 10.10.1.11:1514
syslogSourceType = sourcetype::fortigate_traffic
Parameters:
- fortigate_traffic_to_lumu is the value of the FORMAT variable in transforms.conf.
- server is the IP address and port where the collector was configured in the Lumu Virtual Appliance.
- sourcetype::fortigate_traffic is the value configured as Splunk’s source type to be sent to the Lumu Virtual Appliance.
Palo Alto traffic
Configuration variables for the Lumu Virtual Appliance additional collector:
Type: Firewall Log
props.conf
## Override routing for forwarding
[pan:firewall]
TRANSFORMS-paloalto_traffic_to_lumu = paloalto_traffic_to_lumu
Parameters:
- pan:firewall is selected based on the source type configured in the input.
- paloalto_traffic_to_lumu is the suggested name for the transformation.
transforms.conf
[paloalto_traffic_to_lumu]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = paloalto_traffic_to_lumu
Parameters:
- paloalto_traffic_to_lumu (the stanza name) is the name of the transformation referenced in props.conf.
- paloalto_traffic_to_lumu (the FORMAT value) is the suggested name of the outputs.conf syslog stanza.
outputs.conf
## Overrides output to syslog
[syslog:paloalto_traffic_to_lumu]
server = 10.10.1.11:1515
syslogSourceType = sourcetype::pan:traffic
Parameters:
- paloalto_traffic_to_lumu is the value configured as the FORMAT variable in the transforms.conf file.
- server is the IP address and port where the collector was configured in the Lumu Virtual Appliance.
- sourcetype::pan:traffic is the value configured as Splunk’s source type to be sent to the Lumu Virtual Appliance.