To receive Lumu logs in Sumo Logic, you need to add a new data source. To do so, follow these steps:
1. Using your Sumo Logic console, go to Manage Data > Collection.
2. In the Collection window, click on the Add… link next to one of your Installed Collectors. Click on the Add Source option.
3. In the Select Source for Collector window, click on the Syslog option under the Platform Sources section.
4. Fill in the required data in the Syslog window. In the Advanced Options for Logs, set the Ignore timezone from log file and instead use option to UTC. Click on the Save button.
Field extraction rules in Sumo Logic allow for the processing of Lumu logs and the extraction of the most relevant fields. You can add a Field Extraction Rule in your Sumo Logic deployment following these steps:
1. In your Sumo Logic console, go to the Manage Data > Logs option.
2. In the Logs window, go to the Field Extraction Rules tab, and click on the + Add Rule button.
3. In the Add Field Extraction Rule window, fill in the required data. The Applied At parameter must be set to Ingest Time, and the Scope to Specific Data. Set the _sourcecategory field to the value given to the Lumu source.
In the Parse expression section, copy and paste the following expression:
parse regex " - \{\"(?<eventType>[^\"]+).*(?:\"id\"|\"incidentId\"): \"(?<incidentId>[^\"]+)\"" | parse "companyId\": \"*\"" as companyId | parse "adversaryId\": \"*\"" as adversaryId nodrop | parse "description\": \"*\"" as description nodrop | parse "endpointName\": \"*\"" as endpoint nodrop | parse "name\": \"*\"" as label nodrop | parse "url\": \"*\"" as url nodrop | parse "endpointIp\": \"*\"" as sourceIp nodrop
Click on the Save button.
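Before enabling the rule at ingest time, it is worth checking what it will actually extract (and which lines it will drop) against a sample event. The following script is an added example, not part of the original page and not Lumu's or Sumo Logic's own tooling: it re-implements the extraction rule above with Python's re module. Sumo Logic's (?<name>...) groups are written as Python's (?P<name>...), each parse anchor becomes a literal-prefix regex, and nodrop is modelled as keeping the line with the field set to None. The sample syslog lines, event type names, IDs and URLs are constructed for this example and are not real Lumu output.

```python
import re

# Equivalent of the rule's "parse regex" stage. The first JSON key after
# " - {" is the event type; the greedy .* means the LAST "id"/"incidentId"
# key in the line is taken as the incident id.
EVENT_RE = re.compile(
    r' - \{"(?P<eventType>[^"]+).*(?:"id"|"incidentId"): "(?P<incidentId>[^"]+)"'
)

# Equivalent of the "parse ... as ..." anchor stages:
# output field -> (JSON key the anchor matches, nodrop?)
ANCHORS = {
    "companyId":   ("companyId",    False),  # no nodrop: line dropped if absent
    "adversaryId": ("adversaryId",  True),
    "description": ("description",  True),
    "endpoint":    ("endpointName", True),
    "label":       ("name",         True),
    "url":         ("url",          True),
    "sourceIp":    ("endpointIp",   True),
}

# Constructed RFC 5424 syslog header followed by a constructed Lumu-style event.
_HEADER = '<14>1 2024-01-01T00:00:00Z lumu-host lumu-universal-siem - - - '
SAMPLE_LINE = _HEADER + (
    '{"NewIncidentCreated": {"companyId": "11111111-2222-3333-4444-555555555555", '
    '"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", '
    '"name": "Malware", '
    '"adversaryId": "malicious.example", '
    '"description": "Malware family contact", '
    '"endpointName": "WORKSTATION-01", '
    '"endpointIp": "10.0.0.25", '
    '"url": "https://example.invalid/incidents/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}}'
)
# Constructed update event that carries only some of the keys (exercises nodrop).
UPDATE_LINE = _HEADER + (
    '{"IncidentUpdated": {"companyId": "11111111-2222-3333-4444-555555555555", '
    '"incidentId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", '
    '"description": "Contact count increased"}}'
)
# Constructed non-event line from the same source (no JSON payload).
NOISE_LINE = _HEADER + 'service started'


def extract_lumu_fields(line):
    """Apply the extraction rule to one log line.

    Returns a dict of the rule's output fields, or None when Sumo Logic would
    drop the line: the parse regex does not match, or a parse stage without
    nodrop finds no value.
    """
    m = EVENT_RE.search(line)
    if m is None:
        return None
    fields = {"eventType": m.group("eventType"),
              "incidentId": m.group("incidentId")}
    for field, (key, nodrop) in ANCHORS.items():
        # Anchor 'key": "*"' -> literal prefix, then the wildcard up to the next quote.
        am = re.search(re.escape(key) + r'": "([^"]*)"', line)
        if am is None:
            if not nodrop:
                return None
            fields[field] = None
        else:
            fields[field] = am.group(1)
    return fields


if __name__ == "__main__":
    for name, line in (("SAMPLE", SAMPLE_LINE),
                       ("UPDATE", UPDATE_LINE),
                       ("NOISE", NOISE_LINE)):
        print(name, "->", extract_lumu_fields(line))
```

Running it shows the update event kept with adversaryId, endpoint, label, url and sourceIp set to None (the nodrop stages), and the plain status line dropped entirely because the parse regex never matches it. If your real events put the "name" key after "endpointName", check the label field carefully: the anchor only looks for the first occurrence of its literal prefix.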
Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.
1. Prepare the container (replace VALUE with proper values):
docker create \
-e CUSTOM_OUTPUT="syslog_proto" \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e COMPANY_KEY=VALUE \
-e APP_VERBOSE=VALUE \
-e OUTPUT_SERVERS=VALUE \
-e SYSLOG_RFC=VALUE \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=3100m \
--log-opt max-file=31 \
lumutools/universal-siem:latest
2. Run it:
docker start lumu-universal-siem
To check your Lumu events in your Sumo Logic deployment, go into your Sumo Logic console, click on the + New button in the tab bar, and click on the Log Search option.
Run a search to query events from the Source Category defined at the time the Lumu source was created. Your Sumo Logic deployment can process the following fields from Lumu events.