diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
index 0a4acc91d5..46f3c90fd7 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
@@ -22,4 +22,5 @@ To ingest Corelight Zeek data into Cloud SIEM:
1. To verify that your logs are successfully making it into Cloud SIEM:
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top Cloud SIEM menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. On the **Log Mappings** tab search for "Zeek" and check the **Records** columns.
})
- 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records:
`_index=sec_record* and metadata_product = "Zeek"`
\ No newline at end of file
+ 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records:
`_index=sec_record* and metadata_product = "Zeek"`
+
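Review bot: the only substantive change here is restoring the missing newline at the end of the file, but the extra empty `+` line after the search-query line leaves the file ending in a blank line rather than a single newline terminator; drop it unless the repository's formatter expects a trailing blank line.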
diff --git a/docs/cse/rules/import-yara-rules.md b/docs/cse/rules/import-yara-rules.md
index 3715fe1762..b53ae71016 100644
--- a/docs/cse/rules/import-yara-rules.md
+++ b/docs/cse/rules/import-yara-rules.md
@@ -13,7 +13,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
This section has instructions for importing YARA rules from GitHub into Cloud SIEM.
-YARA rules are an open source framework for identifying malware. Cloud SIEM runs YARA rules against files uploaded by the [network sensor](/docs/cse/sensors/network-sensor-deployment-guide). When a file matches a YARA rule, Cloud SIEM creates a special record which results in a “file analysis” signal being created. Once you’ve imported rules, Cloud SIEM will sync with the repository no less than every hour.
+YARA rules are an open source framework for identifying malware. Cloud SIEM runs YARA rules against files uploaded by the [network sensor](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek/). When a file matches a YARA rule, Cloud SIEM creates a special record which results in a “file analysis” signal being created. Once you’ve imported rules, Cloud SIEM will sync with the repository no less than every hour.
To import YARA rules:
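Review bot: the anchor text in the changed line still reads "network sensor" while the link now targets the Corelight Zeek ingestion page, so the sentence claims YARA rules run against files uploaded by a component whose page now describes collecting Zeek logs through a Sumo Logic Source. Either update the wording to say which data source now supplies files for YARA analysis, or keep the link text honest about where it leads; a reader following it to learn about the sensor will land on a log-ingestion page.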
diff --git a/docs/cse/sensors/index.md b/docs/cse/sensors/index.md
deleted file mode 100644
index 6ad1e09bd3..0000000000
--- a/docs/cse/sensors/index.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-slug: /cse/sensors
-title: Cloud SIEM Sensors
-description: Cloud SIEM Sensors collect log and event data from your infrastructure and applications.
----
-
-
-This guide has information about Cloud SIEM sensors, the components that collect log and event data from your infrastructure and applications.
-
-import useBaseUrl from '@docusaurus/useBaseUrl';
-
-In this section, we'll introduce the following concepts:
-
-
-
-
-
})
Ingest Zeek Logs
-
Learn how to collect Zeek (Bro) logs and ingest them to Cloud SIEM.
-
-
-
-
-
})
Sensor Download Locations
-
Learn about where to download the Cloud SIEM Network Sensor that's specific to your Cloud SIEM deployment.
-
-
-
-
-
-
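Review bot: deleting `docs/cse/sensors/index.md` removes the `/cse/sensors` slug, yet the deployment guide later in this patch still links into `/docs/cse/sensors/sensor-download-locations/`, and the deleted index pointed at `Ingest Zeek Logs` and `Sensor Download Locations`, neither of which is removed here. Add a redirect for `/cse/sensors` (or confirm one exists) and search for remaining links to the index so the surviving sensor pages are not orphaned.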
diff --git a/docs/cse/sensors/ingest-zeek-logs.md b/docs/cse/sensors/ingest-zeek-logs.md
index 2fbb9e0b7e..f1563242f8 100644
--- a/docs/cse/sensors/ingest-zeek-logs.md
+++ b/docs/cse/sensors/ingest-zeek-logs.md
@@ -6,18 +6,18 @@ description: Learn how to collect Zeek (Bro) logs and ingest them to Cloud SIEM.
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic has instructions for ingesting Zeek logs into Cloud SIEM.
+This topic has instructions for ingesting Zeek logs into Cloud SIEM.
## What is Zeek?
-Cloud SIEM uses [Zeek](https://zeek.org/) (formerly known as Bro) for network visibility. Zeek is an open source network analysis framework that organizes packets into flows, decodes common protocols, performs file extraction, SSL certificate validation, OS fingerprinting and more. Zeek can be extended through plugins for additional detection capabilities.
+Cloud SIEM uses [Zeek](https://zeek.org/) (formerly known as Bro) for network visibility. Zeek is an open source network analysis framework that organizes packets into flows, decodes common protocols, performs file extraction, SSL certificate validation, OS fingerprinting and more. Zeek can be extended through plugins for additional detection capabilities.
## Supported collection method: Sumo Logic Source
If you already have a Zeek deployment, you can collect logs using a Sumo Logic Collector and Source.
:::note
-This method requires that your Zeek logs are in JSON format.
+This method requires that your Zeek logs are in JSON format.
:::
### Configure a Sumo Logic Source
@@ -30,7 +30,7 @@ After configuring the appropriate source, use one of the methods described in [E
### Enable parsing and mapping of Zeek logs
-This configuration step is required to ensure that Cloud SIEM knows how to parse incoming Zeek logs, correctly map the log fields to schema attributes, and create Cloud SIEM records. The most important bit of information is what type of data a particular log contains. Zeek has a variety of log types, for example `conn` for TCP/UDP/ICMP connections, `http` for HTTP requests and replies, and `ftp` for FTP activity.
+This configuration step is required to ensure that Cloud SIEM knows how to parse incoming Zeek logs, correctly map the log fields to schema attributes, and create Cloud SIEM records. The most important bit of information is what type of data a particular log contains. Zeek has a variety of log types, for example `conn` for TCP/UDP/ICMP connections, `http` for HTTP requests and replies, and `ftp` for FTP activity.
So, how to determine whether a Zeek log is a `conn`, `http`, `ftp`, or some other log type? Zeek logs don’t contain a key that explicitly holds a value that is only the log type identifier. There are two options for dealing with this:
@@ -54,15 +54,15 @@ After installing the `json-streaming-logs` package, follow these instructions to
### Use FERs
-With this method, you use Sumo Logic Field Extraction Rules (FERs) to extract fields from each Zeek log. The fields you extract will provide the information necessary for Cloud SIEM to correctly parse and map the logs.
+With this method, you use Sumo Logic Field Extraction Rules (FERs) to extract fields from each Zeek log. The fields you extract will provide the information necessary for Cloud SIEM to correctly parse and map the logs.
-Here’s an example Bro log from the Security Onion platform.
+Here’s an example Bro log from the Security Onion platform.
```
{"TAGS":".source.s_bro_conn","SOURCEIP":"127.0.0.1","PROGRAM":"bro_conn","PRIORITY":"notice","MESSAGE":"{\"ts\":\"2020-05-28T10:32:51.997054Z\",\"uid\":\"Cu3KVA2TbWqZm1Z0S6\",\"id.orig_h\":\"1.2.3.4\",\"id.orig_p\":16030,\"id.resp_h\":\"5.6.7.8\",\"id.resp_p\":161,\"proto\":\"udp\",\"duration\":30.000317811965942,\"orig_bytes\":258,\"resp_bytes\":0,\"conn_state\":\"S0\",\"local_orig\":true,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":6,\"orig_ip_bytes\":426,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"sensorname\":\"test\"}","ISODATE":"2020-05-28T10:34:24+00:00","HOST_FROM":"somehost","HOST":"somehost","FILE_NAME":"/nsm/bro/logs/current/conn.log","FACILITY":"user"}
```
-In the log above, the content of the Bro log is the value of the `MESSAGE` key. Note that no key in the log explicitly states the log type, which is `conn`.
+In the log above, the content of the Bro log is the value of the `MESSAGE` key. Note that no key in the log explicitly states the log type, which is `conn`.
To enable Cloud SIEM to successfully process the log, we need to create the following fields listed in the table below.
@@ -99,7 +99,7 @@ Perform these steps for each of the FERs.
1. Click **Add Rule**.
1. In the **Add Field Extraction Rule** pane:
1. **Rule Name**. Enter a meaningful name for the rule.
- 1. **Applied At**. Click Ingest Time.
+ 1. **Applied At**. Click Ingest Time.
1. **Scope**. Click **Specific Data**.
1. **Parse Expression**. Enter the parse expression shown in the table above for the field the rule will extract.
1. Click **Save**.
})
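Review bot: in the `Applied At` step, `Ingest Time` is the UI control being clicked but is not bolded, while the neighbouring `Specific Data` and `Save` are; since the line is already being touched, make it `**Applied At**. Click **Ingest Time**.` for consistency.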
@@ -143,4 +143,4 @@ This section describes two methods you can use to filter the logs that the Netwo
You can add additional Zeek log types to the list to exclude them.
-The BPF filter is applied before `skipped_log_types`. So, given the example BPF filter above, if you add `dns` to the `skipped_log_types` value, you won't ingest logs related to traffic involving hosts `a.b.c.com` or `d.e.f.com`, and you won't ingest DNS data.
\ No newline at end of file
+The BPF filter is applied before `skipped_log_types`. So, given the example BPF filter above, if you add `dns` to the `skipped_log_types` value, you won't ingest logs related to traffic involving hosts `a.b.c.com` or `d.e.f.com`, and you won't ingest DNS data.
diff --git a/docs/cse/sensors/log-sensor-troubleshooting.md b/docs/cse/sensors/log-sensor-troubleshooting.md
index ef7e9c43a3..3a1277bf0b 100644
--- a/docs/cse/sensors/log-sensor-troubleshooting.md
+++ b/docs/cse/sensors/log-sensor-troubleshooting.md
@@ -5,7 +5,7 @@ description: Learn how to collect Log Sensor status and data to support troubles
---
:::warning end-of-life
-The Cloud SIEM Log Sensor has reached end of life and is no longer supported. Please migrate to a Sumo Logic Hosted Collector or Installed Collector. For more information, see the [end of life notice](https://app.getbeamer.com/cloudsiementerprise/en/end-of-life-notice-_-cloud-siem-enterprise-sensors).
+The Cloud SIEM Log Sensor has reached end of life and is no longer supported. Please migrate to a Sumo Logic Hosted Collector or Installed Collector. For more information, see the [end of life notice](https://app.getbeamer.com/cloudsiementerprise/en/end-of-life-notice-_-cloud-siem-enterprise-sensors).
:::
The Cloud SIEM Log Sensor collects log data and sends it to the legacy Cloud SIEM server. (The Log Sensor does not send log data to the Sumo Logic platform. Sumo Logic collectors serve that purpose.)
@@ -23,44 +23,44 @@ The following command restarts the sensor. You need to restart the sensor after
This command returns the status of the Log Sensor.
`$ systemctl status trident_log_sensor`
-
+
-## Show sensor listen ports
+## Show sensor listen ports
The following command lists the sensor's listen ports, and state information for each.
-`$ ss -an | grep LIST | grep :::85.. `
+`$ ss -an | grep LIST | grep :::85.. `
## View sensor configuration file
-This command lists the sensor’s configuration file.
+This command lists the sensor’s configuration file.
`$ cat /opt/trident/log-sensor/conf/trident-sensor.cfg`
-
+
## Edit sensor configuration file
This command opens the sensor’s configuration file in the vi editor.
-`$ vi /opt/trident/log-sensor/conf/trident-sensor.cfg `
+`$ vi /opt/trident/log-sensor/conf/trident-sensor.cfg `
## View sensor log file
This command tails the sensor’s log file, assuming that it is located in its default location.
`$ tail -f /opt/trident/log-sensor/logs/trident-sensor.log`
-
+
-## View logs sent by the sensor to Cloud SIEM
+## View logs sent by the sensor to Cloud SIEM
This command tails the sensor’s `output.log` file which contains logs that the sensor has sent to the Cloud SIEM server.
`$ tail -f /opt/trident/log-sensor/output/log/output.log`
-## View count of logs sent by the sensor to Cloud SIEM
+## View count of logs sent by the sensor to Cloud SIEM
This command returns a count of the logs sent by the sensor to the Cloud SIEM server.
`$ ls -lh /opt/trident/log-sensor/output/log/`
-
+
\ No newline at end of file
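Review bot: the heading `View count of logs sent by the sensor to Cloud SIEM` promises a count, but `ls -lh /opt/trident/log-sensor/output/log/` lists files and their sizes rather than counting them; either reword the description ("lists the output files and their sizes") or pipe the listing into `wc -l`. The code spans for `ss -an | grep LIST | grep :::85.. ` and `vi /opt/trident/log-sensor/conf/trident-sensor.cfg ` also keep a trailing space inside the backticks, which this whitespace pass could trim as well.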
diff --git a/docs/cse/sensors/network-sensor-deployment-guide.md b/docs/cse/sensors/network-sensor-deployment-guide.md
index 4807f95e3c..75b7660984 100644
--- a/docs/cse/sensors/network-sensor-deployment-guide.md
+++ b/docs/cse/sensors/network-sensor-deployment-guide.md
@@ -12,7 +12,7 @@ import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
:::
-This section has instructions for deploying the Cloud SIEM Network Sensor. It covers deployment planning, standard sensor placement, sensor requirements, installation, general configuration, and helpful commands.
+This section has instructions for deploying the Cloud SIEM Network Sensor. It covers deployment planning, standard sensor placement, sensor requirements, installation, general configuration, and helpful commands.
## Network Sensor overview
@@ -32,7 +32,7 @@ The sensor uses [PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/)
1. Use the scaling guide to determine the CPU and memory requirements for the VM or hardware. Confirm that their firewall rules are in place.
1. Confirm that there is traffic flowing on the interface.
1. Install the sensor.
-1. Confirm the configuration and that data is flowing into the cluster.
+1. Confirm the configuration and that data is flowing into the cluster.
## Network Sensor positioning best practices
@@ -80,7 +80,7 @@ The Network Sensor logs every connection attempt observed, even those consisting
#### NAT Devices
-Aside from the devices and configurations described above, similar challenges are presented any time a Network Sensor inspects traffic after application of Network Address Translation. (NAT). NAT may refer to port address translation (PAT), source or destination NATs. In any case that a NAT policy rewrites the source IP address of a connection, it can impact the ability for Cloud SIEM to analyze and identify affected assets and makes it difficult for operations teams to respond effectively. Sumo Logic recommends that Network Sensors have visibility in front of NAT.
+Aside from the devices and configurations described above, similar challenges are presented any time a Network Sensor inspects traffic after application of Network Address Translation. (NAT). NAT may refer to port address translation (PAT), source or destination NATs. In any case that a NAT policy rewrites the source IP address of a connection, it can impact the ability for Cloud SIEM to analyze and identify affected assets and makes it difficult for operations teams to respond effectively. Sumo Logic recommends that Network Sensors have visibility in front of NAT.
## Installation requirements
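Review bot: "Network Address Translation. (NAT)." in the NAT paragraph has a stray period before the parenthetical; since the line is being rewritten anyway, make it "Network Address Translation (NAT)." The following sentence, "NAT may refer to port address translation (PAT), source or destination NATs", would also read better as "NAT may refer to port address translation (PAT) or to source or destination NAT".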
@@ -91,9 +91,9 @@ This section describes resource requirements and prerequisites for Network Senso
We recommend installing the Network Sensor on a host with at least two interfaces - one for traffic monitoring and one for management. That way, the sensor doesn't process and upload traffic associated with sensor management for analysis.
The system upon which you install the Network Sensor must have the following resources, at a minimum. Depending on expected throughput, additional core, memory, and storage resources may be required, as shown in [Throughput-dependent resource requirements](#throughput-dependent-resource-requirements)
-below.
+below.
-| Operating System | Cores (CPU) | Memory (RAM) | Storage (Disk) |
+| Operating System | Cores (CPU) | Memory (RAM) | Storage (Disk) |
|:------------------------------------|:-------------|:--------------|:----------------|
| CentOS 7 or Ubuntu 16, 18, 20 | 4 | 4GB | 250GB |
@@ -129,7 +129,7 @@ reboot
### Outbound firewall rules
-See [Securing access to Sumo Logic infrastructure via DNS name or IP address](/docs/api/about-apis/getting-started#securing-access-to-sumo-logic-infrastructure-via-dns-name-or-ip-address) for information on how to configure your firewall for outbound access to Sumo Logic.
+See [API](/docs/api/) for information on how to configure your firewall for outbound access to Sumo Logic.
### Interface considerations
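Review bot: replacing the deep link "Securing access to Sumo Logic infrastructure via DNS name or IP address" with a bare `[API](/docs/api/)` loses the specific guidance the sentence promises; a reader configuring outbound firewall rules now lands on the API index with no hint of where the endpoint list lives. If the section moved, link to its new location and keep descriptive link text; if it was removed, say where the allowlist information is now found rather than pointing at the API root.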
@@ -148,7 +148,7 @@ A number of NIC offload features should be disabled on capture devices (interfac
#### NIC Hardware Buffer Queue Length
-The default size of the ring buffer on many NICs is conservative and in high traffic, scenarios may cause some frames to be dropped before they can be processed.
+The default size of the ring buffer on many NICs is conservative and in high traffic, scenarios may cause some frames to be dropped before they can be processed.
Verify the ring parameters for the capture interface(s). The following example shows a maximum RX value of 4096, but an effective setting of
256.
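Review bot: the comma in "in high traffic, scenarios may cause some frames to be dropped" splits the noun phrase; it should read "in high-traffic scenarios may cause some frames to be dropped before they can be processed".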
@@ -174,7 +174,7 @@ An example interface configuration which increases the RX ring buffer size is pr
#### Recommended interface configuration
-The following stanza can be set as an *interface (5)* configuration in Debian or Ubuntu Linux sensors. Most often the file path is `/etc/network/interfaces` (some installations may use a file in `/etc/network/interfaces.d/`). These settings configure the network interface for optimized traffic capture as described above. Similar concepts apply to Red Hat-based distributions using interface setup configurations provided by the distribution.
+The following stanza can be set as an *interface (5)* configuration in Debian or Ubuntu Linux sensors. Most often the file path is `/etc/network/interfaces` (some installations may use a file in `/etc/network/interfaces.d/`). These settings configure the network interface for optimized traffic capture as described above. Similar concepts apply to Red Hat-based distributions using interface setup configurations provided by the distribution.
**/etc/network/interfaces (Debian/Ubuntu)**
@@ -192,7 +192,7 @@ iface eno1 inet manual
post-down /sbin/ethtool -A $IFACE rx on autoneg on
```
-The section below describes the settings configured above.
+The section below describes the settings configured above.
#### Interface settings
@@ -224,25 +224,25 @@ Link settings
## Install the Network Sensor
-Download the installer using the download link for your deployment shown on [Sensor Download Locations](/docs/cse/sensors/sensor-download-locations/). Start the installer using the command provided on that page, and then respond to the prompts as described below.
+Download the installer using the download link for your deployment shown on [Sensor Download Locations](/docs/cse/sensors/sensor-download-locations/). Start the installer using the command provided on that page, and then respond to the prompts as described below.
## Uninstall the Network Sensor
-1. Before uninstalling the Network Sensor, make sure that the service is stopped: `sudo service trident_sensor stop`
+1. Before uninstalling the Network Sensor, make sure that the service is stopped: `sudo service trident_sensor stop`
1. To remove the package:
* On Ubuntu, using `dpkg`: `sudo dpkg -r trident-sensor`
- * On Ubuntu, using `apt` (removes dependencies): `sudo apt remove trident-sensor`
+ * On Ubuntu, using `apt` (removes dependencies): `sudo apt remove trident-sensor`
* On Centos: `sudo yum remove trident-sensor`
1. Remove remaining configuration and log files: `sudo rm -rf /opt/trident/sensor`
## Network Sensor configuration settings
-This section describes the configuration options in the Network Sensor configuration file, ` /opt/trident/sensor/conf/trident-sensor.cfg`.
+This section describes the configuration options in the Network Sensor configuration file, ` /opt/trident/sensor/conf/trident-sensor.cfg`.
-We strongly recommend that you do not edit trident-sensor.cfg manually. Instead, you should run `/opt/trident/sensor/bin/configure.sh`, which is
-the wizard that runs when you install a Network Sensor. For some configuration options, the wizard updates both `/opt/trident/sensor/conf/trident-sensor.cfg` and `node.cfg`.
+We strongly recommend that you do not edit trident-sensor.cfg manually. Instead, you should run `/opt/trident/sensor/bin/configure.sh`, which is
+the wizard that runs when you install a Network Sensor. For some configuration options, the wizard updates both `/opt/trident/sensor/conf/trident-sensor.cfg` and `node.cfg`.
If you do make manual updates to `trident-sensor.cfg`, you must restart the Network Sensor for the changes to take effect with this command:
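Review bot: the code span `` ` /opt/trident/sensor/conf/trident-sensor.cfg` `` in the configuration-settings intro has a leading space inside the backticks, and `trident-sensor.cfg` in "do not edit trident-sensor.cfg manually" is the only mention of the file not in code font. In the uninstall list, "Centos" should be "CentOS" to match the requirements table earlier in this file.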
@@ -250,7 +250,7 @@ If you do make manual updates to `trident-sensor.cfg`, you must restart the Netw
### compression
-**Description.** This option controls whether the sensor compresses the Bro output files stored in ` /opt/trident/sensor/output/`. By default, the sensor does compress the Bro files using gzip when the size of the Bro file exceeds the value of the `compression_threshold` option, described below. To turn compression off, set this option to “no”, or any value other than “gzip”. Compression occurs when the parameter is missing or set to gzip and the Bro output file is above the value set in `compression_threshold`.
+**Description.** This option controls whether the sensor compresses the Bro output files stored in ` /opt/trident/sensor/output/`. By default, the sensor does compress the Bro files using gzip when the size of the Bro file exceeds the value of the `compression_threshold` option, described below. To turn compression off, set this option to “no”, or any value other than “gzip”. Compression occurs when the parameter is missing or set to gzip and the Bro output file is above the value set in `compression_threshold`.
**Default Value.** gzip
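Review bot: `` ` /opt/trident/sensor/output/` `` in the `compression` description carries a leading space inside the code span, the same pattern as elsewhere in this file. The closing sentence, "Compression occurs when the parameter is missing or set to gzip and the Bro output file is above the value set in `compression_threshold`", restates the default-behaviour sentence two lines earlier and could be folded into it.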
@@ -266,7 +266,7 @@ If you do make manual updates to `trident-sensor.cfg`, you must restart the Netw
### debug
-**Description.** The sensor writes messages about the upload process, that is, the process of uploading captured data to Sumo Logic. By default, this log file is `/opt/trident/sensor/logs/trident-shipper.log`. You can use the debug option to tell the sensor to write debug-level to the log file.
+**Description.** The sensor writes messages about the upload process, that is, the process of uploading captured data to Sumo Logic. By default, this log file is `/opt/trident/sensor/logs/trident-shipper.log`. You can use the debug option to tell the sensor to write debug-level to the log file.
**Default Value**. false
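Review bot: "tell the sensor to write debug-level to the log file" is missing its noun; it should read "write debug-level messages to the log file".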
@@ -283,7 +283,7 @@ Description. The directory to which the sensor writes files extracted from netwo
### extracted_file_types
**Description.** In the case that the sensor detects files in network traffic, this option controls what files the sensor will extract. Files that have the MIME types specified in this parameter will be extracted.
-
+
**Default Value.**
`application/x-dosexec,application/x-msdownload,application/zip,application/x-msdos-program`
@@ -300,13 +300,13 @@ Description. The directory to which the sensor writes files extracted from netwo
### filter
-**Description.** This option tells Bro not to capture network traffic between the sensor and the Sumo Logic. The sensor sends status reports and Bro output files to end points on the destination, which we don’t want Bro to capture.
+**Description.** This option tells Bro not to capture network traffic between the sensor and the Sumo Logic. The sensor sends status reports and Bro output files to end points on the destination, which we don’t want Bro to capture.
-This option is populated when first you install the sensor, or when you reconfigure it by running `/opt/trident/sensor/bin/configure.sh. `
+This option is populated when first you install the sensor, or when you reconfigure it by running `/opt/trident/sensor/bin/configure.sh. `
**Default Value.** none
-**Configured by wizard?** No. The wizard does not prompt for this value, instead it determines the value based on the Sumo Logic HTTP Source URL you supply to the wizard.
+**Configured by wizard?** No. The wizard does not prompt for this value, instead it determines the value based on the Sumo Logic HTTP Source URL you supply to the wizard.
### input_directory
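Review bot: the code span `` `/opt/trident/sensor/bin/configure.sh. ` `` includes the sentence's period and a trailing space inside the backticks, so the period renders as part of the path; move it outside the span. "between the sensor and the Sumo Logic" should drop "the", and "when first you install" reads more naturally as "when you first install".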
@@ -318,7 +318,7 @@ Configured by wizard? No
### installation_directory
-**Description**. Directory where the sensor is installed; this is used for auto updating.
+**Description**. Directory where the sensor is installed; this is used for auto updating.
**Default Value.** `/opt/trident/sensor`
@@ -330,7 +330,7 @@ Configured by wizard? No
**Default Value**.` /opt/trident/sensor/logs/trident-shipper.log`
-**Configured by wizard?** The wizard does not prompt for this value, instead it determines the value based on the Sumo Logic HTTP Source URL you supply to the wizard.
+**Configured by wizard?** The wizard does not prompt for this value, instead it determines the value based on the Sumo Logic HTTP Source URL you supply to the wizard.
### maximum_extracted_file_size
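Review bot: the `Configured by wizard?` answer for `log_file` says the wizard "determines the value based on the Sumo Logic HTTP Source URL you supply", which is the wording of the `filter` option above and does not fit a local log-file path; confirm the intended answer (the fixed default `/opt/trident/sensor/logs/trident-shipper.log` suggests a plain "No"). The `**Default Value**.` line also opens its code span with a stray space.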
@@ -350,15 +350,15 @@ Configured by wizard? No
### no_data_restart_threshold
-**Description.** Number of consecutive status reports with no data that should trigger a restart of the Network Sensor. This may be enabled to handle Zeek out-of-memory issues that causes capturing to stop occasionally. Recommended number to start with is 3 (a single status report with no data is normal).
+**Description.** Number of consecutive status reports with no data that should trigger a restart of the Network Sensor. This may be enabled to handle Zeek out-of-memory issues that causes capturing to stop occasionally. Recommended number to start with is 3 (a single status report with no data is normal).
-**Default value.** -1 (disabled)
+**Default value.** -1 (disabled)
-**Configured by wizard?** No
+**Configured by wizard?** No
### proxy_https
-**Description**. Whether or not the configured proxy is using SSL.
+**Description**. Whether or not the configured proxy is using SSL.
**Default Value**. true
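Review bot: "Zeek out-of-memory issues that causes capturing to stop occasionally" should be "that cause"; the `-1 (disabled)` default and the suggestion to start at 3 are otherwise clear.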
@@ -382,7 +382,7 @@ Configured by wizard? No
### proxy_password
-**Description.** Password to use when authenticating to the proxy; required if `proxy_auth_required` is set to true; note: do not edit the config file directly to change this, change it by re-running the configuration wizard.
+**Description.** Password to use when authenticating to the proxy; required if `proxy_auth_required` is set to true; note: do not edit the config file directly to change this, change it by re-running the configuration wizard.
**Default Value**. None
@@ -400,7 +400,7 @@ Configured by wizard? No
**Description.** Username to use when authenticating to the proxy; required if `proxy_auth_required` is set to “true”.
-**Default Value.** No.
+**Default Value.** No.
**Configured by wizard?** Yes
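Review bot: `**Default Value.** No.` for `proxy_username` looks like a slip; the comparable `proxy_password` entry above uses "None", which is the value this line should carry.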
@@ -430,7 +430,7 @@ Configured by wizard? No
### set_source_category
-**Description.** When this option is set to "true", the value of the `_sourceCategory` metadata field assigned to the data collected by the sensor is `cse/network/
`. If you set the option to "false", the `_sourceCategory` value will be the same as the `_sourceCategory` assigned the Sumo Logic collector.
+**Description.** When this option is set to "true", the value of the `_sourceCategory` metadata field assigned to the data collected by the sensor is `cse/network/`. If you set the option to "false", the `_sourceCategory` value will be the same as the `_sourceCategory` assigned the Sumo Logic collector.
**Default Value**. true
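Review bot: joining the broken code span fixes the rendering, but the resulting value `cse/network/` ends in a slash, which suggests a placeholder (most likely an angle-bracketed token that MDX swallowed, as happened with the `<>` placeholders in the troubleshooting section of this file) was lost. Confirm what follows `cse/network/` in the actual `_sourceCategory` and restore it with escaped brackets rather than shipping a truncated value.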
@@ -438,7 +438,7 @@ Configured by wizard? No
### shipper_threads
-**Description.** The number of threads the process that sends the collected data to Sumo Logic will use to send files concurrently; setting this higher than 8 will have no impact.
+**Description.** The number of threads the process that sends the collected data to Sumo Logic will use to send files concurrently; setting this higher than 8 will have no impact.
**Default Value.** Varies from 3 to 8; set dynamically based on the number of available CPUs.
@@ -446,9 +446,9 @@ Configured by wizard? No
### skipped_log_types
-**Description.** This option controls which log files are discarded and not uploaded by the sensor. (For a list of log files generated by Zeek, see [Log Files](https://docs.zeek.org/en/master/script-reference/log-files.html)).
+**Description.** This option controls which log files are discarded and not uploaded by the sensor. (For a list of log files generated by Zeek, see [Log Files](https://docs.zeek.org/en/master/script-reference/log-files.html)).
-**Example**. To filter discard `ntp.log`, add the following parameter to `trident-sensor.cfg`:
+**Example**. To filter discard `ntp.log`, add the following parameter to `trident-sensor.cfg`:
`skipped_log_types = dpd,weird,syslog,pe,tunnel,communication,conn-summary,known_hosts,software,stdout.stderr,loaded_scripts,ntp`
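Review bot: "To filter discard `ntp.log`" reads as a merge of two phrasings; "To discard `ntp.log`" matches the option's description. The example value is otherwise consistent with the `skipped_log_types` semantics described earlier in the file.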
@@ -482,9 +482,9 @@ Configured by wizard? No
## Sample configuration files
-This section contains examples of the `trident-sensor.cfg` and `node.cfg` files.
+This section contains examples of the `trident-sensor.cfg` and `node.cfg` files.
-### Sensor configured to use a single worker
+### Sensor configured to use a single worker
This sample` /opt/trident/sensor/conf/trident-sensor.cfg` file specifies the use of a single worker.
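Review bot: in "This sample` /opt/trident/sensor/conf/trident-sensor.cfg` file", the opening backtick is attached to "sample" and the space sits inside the code span; it should be "This sample `/opt/trident/sensor/conf/trident-sensor.cfg` file", matching the four-worker sample below.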
@@ -514,7 +514,7 @@ workers = 1
### Sensor configured to use four workers
This sample `/opt/trident/sensor/conf/trident-sensor.cfg` file specifies
-the use of four workers.
+the use of four workers.
```
log_file = /opt/trident/sensor/logs/trident-shipper.log
@@ -538,7 +538,7 @@ cluster_config_file = /opt/trident/sensor/bro/etc/node.cfg
### Sample node.cfg file (cluster configuration file)
-The `/opt/trident/sensor/bro/etc/node.cfg` file is automatically generated, based on the choices you make when running the configuration wizard at installation time.
+The `/opt/trident/sensor/bro/etc/node.cfg` file is automatically generated, based on the choices you make when running the configuration wizard at installation time.
Typically you should not edit `node.cfg` without consulting Cloud SIEM support. Under some circumstances, edits may be necessary, for example, if you want to monitor more than one capture interface.
@@ -627,20 +627,20 @@ $ sudo tcpdump -c 20 -i <> Or $ sudo tcpdump -c 20 -i <> up`
-
-To make the UP state persist through a reboot or service restart, edit the `/etc/network/interfaces` file with your choice of editor. Remember to use sudo. Add the following line to this file:
-
+
+To make the UP state persist through a reboot or service restart, edit the `/etc/network/interfaces` file with your choice of editor. Remember to use sudo. Add the following line to this file:
+
`auto\<>`
-
+
After you save this file, clear any existing IPs from the interface by running:
-
+
`$ sudo ip addr flush\<>`
### Troubleshoot Bro/Zeek
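Review bot: the placeholders in `auto\<>` and `$ sudo ip addr flush\<>` (and `tcpdump -c 20 -i <>` in the hunk header) have lost their contents; the escaped angle brackets render empty, so the reader is told to add `auto` followed by nothing. Restore an interface-name placeholder inside the brackets (for example an escaped `\<interface\>`) and add the missing space between the keyword and its argument in both commands.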
@@ -651,7 +651,7 @@ Diagnose issues with Bro/Zeek using the following command:
The output of this command shows any fatal errors observed when one or more workers crashed.
-There’s also a `crash-diagscript` you can run for the node that had an issue (The output below is from intentionally crashing Bro worker-0-1 node with an invalid pcap filter):
+There’s also a `crash-diagscript` you can run for the node that had an issue (The output below is from intentionally crashing Bro worker-0-1 node with an invalid pcap filter):
```
[root@localhost ~]# /opt/trident/sensor/bro/share/broctl/scripts/crash-diag /opt/trident/sensor/output/worker-0-1/
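Review bot: `crash-diagscript` runs the script name and the word "script" together; the command shown on the next line is `crash-diag`, so the sentence should read "There's also a `crash-diag` script you can run".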
@@ -698,4 +698,4 @@ TERMINATED [atexit]
==== No loaded_scripts.log
[root@localhost ~]#
-```
+```
\ No newline at end of file
diff --git a/docs/cse/sensors/network-sensor-end-of-life.md b/docs/cse/sensors/network-sensor-end-of-life.md
index a98267dde5..910fea1e39 100644
--- a/docs/cse/sensors/network-sensor-end-of-life.md
+++ b/docs/cse/sensors/network-sensor-end-of-life.md
@@ -16,7 +16,7 @@ At Sumo Logic, we pride ourselves on being a leading SaaS log analytics company
We’re always looking at ways to innovate, drive more value, and provide a seamless experience for our customers. In this vein we are discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. This end-of-life notification for Sumo Logic's network sensor means the feature will no longer receive support or updates based on the timelines listed below. We believe this to be the best course of action to keep our development focus on delivering world class detection and response capabilities.
-We fully recognize that this decision may have implications for your business operations, and we are committed to planning with you and your security team to minimize disruptions. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/sensors/ingest-zeek-logs/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
+We fully recognize that this decision may have implications for your business operations, and we are committed to planning with you and your security team to minimize disruptions. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
We're confident that our highly scalable, cloud-native security solutions can continue to support your security operations. Let's discuss how we can help you achieve your security goals.
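Review bot: the link now targets the Corelight Zeek ingestion page while the sidebar hunk at the end of this patch removes `cse/sensors/ingest-zeek-logs`; confirm a redirect exists from the old `/docs/cse/sensors/ingest-zeek-logs/` path (or that the page is still served) so bookmarks from the EOL notice keep resolving. Minor: "customer or partner managed" should be hyphenated as "customer- or partner-managed".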
@@ -26,5 +26,5 @@ If you have any questions, please don't hesitate to reach out to your Sumo Logic
| :-- | :-- | :-- |
| End-of-life announcement | The date this feature is announced as end-of-life. | November 8, 2024 |
| End of software release | The last date that Sumo Logic may release any final software maintenance releases or bug fixes. After this date, Sumo Logic will no longer develop, repair, maintain, or test product software. | November 8, 2024 |
-| Last date of support | The last date to receive applicable support for the feature as entitled by active support contracts or by applicable warrant terms and conditIons. After this date, all support services for this feature are unavailable and the feature becomes obsolete. | TBD |
+| Last date of support | The last date to receive applicable support for the feature as entitled by active support contracts or by applicable warrant terms and conditions. After this date, all support services for this feature are unavailable and the feature becomes obsolete. | November 8, 2025 |
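Review bot: the `+` row still reads "applicable warrant terms and conditions"; "warrant" should be "warranty", so fix it together with the `conditIons` typo this line already corrects.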
diff --git a/docs/cse/sensors/network-sensor-troubleshooting.md b/docs/cse/sensors/network-sensor-troubleshooting.md
index 0ab46b9f12..54bb1c180a 100644
--- a/docs/cse/sensors/network-sensor-troubleshooting.md
+++ b/docs/cse/sensors/network-sensor-troubleshooting.md
@@ -19,7 +19,7 @@ The Cloud SIEM Network Sensor is a flexible network security monitor that monito
Various conditions may cause a network interface to drop frames. Interface counters should be monitored to identify faults.
-Errors may be monitored using `ip-link(8)`: `ip -s link show`
+Errors may be monitored using `ip-link(8)`: `ip -s link show`
Confirm that the RX line shows incrementing bytes/packets but that the `errors`, `dropped` and `overrun` fields do not increment. It is useful to run the command several times with some delay in between.
@@ -67,7 +67,7 @@ Zeek can get into a state where it runs out of memory and stops processing traff
Security monitoring can be complex. Network data capture is a system with many layers, and degradation or faults at one layer can affect the whole. Performance starts at the initial traffic acquisition source (i.e. TAPs, SPANs/port mirrors) and ends with the monitoring software itself (Bro/Zeek). Along the way a number of hardware and software components are involved, such as cabling, capture network interface cards, CPU, memory, drivers, OS kernel, memory buffers, and numerous settings. Some work fine as defaults and others must be tuned correctly. All components must be monitored and validated for proper operation. This document provides an overview of how to properly configure and monitor some of the important components in a Network Sensor deployment.
-Sumo Logic recommends that Network Sensor admins monitor and collect performance statistics from deployed sensors. Doing so can help with tracking and spotting faults when they occur and help plan for adequate system resources.
+Sumo Logic recommends that Network Sensor admins monitor and collect performance statistics from deployed sensors. Doing so can help with tracking and spotting faults when they occur and help plan for adequate system resources.
In the examples below, we use `eno1` as the example interface name. Substitute the proper interface name(s) on your sensor as needed.
@@ -94,7 +94,7 @@ To check interface link negotiation use `ethtool`:
The Speed and Duplex fields indicate the active link settings. For a gigabit ethernet link, those are expected to show `1000Mb/s` and `Full`.
MTU (maximum transmission units) is another setting that should match up between connected devices. If all devices use the standard Ethernet MTU size of 1500 bytes, issues are unlikely. If jumbo frames are in use on the network and an upstream device is using a large MTU (e.g. 9000, 9216, etc.), the capture interface MTU should also be adjusted to
-match.
+match.
To check the interface MTU:
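Review bot: the hard line break between "adjusted to" and "match." survives in the `+` line; since this span is being touched anyway, join "match." onto the preceding line so the sentence is not split mid-clause in the source (Markdown renders it fine, so this is a source-readability nit only).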
@@ -106,7 +106,7 @@ Having verified performance of the data delivery path, the next focus area is Br
## CaptureLoss
-An important metric Zeek log that is collected from the Cloud SIEM Network Sensor is the notice `CaptureLoss::Too_Much_Loss`. Zeek internally tracks loss rates by observing when streams arrive with gaps indicating missing segments in the stream. Because this metric relates directly to traffic monitored by Zeek, it may either indicate packet loss in Zeek itself, or a loss condition happening elsewhere upstream from Zeek (anywhere along the line). This notice is logged on a periodic basis when a configured threshold is exceeded and is the topic of a key FAQ. https://www.zeek.org/documentation/faq.html#how-can-i-reduce-the-amount-of-captureloss-or-dropped-packets-notice It is possible to analyze occurrences of CaptureLoss notices in Cloud SIEM using the following query in an Sumo Logic log search tab.
+An important metric Zeek log that is collected from the Cloud SIEM Network Sensor is the notice `CaptureLoss::Too_Much_Loss`. Zeek internally tracks loss rates by observing when streams arrive with gaps indicating missing segments in the stream. Because this metric relates directly to traffic monitored by Zeek, it may either indicate packet loss in Zeek itself, or a loss condition happening elsewhere upstream from Zeek (anywhere along the line). This notice is logged on a periodic basis when a configured threshold is exceeded and is the topic of a key FAQ. https://www.zeek.org/documentation/faq.html#how-can-i-reduce-the-amount-of-captureloss-or-dropped-packets-notice It is possible to analyze occurrences of CaptureLoss notices in Cloud SIEM using the following query in an Sumo Logic log search tab.
`_sourceCategory = "cse/network/notice" | where note = "CaptureLoss::Too_Much_Loss"`
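Review bot: the `+` line keeps "in an Sumo Logic log search tab"; it should be "in a Sumo Logic log search tab". The FAQ URL is also pasted bare after "key FAQ." in the middle of the paragraph; make "key FAQ" a Markdown link instead so the sentence reads cleanly. As the paragraph itself notes, `CaptureLoss::Too_Much_Loss` does not localize the loss, so it is worth cross-referencing the `ip -s link show` counter check earlier in this file as the next triage step.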
@@ -139,13 +139,13 @@ Report on the overall cluster status:
Report on the status of nodes in the cluster:
`/opt/trident/sensor/bro/bin/zeekctl nodes`
-
+
**Process Overview**
Report on Zeek cluster processes:
`/opt/trident/sensor/bro/bin/zeekctl ps.bro`
-
+
**Process Runtime State**
Show a real-time running task view of the cluster:
@@ -193,4 +193,4 @@ Several diagnostic outputs may be collected.
* https://cromwell-intl.com/open-source/performance-tuning/ethernet.html
* https://www.zeek.org/documentation/faq.html#capture-loss-without-dropped-packets
* http://www.draconyx.net/articles/configuring-a-network-monitoring-system-sensor-w-pf_ring-on-ubuntu-server-1-04-part-1-interface-configuration.html
-
+
\ No newline at end of file
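Review bot: the reference list in this hunk's context still links to `http://www.draconyx.net/...` over plain HTTP; if the site serves HTTPS, update the scheme while this block is being touched.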
diff --git a/docs/cse/sensors/sensor-download-locations.md b/docs/cse/sensors/sensor-download-locations.md
index fff3cdeae3..0de198713e 100644
--- a/docs/cse/sensors/sensor-download-locations.md
+++ b/docs/cse/sensors/sensor-download-locations.md
@@ -11,7 +11,7 @@ import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
:::
-The Cloud SIEM Network Sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment. Each Sumo Logic deployment has URLs used to download sensor software. If you are not sure which endpoint to use, see How can I determine which endpoint I should use?
+The Cloud SIEM Network Sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment. Each Sumo Logic deployment has URLs used to download sensor software. If you are not sure which endpoint to use, see How can I determine which endpoint I should use?
## Installing the Network Sensor
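Review bot: "see How can I determine which endpoint I should use?" in the `+` line is plain text rather than a link, so readers cannot follow the reference; link it to the corresponding endpoint help topic.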
@@ -21,7 +21,7 @@ After downloading the Network Sensor appropriate for your system architecture, r
sudo wget -q -O - | sudo /bin/bash
```
-For information about the installer prompts, see [Network Sensor Deployment Guide](/docs/cse/sensors/network-sensor-deployment-guide).
+For information about the installer prompts, see [Network Sensor Deployment Guide](/docs/cse/sensors/network-sensor-deployment-guide).
## Sensor download URLs for the AU region
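Review bot: the install command `sudo wget -q -O - | sudo /bin/bash` has no URL argument, so `wget` exits with a missing-URL error and nothing is installed; and as a pattern it pipes an unverified remote script straight into a root shell. Suggest showing the URL placeholder explicitly and documenting a download-then-inspect step, for example `wget -O install.sh <download URL>`, review or checksum-verify the file, then `sudo bash install.sh`, rather than the one-liner.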
@@ -41,11 +41,11 @@ For information about the installer prompts, see [Network Sensor Deployment Gui
| Network Sensor CentOS7 | https://collectors.ca.sumologic.com/rest/sec/download/centos7 |
| Network Sensor CentOS8 | https://collectors.ca.sumologic.com/rest/sec/download/centos8 |
-## Sensor download URLs for the US2 region
+## Sensor download URLs for the US2 region
| Sensor | URL |
|:-------------------------|:-------------------------------------------------------------------|
| Network Sensor Ubuntu18 | https://collectors.us2.sumologic.com/rest/sec/download/ubuntu18 |
| Network Sensor Ubuntu20 | https://collectors.us2.sumologic.com/rest/sec/download/ubuntu20 |
| Network Sensor CentOS7 | https://collectors.us2.sumologic.com/rest/sec/download/centos7 |
-| Network Sensor CentOS8 | https://collectors.us2.sumologic.com/rest/sec/download/centos8 |
+| Network Sensor CentOS8 | https://collectors.us2.sumologic.com/rest/sec/download/centos8 |
\ No newline at end of file
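Review bot: this hunk only normalizes heading whitespace, but the download table it sits in lists URLs with no checksum or signature column, so an operator has nothing to verify the fetched installer against; if the artifacts are published with hashes, add a column for them.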
diff --git a/sidebars.ts b/sidebars.ts
index d45bea35be..13eaa646bf 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -2952,20 +2952,6 @@ integrations: [
'cse/schema/username-and-hostname-normalization',
],
},
- {
- type: 'category',
- label: 'Sensors',
- collapsible: true,
- collapsed: true,
- link: {type: 'doc', id: 'cse/sensors/index'},
- items: [
- 'cse/sensors/ingest-zeek-logs',
- 'cse/sensors/sensor-download-locations',
- 'cse/sensors/network-sensor-deployment-guide',
- 'cse/sensors/network-sensor-troubleshooting',
- 'cse/sensors/log-sensor-troubleshooting',
- ],
- },
{
type: 'category',
label: 'Integrations',
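Review bot: removing the whole `Sensors` category de-lists five pages, including `cse/sensors/log-sensor-troubleshooting`, while the end-of-life notice in this patch covers only the network sensor; `network-sensor-troubleshooting.md` and `sensor-download-locations.md` are also still being edited in this same change and remain supported until the November 8, 2025 date set elsewhere in the patch. Either keep a trimmed category for the pages that still apply or add redirects so they are not orphaned, and confirm the `cse/sensors/index` doc referenced by `link` is handled.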