Using Fortanix DSM with Sumo Logic (SIEM) Integration Guide for Linux Server


1.0 Introduction 

This article describes how to integrate Fortanix Data Security Manager (DSM) with Sumo Logic (SIEM) on a Linux server.

2.0 Terminology

  • DSM – Data Security Manager 

    Data Security Manager is a cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data. 

  • Sumo Logic 

    Sumo Logic is a security information and event management (SIEM) solution that provides security analysts with enhanced visibility across the enterprise to thoroughly understand the impact and context of an attack. Sumo Logic offers streamlined workflows that automatically triage alerts to maximize security analyst efficiency and focus. 

3.0 Download and Install Sumo Logic Collector in Linux 

3.1 System Requirements

 System requirements for Linux: 

  • Linux, major distributions 64-bit, or any generic Unix capable of running Java 1.8

  • Single core, 512MB RAM

  • 8GB disk space

  • Package installers require TLS 1.2 or higher

3.2 Download the Collector 

Download the collector in one of the following ways:

  • Through the user interface (UI):

    • In Sumo Logic, select Manage Data → Collection → Collection.

    • Click Add Collector → Installed Collector.

    • Click the link for the collector to begin the download. 

  • Through a web browser:

    Fortanix recommends installing the collector manually by downloading the .sh installation file that corresponds to your endpoint. For example, to download the collector for Linux 64-bit, use the link:
    https://collectors.in.sumologic.com/rest/download/linux/64

Run the following command to download the installer:

ubuntu@sumologictest:~$ sudo wget https://collectors.in.sumologic.com/rest/download/linux/64
--2022-05-11 05:22:09-- https://collectors.in.sumologic.com/rest/download/linux/64
Resolving collectors.in.sumologic.com (collectors.in.sumologic.com)... 13.126.102.227, 65.2.26.137, 65.1.116.61, ...
Connecting to collectors.in.sumologic.com (collectors.in.sumologic.com)|13.126.102.227|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84905788 (81M) [application/octet-stream]
Saving to: '64.1'

64.1                               100%[=======================================================================>]  80.97M  93.5MB/s    in 0.9s

2022-05-11 05:22:11 (93.5 MB/s) - '64.1' saved [84905788/84905788]
Figure 1: Downloading the connector on a Linux 64-bit server

3.3 Generate Access Keys

To generate access keys: 

  1. On the UI, click Profile → Preferences → Add Access Key.


    Figure 2: Add access key

  2. Enter a name for the key and click Create Key.


    Figure 3: Create access key

For more details, refer to the Sumo Logic Access Keys documentation.

3.4 Install the Collector 

Install the collector by running the command shown below, replacing the accessid and accesskey values with the access ID and access key generated in section 3.3.

ubuntu@sumologictest:~$ sudo ./SumoCollector.sh -q -Vsumo.accessid=suVzuyDcEwXy6u -Vsumo.accesskey=Kjpta1Obvs5SZMSYoyxYrAKNBTTtrgtPdSTLNXRyRZYS4zyzGcwZaBOauyQfmbih 
Unpacking JRE ...
Starting Installer ...
2022-05-11 05:25:14,118 main WARN The bufferSize is set to 8192 but bufferedIo is false: false
Uninstalling previous version
Extracting files...
Finishing installation...

To learn more about installing a collector on Linux, refer to the Sumo Logic documentation on installing a collector on Linux.

Once the collector is installed, it appears under Manage → Collection.

Figure 4: Collector appears in Sumo Logic

3.5 Configure Syslog Server

3.5.1 Configure Syslog Server in Sumo Logic 

  1. Click Manage Data → Collection.

  2. Click Edit next to Syslog Server.

  3. Select Protocol as TCP and Port as 514, leave the rest of the settings at their defaults, and then click Save.

    Figure 5: Configure the connector in Sumo Logic

3.5.2 Configure Syslog Server in Fortanix DSM 

Perform the following steps in Fortanix DSM to send its audit events to the Syslog server:

  1. In the Custom Log Management Integrations section, click ADD INTEGRATION for Syslog.

  2. On the Syslog Log Management Integration form, enter the following:

    • Host: Enter the hostname or IP address of your Syslog server.

    • Enable TLS: Select this check box to communicate with the Syslog server over a secure connection using TLS.

    • Host validation: Select the Validate host check box to ensure that the Syslog server hostname entered above matches the hostname in the server certificate. To skip hostname verification, clear the Validate host check box.

    • Validate certificate: You can connect to the Syslog server over a non-secure connection or a secure TLS connection. Depending on the type of TLS certificate that the Syslog server is using:

      • If you are using a certificate signed by a well-known public CA, select Global Root CAs.

      • If your organization uses a self-signed certificate issued by an internal Certificate Authority (CA), select Custom CA Certificate. Click UPLOAD A FILE to upload your CA certificate. When Fortanix DSM, acting as a client, connects to the Syslog server and receives the server's certificate, it validates the certificate using the uploaded custom CA certificate.

    • Port (TCP): The default port for the Syslog server is 514. If you are using a different port, update the port number accordingly.

    • Facility: When you log an event in Syslog, you can choose to log it in different facilities. Use this setting to filter logs by a specific facility, such as User, Local0, Local1, and others that are well-defined in the Syslog protocol. For example, configure Fortanix DSM to use the Local0 facility to easily filter logs from a specific appliance.

  3. Click SAVE to add the Syslog integration.

Figure 6: Configure syslog server
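The following Python script is an added worked example, not code from the Fortanix guide or from Fortanix or Sumo Logic, and it illustrates two of the settings on the form above: the TLS options (Global Root CAs versus Custom CA Certificate, and Validate host) and the Facility setting. Python's ssl module stands in for the DSM client, so it shows what each option means rather than what DSM executes internally; the hostnames, application names and log lines are constructed, and all function names are this example's own. The facility filter at the end is the general form of the "use Local0 so you can filter a specific appliance" advice: it works for any facility, not only Local0.

```python
"""Added example (not part of the Fortanix guide or of the Fortanix/Sumo Logic
code): mirrors the DSM Syslog integration settings with Python's ssl module
as a stand-in for the DSM client. Sample log lines are constructed."""
import ssl

# Facility and severity codes from RFC 5424 section 6.2.1 (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility, severity):
    """PRI number that prefixes a message as <PRI>; local0.info encodes as 134."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_message(facility, severity, host, app, msg, ts="2022-05-11T05:30:00Z"):
    """Build an RFC 5424 line the way a sender on the given facility would."""
    return "<%d>1 %s %s %s - - - %s" % (syslog_pri(facility, severity), ts, host, app, msg)


def parse_pri(line):
    """Decode (facility, severity) from the <PRI> header of a received syslog line."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:          # facilities 0..23 and severities 0..7
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)            # (facility, severity)


def filter_by_facility(lines, facility):
    """Keep only lines sent on the facility configured in DSM (for example 'local0');
    this is the filtering the Facility setting is meant to enable at the collector."""
    want = FACILITIES[facility]
    return [ln for ln in lines if parse_pri(ln)[0] == want]


# Constructed sample: two DSM-style audit events on local0 and one unrelated
# host event on the 'user' facility (hostnames and texts are made up).
SAMPLE_LINES = [
    format_message("local0", "info", "dsm.example.com", "fortanix-dsm",
                   "Security object 'app-key' created by user alice"),
    format_message("user", "notice", "sumologictest", "sshd",
                   "Accepted publickey for ubuntu"),
    format_message("local0", "err", "dsm.example.com", "fortanix-dsm",
                   "Authentication failed for user bob"),
]


def build_tls_context(enable_tls, ca_mode, validate_host, custom_ca_file=None):
    """Map the form's TLS options onto an ssl.SSLContext (stand-in for the DSM client):
    enable_tls=False  -> plain TCP to the Syslog server (returns None);
    ca_mode='global'  -> trust the system's public root CA store (Global Root CAs);
    ca_mode='custom'  -> trust only the uploaded CA file (Custom CA Certificate);
    validate_host     -> the 'Validate host' check box (hostname vs. certificate)."""
    if not enable_tls:
        return None
    if ca_mode == "global":
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    elif ca_mode == "custom":
        if not custom_ca_file:
            raise ValueError("Custom CA Certificate mode requires an uploaded CA file")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=custom_ca_file)
    else:
        raise ValueError("ca_mode must be 'global' or 'custom'")
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 to the log server
    ctx.check_hostname = validate_host             # False == 'Validate host' cleared
    return ctx


def describe_tls(ctx):
    """Summarise the effective settings so they can be checked without a live server."""
    if ctx is None:
        return {"tls": False}
    return {"tls": True,
            "check_hostname": ctx.check_hostname,
            "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
            "min_tls12": ctx.minimum_version == ssl.TLSVersion.TLSv1_2}


if __name__ == "__main__":
    print(describe_tls(build_tls_context(True, "global", True)))
    for ln in filter_by_facility(SAMPLE_LINES, "local0"):
        print(ln)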

3.6 View Audit Logs in Sumo Logic

Once all the above steps are completed, the Fortanix DSM audit logs appear in the Sumo Logic search screen.

Figure 7: View audit logs in Sumo Logic

You can further customize the data and chart by writing a query in the search bar. For example: 

_sourceCategory="Fortanix" and _collector="sumologictest"
| logreduce
| timeslice 1h
| count by _timeslice
| order by _timeslice