Configure Global Log Receiver

Figure: AWS Cloudwatch Global Log Receiver Configuration

• Enter the group name for the target CloudWatch logs stream in the Group Name field.

• Enter the stream name for the target CloudWatch logs stream in the Stream Name field.

• In the AWS Cloud Credentials box, select a cloud credentials object from the drop-down. Alternatively, you can also use the Create new Cloud Credential button to create new object. For instructions on creating cloud credentials, see Cloud Credentials.

Note: For an AWS cloud credential, only the optionAWS Programmatic Access Credentials is supported.

• Select a region from the AWS Region drop-down menu. Ensure that you select the same region in which the S3 storage is configured.

Figure: AWS S3 Global Log Receiver Configuration

• Enter your AWS S3 bucket name in the S3 Bucket Name field.

• Select AWS Cloud Credentials box, select a cloud credentials object from the drop-down. Alternatively, you can also use the Create new Cloud Credential button to create new object. For instructions on creating cloud credentials, see Cloud Credentials.

Note: For an AWS cloud credential, only the optionAWS Programmatic Access Credentials is supported.

• Select AWS Region box, select a region from the drop-down. Ensure that you select the same region in which the S3 storage is configured.

Figure: Azure Blob Global Log Receiver Configuration

• Click Configure to setup the Azure Blob storage connection string.

  

  Figure: Azure Blob Connection String

  • Select Blindfolded Secret from the Secret Type drop-down menu.

  • Use the Action drop-down menu to select:

    • Use Blindfold Blindfolded Secret: Enter your connection string into the Blindfolded Secret field.
    • Blindfold New Secret: Select Built-in from the Policy Type drop-down menu and enter your connection string into the Secret to Blindfold field, or select Custom for the policy type and then choose a custom policy and enter your connection string.

    * Where to get the Azure BLOB connection string:

    1. Go to All Services > Storage accounts > (name of account).
    2. Select Access Keys on the navigation menu for the storage account you have selected.
    3. In the Access Keys pane, choose one of the access keys and click Show for the Connection String. Click Copy to Clipboard on the left side of the shown field.
    

    Figure: Azure Blob Connection String Location

• In the Container Name field, enter the name of the Azure container into which the logs should be sent.

Figure: Azure Event Hubs Global Log Receiver Configuration

• Click Configure to setup the Azure Event Hubs storage connection string.

  

  Figure: Azure Blob Connection String

  • Select Blindfolded Secret from the Secret Type drop-down menu.
  • Use the Action drop-down menu to select:
    • Use Blindfold Blindfolded Secret: Enter your connection string into the Blindfolded Secret field.
    • Blindfold New Secret: Select Built-in from the Policy Type drop-down menu and enter your connection string into the Secret to Blindfold field, or select Custom for the policy type and then choose a custom policy and enter your connection string.

Note: Your connection string should look like EntityPath=<EventHubName>.

* Where to get the Azure Event Hubs connection string: Refer to the following Microsoft article: https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.

• In the Container Name field, enter the name of the Azure container into which the logs should be stored.

Figure: Datadog Global Log Receiver Configuration

• Enter the URL for DataDog into the Datadog into the Datadog Site field (datadoghq.com)

• Click Configure to setup the Datadog API Key.

  

  Figure: Azure Blob Connection String

  • Select Blindfolded Secret from the Secret Type drop-down menu.

  • Use the Action drop-down menu to select:

    • Use Blindfold Blindfolded Secret: Enter your Datadog API Key into the Blindfolded Secret field.
    • Blindfold New Secret: Select Built-in from the Policy Type drop-down menu and enter your Datadog API Key into the Secret to Blindfold field, or select Custom for the policy type and then choose a custom policy and enter your Datadog API Key.

    * Where to get the Datadog API Key:

    1. Go to https://app.datadoghq.com/organization-settings/api-keys
    2. Create API key or select existing one
    3. A dialog will pop-up. Click Copy from the dialog and paste this value into the the global log receiver configuration for API Key
    

    Figure: Datadog API Key Location

    Datadog Documentation: https://docs.datadoghq.com/account_management/api-app-keys/#add-an-api-key-or-client-token

Figure: GCP Global Log Receiver Configuration

• In the GCP Bucket Name field, enter the name of the bucket into which the logs should be sent.

• Use the GCP Cloud Credentials drop-down menu to select an existing set of credentials. Alternatively select Add Item to create new credentials. For help creating new credentials, see Cloud Credentials.

Figure: HTTP Global Log Receiver Configuration

• Enter the URI for your HTTP receiver in the HTTP Uri field.

• Choose an authentication type from the Authentication drop-down menu.

  • None: no authentication will be performed.
  • Basic Authentication: Enter your login in the User Name field and click Configure to enter your password.
  • Token Authentication: Click Configure to enter your authentication token.

Figure: QRadar Global Log Receiver Configuration

Enter the URI for your QRadar receiver in the Log Source Collector URL field. For more information, refer to the following IBM document: https://www.ibm.com/docs/en/dsm?topic=options-http-receiver-protocol-configuration

Note: In some cases, multiple events will be sent to the global log receiver at once. The QRadar receiver needs to be told to split the events into multiple records. To do this, configure the Message Pattern field as follows:

Figure: QRadar Message Pattern Configuration

Figure: Kafka Global Log Receiver Configuration

• Enter a Kafka bootstrap server in the form of host:port into the Kafka Bootstrap Server List. Use the Add Item button to add additional pairs.

• Enter the Kafka topic name for the reported events.

Figure: NewRelic Log Receiver Configuration

• Select the endpoint thats applicable to your NewRelic account in the NewRelic Account Endpoint drop-down menu.

• Click Configure to setup the NewRelic license key.

  

  Figure: NewRelic License Key

  • Select Blindfolded Secret from the Secret Type drop-down menu.
  • Use the Action drop-down menu to select:
    • Use Blindfold Blindfolded Secret: Enter your NewRelic license key into the Blindfolded Secret field.
    • Blindfold New Secret: Select Built-in from the Policy Type drop-down menu and enter your NewRelic license key into the Secret to Blindfold field, or select Custom for the policy type and then choose a custom policy and enter your NewRelic license key.

Figure: Splunk Log Receiver Configuration

• Enter the Splunk HEC Logs Endpoint.

• Click Configure to setup the Splunk HEC token.

  

  Figure: Splunk License Key

  • Select Blindfolded Secret from the Secret Type drop-down menu.
  • Use the Action drop-down menu to select:
    • Use Blindfold Blindfolded Secret: Enter your Splunk HEC token into the Blindfolded Secret field.
    • Blindfold New Secret: Select Built-in from the Policy Type drop-down menu and enter your Splunk HEC token into the Secret to Blindfold field, or select Custom for the policy type and then choose a custom policy and enter your Splunk HEC token.

*Splunk Configuration Details.

According to a Splunk article, there are 2 different Splunk HEC URI:

• For Splunk Cloud customers, the standard HEC URI is: https://http-inputs-customer_stack.splunkcloud.com
  • Splunk Cloud customers do NOT need to specify port 8088, all HEC traffic goes over port 443.
• Fur customers using AWS Firehose, then you will have a second HEC URL: https://http-inputs-firehose-customer_stack.splunkcloud.com
• For customers running HEC on their own deployments or using the Splunk test drive instance, then port 8088 will need to be specified: https://input-prd-uniqueid.cloud.splunk.com:8088

In either of the scenarios, you can use the following command to validate the URL:

• In case of Splunk Cloud, enter %>nslookup http-inputs-<customer_stack>.splunkcloud.com

• In case of Splunk Test Drive, enter $ nslookup input-prd-uniqueid.cloud.splunk.com

Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/UsetheHTTPEventCollector

Figure: SumoLogic Log Receiver Configuration

• Click Configure to setup the SumoLogic Source Address URL.

  

  Figure: SumoLogic Source Address URL

  • Select Blindfolded Secret from the Secret Type drop-down menu.
  • Use the Action drop-down menu to select:
    • Use Blindfold Blindfolded Secret: Enter your SumoLogic HTTP collector URL into the Blindfolded Secret field.
    • Blindfold New Secret: Select Built-in from the Policy Type drop-down menu and enter your SumoLogic HTTP collector URL into the Secret to Blindfold field, or select Custom for the policy type and then choose a custom policy and enter your SumoLogic HTTP collector URL.