Single Sensor Multi-tenant Log Ingestion
For multi-tenant deployments, you typically configure a separate modular sensor to ingest logs from each tenant. Optionally, you can consolidate this task onto a single sensor. The details below identify which vendors' log files are currently supported for this feature, along with the associated configuration steps.
Requirements
This feature must be explicitly enabled. As of v4.3.1 the functionality is off by default and must be toggled on in the Sensor Profile. To enable it, open the Log Forwarder section of your Standard Sensor profile, then locate the toggle for Multi-Tenant Log Ingestion. After it is enabled, you can send data from the following vendors:
- Vendors whose logs already include the Tenant ID field needed to support this feature:
  - Infocyte (CEF), port 5143
  - Blackberry Cylance, port 5177
- Vendors supported on port 5564 if their logs are submitted in the Stellar JSON format described below:
  - Palo Alto Networks Firewall (syslog, cef, leef)
  - SonicWall Firewall (syslog or cef)
  - Cisco Meraki (syslog)
  - Fortinet Fortigate (syslog)
Stellar JSON Format for Multi-Tenant Parsing
JavaScript Object Notation (JSON) is a lightweight data interchange format that is easy for humans to read and write, and easy for machines to parse and generate. It consists of two primary structures: a collection of name/value pairs and an ordered list of values. If you are interested in learning more about JSON, here are some useful resources:
- For an introduction to JSON, see Introducing JSON.
- For a basic reference, see JSON.
- For a JSON error correction and validation tool, see JSONLint Validator and Formatter.
This required format consists of four parts:
- stellar: This required field specifies that the record is in Stellar Cyber format.
- tenantid: Specifies the tenant ID. If this value is not present, the Tenant ID associated with the sensor is used.
- msg_origin: This wrapper label is required for parsing on the multi-tenant port. Use the following table for guidance on the relevant fields.

  Vendor              Product    Format
  palo_alto_networks  firewall   syslog, cef, leef
  sonicwall           firewall   syslog, cef
  cisco               meraki     syslog
  fortinet            fortigate  syslog

  - vendor and product: Both of these values in the msg_origin block are required. They identify which Stellar Cyber parser handles the original log.
  - format: If this value is not present, syslog is used.
  - srcip: This value should be the IP address of the original log source. It is optional, but including it results in better log ingestion statistics.
- parser_raw_msg: This required content carries the original log line. If it is missing, the record is discarded. Because the raw data is wrapped in double quotes, ensure that the pre-processor you use to create this record inserts an escape before every double quote in the original log line.
The field labels are illustrated here:
{ "stellar": { "tenantid": " ", "msg_origin": { "vendor": " ", "product": " ", "format": " ", "srcip": " " } }, "parser_raw_msg":" " }
An example Stellar JSON record is shown here (data is truncated):
{ "stellar": { "tenantid": "12345678", "msg_origin": { "vendor": "palo_alto_networks", "product": "firewall", "format": "syslog", "srcip": "192.168.100.74" } }, "parser_raw_msg":"<134>Nov 11 2020 21:55:21 ..." }
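As an added example (not code from the Stellar Cyber documentation), the following Python pre-processor wraps raw log lines from one tenant's source in the Stellar JSON envelope described above and checks the vendor/product/format combination against the table before building the record. It relies on json.dumps so that double quotes, backslashes and control characters in the raw line are all escaped, which is stricter than escaping quotes alone; the sample Palo Alto lines, tenant ID and source address are constructed.

```python
import ipaddress
import json

# Vendor/product/format combinations the multi-tenant port accepts (from the table above).
SUPPORTED = {
    ("palo_alto_networks", "firewall"): {"syslog", "cef", "leef"},
    ("sonicwall", "firewall"): {"syslog", "cef"},
    ("cisco", "meraki"): {"syslog"},
    ("fortinet", "fortigate"): {"syslog"},
}

# Constructed sample: two syslog lines, the second containing quotes and backslashes.
SAMPLE_LINES = [
    '<134>Nov 11 2020 21:55:21 pa-fw 1,2020/11/11 21:55:21,001,TRAFFIC,end,"allow",10.0.0.5',
    '<134>Nov 11 2020 21:55:22 pa-fw 1,2020/11/11 21:55:22,001,THREAT,url,C:\\tmp\\"x".exe',
]

def origin_error(vendor, product, fmt):
    """Return why the vendor/product/format triple is unsupported, or None if it is fine."""
    if (vendor, product) not in SUPPORTED:
        return f"unsupported vendor/product: {vendor}/{product}"
    if fmt not in SUPPORTED[(vendor, product)]:
        return f"format {fmt!r} is not supported for {vendor}/{product}"
    return None

def build_stellar_record(raw_log, vendor, product, fmt="syslog", tenantid=None, srcip=None):
    """Wrap one raw log line in the Stellar JSON envelope for port 5564 (one line of output)."""
    if not raw_log or not raw_log.strip():
        raise ValueError("parser_raw_msg is required; an empty record would be discarded")
    err = origin_error(vendor, product, fmt)
    if err:
        raise ValueError(err)
    stellar = {}
    if tenantid is not None:        # omitted -> the sensor's own Tenant ID is used
        stellar["tenantid"] = str(tenantid)
    origin = {"vendor": vendor, "product": product, "format": fmt}
    if srcip is not None:           # optional, but improves ingestion statistics
        origin["srcip"] = str(ipaddress.ip_address(srcip))  # rejects malformed addresses
    stellar["msg_origin"] = origin
    # json.dumps escapes double quotes, backslashes and control characters inside the raw
    # line, so the envelope stays valid JSON whatever the original log contains.
    return json.dumps({"stellar": stellar, "parser_raw_msg": raw_log}, separators=(",", ":"))

def wrap_lines(lines, **origin):
    """Wrap every non-blank raw line for one source; returns a list of JSON strings."""
    return [build_stellar_record(line, **origin) for line in lines if line.strip()]
```

Call wrap_lines(SAMPLE_LINES, vendor="palo_alto_networks", product="firewall", tenantid="12345678", srcip="192.168.100.74") and send each returned string as one record to the sensor's port 5564.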