Single Sensor Multi-tenant Log Ingestion

For multi-tenant deployments, you typically configure a separate modular sensor to ingest the logs of each tenant. Optionally, you can consolidate this task onto a single sensor. The details below identify which vendors' log files are currently supported for this feature, along with the associated configuration steps.

Requirements

This feature must be specifically enabled. As of v4.3.1, the functionality is off by default and must be toggled on in the Sensor Profile. To enable it, access the Log Forwarder section of your Standard Sensor profile, then locate the toggle for Multi-Tenant Log Ingestion. After it is enabled, you can send data from the following vendors:

  • These include the Tenant ID field needed to support this feature:

    • Infocyte (CEF), port 5143 

    • Blackberry Cylance, port 5177

  • These are supported for use on port 5564 if submitted in the Stellar JSON format indicated below.

    • Palo Alto Networks Firewall (syslog, cef, leef)

    • SonicWall Firewall (syslog or cef)

    • Cisco Meraki (syslog)

    • Fortinet Fortigate (syslog)

Stellar JSON Format for Multi-Tenant Parsing

This required format consists of four parts:

  • stellar: This required field is used to specify that the file is in Stellar Cyber format.

  • tenantid: Specify the tenant ID. If this value is not present, the Tenant ID associated with the sensor is used.

  • msg_origin: This wrapper label is required for parsing on the multi-tenant port. Use the following table for guidance with the relevant fields.

    Vendor              Product    Format
    palo_alto_networks  firewall   syslog, cef, leef
    sonicwall           firewall   syslog, cef
    cisco               meraki     syslog
    fortinet            fortigate  syslog

    • vendor and product: Both of these values in the msg_origin block are required. They are used to identify which Stellar Cyber parser will handle the original log.

    • format: If this value is not present, syslog is used.

    • srcip: This value should be the IP address of the original log source. It is optional, but including it results in better log ingestion statistics.

  • parser_raw_msg: If this required content is missing, the record is discarded.

    Since the raw data is wrapped in double quotes, ensure that the pre-processor you use to create this record injects an escape before all double quotes in the original log file.

The field labels are illustrated here:

{
  "stellar": {
    "tenantid": " ",
    "msg_origin": {
      "vendor": " ",
      "product": " ",
      "format": " ",
      "srcip": " "
    }
  },
  "parser_raw_msg":"  "
}

An example Stellar JSON record is shown here (data is truncated):

{
  "stellar": {
    "tenantid": "12345678",
    "msg_origin": {
      "vendor": "palo_alto_networks",
      "product": "firewall",
      "format": "syslog",
      "srcip": "192.168.100.74"
    }
  },
  "parser_raw_msg":"<134>Nov 11 2020 21:55:21 ..."
}
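As an added example (not part of the original documentation or of any Stellar Cyber code), the following Python pre-processor wraps a raw log line in this envelope and checks a record before it is sent to port 5564. The vendor/product/format combinations and the discard rule for a missing parser_raw_msg come from the tables above; the function names and the sample log line are my own, and the escaping is done by json.dumps rather than by hand.

```python
import json

# Vendor/product/format combinations the page lists for the multi-tenant port.
SUPPORTED = {
    ("palo_alto_networks", "firewall"): {"syslog", "cef", "leef"},
    ("sonicwall", "firewall"): {"syslog", "cef"},
    ("cisco", "meraki"): {"syslog"},
    ("fortinet", "fortigate"): {"syslog"},
}


def wrap_stellar(raw_msg, vendor, product, fmt="syslog", tenantid=None, srcip=None):
    """Wrap one raw log line in the Stellar JSON multi-tenant envelope.

    json.dumps escapes every embedded double quote (and backslash) in the raw
    line, which is the pre-processing requirement for parser_raw_msg.
    """
    if fmt not in SUPPORTED.get((vendor, product), set()):
        raise ValueError(f"unsupported vendor/product/format: {vendor}/{product}/{fmt}")
    origin = {"vendor": vendor, "product": product, "format": fmt}
    if srcip:  # optional, but improves ingestion statistics
        origin["srcip"] = srcip
    stellar = {"msg_origin": origin}
    if tenantid:  # when omitted, the sensor's own Tenant ID is applied
        stellar["tenantid"] = tenantid
    return json.dumps({"stellar": stellar, "parser_raw_msg": raw_msg})


def validate_stellar(record):
    """Return the problems that would get this record discarded or left
    unparsed on the multi-tenant port; an empty list means it is well formed."""
    try:
        doc = json.loads(record)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if "parser_raw_msg" not in doc:
        problems.append("parser_raw_msg missing: record is discarded")
    origin = doc.get("stellar", {}).get("msg_origin")
    if not origin:
        problems.append("stellar.msg_origin wrapper missing")
    else:
        for key in ("vendor", "product"):
            if not origin.get(key):
                problems.append(f"msg_origin.{key} is required")
    return problems
```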