Log Ingestion Settings
To configure log ingestion settings in Advanced Analytics:
In the sidebar, click SETTINGS, then select Analytics.
Under Log Management, select Log Ingestion Settings.
Log ingestion settings differ depending on which version of Advanced Analytics you are using. The sections below describe each version in turn.
Log ingestion is handled via a unified ingestion pipeline (UIP). Visibility into the UIP is provided through the cloud-native Log Stream and Live Tail functionality.
Log data enters the UIP through a set of collector services. These services collect data from servers, applications, databases, and other devices across an infrastructure, whether the source is local, remote, or cloud-based.
In the UIP, the ingested logs are processed into events that conform to the hierarchical common information model. These events are then processed through a UIP Advanced Analytics Integration service that transforms them into events that are readable by Advanced Analytics.
For information about setting up specific collector services, see the following:
For third-party cloud sources, see Cloud Collectors.
For on-premises sources, see Site Collectors.
Log ingestion is handled by the LIME engine (Log Ingestion and Message Extraction). LIME can fetch data from SIEM log repositories or ingest it via Syslog. It normalizes the raw logs into events that the rest of the Advanced Analytics pipeline can process.
Currently, log ingestion is supported from the sources listed below.
On the Log Ingestion Settings page in Advanced Analytics, you can do the following:
Enable Syslog Ingestion
Configure Syslog Options
View Syslog Stats
Add a New Log Source
For Splunk and QRadar, log ingestion uses their external APIs. All other sources, including SIEM solutions such as LogRhythm, McAfee ESM, and LogLogic, are ingested via Syslog forwarding.
Note
The Syslog destination is your site collector IP address or FQDN. Only TLS connections are accepted, on TCP port 515; plaintext Syslog is not accepted.
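The following is an added example, not Exabeam code, that sends a few constructed test events to a Syslog listener configured as described in the note above: certificate-verified TLS only, on TCP/515, with no plaintext fallback. The collector host name (collector.example.internal), the CA bundle path and the sample event text are placeholders and assumptions; TCP/515 and TLS-only come from the note. The RFC 5424 message layout and RFC 6587 octet-counted framing are standard choices for Syslog over TCP and are assumptions of the example, not requirements stated on this page.

```python
"""Send constructed test events to a TLS-only Syslog listener on TCP/515.

Added example, not Exabeam's code. Placeholders (assumptions): the collector
host name, the CA bundle path and the sample events. Port 515 and TLS-only are
taken from the documentation note. RFC 5424 formatting and RFC 6587
octet-counted framing are standard Syslog-over-TCP choices assumed here.
"""
import socket
import ssl
from datetime import datetime, timezone

SYSLOG_TLS_PORT = 515   # documented listener port (TLS only)
FACILITY_LOCAL0 = 16    # RFC 5424 facility code
SEVERITY_INFO = 6       # RFC 5424 severity code


def build_rfc5424_message(hostname, app_name, msg, timestamp=None,
                          facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Return one RFC 5424 syslog message as bytes, without TCP framing."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc)
    pri = facility * 8 + severity
    ts = timestamp.strftime("%Y-%m-%dT%H:%M:%SZ")
    # VERSION is 1; PROCID, MSGID and STRUCTURED-DATA are the NILVALUE "-".
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {msg}".encode("utf-8")


def octet_frame(message):
    """Apply RFC 6587 octet-counted framing: b"<length> <message>"."""
    return f"{len(message)} ".encode("ascii") + message


def split_octet_frames(buf):
    """Inverse of octet_frame over a buffer of concatenated frames.

    Returns (messages, remainder); remainder holds any incomplete trailing
    frame (or malformed data) so a receiver can keep reading from the socket.
    """
    messages = []
    while True:
        sep = buf.find(b" ")
        if sep == -1 or not buf[:sep].isdigit():
            break
        length = int(buf[:sep])
        start, end = sep + 1, sep + 1 + length
        if len(buf) < end:
            break
        messages.append(buf[start:end])
        buf = buf[end:]
    return messages, buf


def sample_frames():
    """Constructed sample events with a fixed timestamp (test data, not real logs)."""
    ts = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    events = [
        "user=alice action=logon result=success",
        "user=bob action=logon result=failure reason=bad_password",
    ]
    return [octet_frame(build_rfc5424_message("testhost", "aa-test", e, ts))
            for e in events]


def send_over_tls(host, frames, cafile, port=SYSLOG_TLS_PORT, timeout=5.0):
    """Deliver framed messages over a certificate-verified TLS connection.

    The listener accepts TLS only, so no plaintext fallback is attempted.
    Returns the negotiated protocol version (for example "TLSv1.3").
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for frame in frames:
                tls.sendall(frame)
            return tls.version()


if __name__ == "__main__":
    # Placeholders (assumptions): replace with your site collector FQDN and
    # the CA bundle that issued its server certificate.
    COLLECTOR = "collector.example.internal"
    CA_BUNDLE = "/etc/ssl/certs/site-collector-ca.pem"
    frames = sample_frames()
    version = send_over_tls(COLLECTOR, frames, CA_BUNDLE)
    print(f"sent {len(frames)} test events over {version}")
```

After sending, the events should appear in the Syslog stats and insights views described in this section; if the connection is refused or the TLS handshake fails, check that you are targeting the site collector rather than another host and that the CA bundle matches the collector's certificate chain.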
For more information about configuring log ingestion in this version of Advanced Analytics, see the following subsections:
View Insights about Syslog-Ingested Logs – Test the data pipeline of incoming logs.
Ingest Logs from Google Cloud Pub/Sub into Advanced Analytics – Configure Google Pub/Sub as a log source.
Set up a Log Feed – Configure log feeds from a SIEM source.