This article walks through configuring the ZeroLock Management Console (ZMC) to forward all Activity Log data to Splunk Cloud or Sumo Logic.
The data collected in the Activity Log is critical for system administrators when monitoring events, troubleshooting issues, and investigating security incidents. Everything from user activity and endpoint events to alert details (Alert ID, alert type, links to the specific alerts) is collected in the log. For example, an administrator can see detailed SSH-MFA alert data such as the success or failure of each attempt, the source IP address, and the hostname, together with the date and time of the event.
Configure the ZMC
To configure the ZMC to send data to Sumo Logic or Splunk Cloud, go to System Configuration | System Settings, then select EDIT on the HTTP Transport section.
Selecting EDIT opens the HTTP Transport edit window, where the connection details for Splunk Cloud or Sumo Logic are entered. One HTTP Transport is configured at a time, so fill in only the destination you are using.
Splunk Cloud
ZeroLock uses Splunk's HTTP Event Collector (HEC) to send data to Splunk. To create the HEC token (data input) from the Splunk console, go to Settings | Data inputs and, in the HTTP Event Collector row, select Add New.
Configure the ZMC
- Enter the Hostname. This is the name of the Splunk server that will receive the data; it can be found by looking at the URL when logging into your Splunk Cloud console. The ZMC sends to the hostname exactly as entered, so confirm it is the HEC endpoint for your stack: Splunk's HEC documentation uses a separate http-inputs-<stack>.splunkcloud.com hostname for Splunk Cloud Platform deployments, which is not the same as the console URL. In this example, it is: prd-p-xo8sh.splunkcloud.com
- Enter the Port. This is usually 443 for Splunk Cloud deployments by default, or 8088 for a free-trial or demo instance. In this example, it is: 8088
- Enter the Path. By default, this will usually be /services/collector/event
- Enter the Auth Header. The value is the same Authorization header value that HEC expects: the literal word Splunk, a space, then the HEC token. The token can be found by going to Settings | Data inputs in the Splunk Cloud console.
- On the Data Inputs screen select HTTP Event Collector.
- This lists the Event Collectors that are configured, as shown below.
- Copy the Token Value for the selected collector into the ZMC Auth Header field and prefix it with "Splunk " (including the trailing space). Treat the token as a credential: anyone who has it can write events into your Splunk index.
In this example, it is:
- Check Enabled. This turns on HTTP Transport.
- Click UPDATE in the ZMC to save the entered settings.
Sumo Logic
An HTTP Logs & Metrics Source (HTTP Source) must be set up in Sumo Logic to allow the ZeroLock Management Console (ZMC) to send data to it. Directions on creating and managing an HTTP Source can be found in the Sumo Logic documentation.
Configure the ZMC
- Enter the Hostname. This can be found by clicking Show URL on the configured HTTP Source in Sumo Logic; the Hostname is the host portion of that URL.
In this example, the URL is:
And the Hostname is collectors.fed.sumologic.com.
- Enter the Port. This should be 443 by default.
- Enter the Path. This is the part of the Show URL after the Hostname, collected in the previous step. For a Sumo Logic HTTP Source it begins with /receiver/v1/http/ and ends with the source's unique code; that code is the only credential the source uses, so anyone with the full URL can send data to it and it should be handled like a secret. In this example, it is:
- Check Enabled for HTTP Transport. This completes the HTTP Transport section.
- Click UPDATE in the ZMC to save the entered settings.
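Before checking Enabled for either destination, it is worth confirming that the four HTTP Transport fields actually reach the collector. The script below is an added example (not ZeroLock, Splunk or Sumo Logic code): it assembles the same HTTPS request the ZMC will make from the Hostname, Port, Path and Auth Header values, validates them offline, and optionally posts one test event when run with --send so that a bad token, wrong port or mistyped path shows up before the transport goes live. The hostnames, ports and paths are the ones used in this article; the HEC token and the Sumo Logic unique code are placeholders, and the GUID check on the token and the path prefixes used to tell the two transports apart are assumptions made here.

```python
"""Pre-flight check for the ZMC HTTP Transport fields (added example, not ZeroLock code)."""
import json
import re
import sys
import urllib.error
import urllib.request

# Assumption: Splunk HEC tokens are GUIDs (8-4-4-4-12 hex characters).
HEC_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
HEC_PREFIX = "Splunk "                    # Authorization header value is "Splunk <token>"
SUMO_PATH_PREFIX = "/receiver/v1/http/"   # Sumo Logic HTTP Source path; the unique code follows


def build_transport(hostname, port, path, auth_header=None):
    """Turn the ZMC fields into (url, headers), raising ValueError on a bad field."""
    if not hostname or "/" in hostname or ":" in hostname:
        raise ValueError("Hostname must be a bare host name, not a URL or host:port")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("Port must be between 1 and 65535")
    if not path.startswith("/"):
        raise ValueError("Path must start with '/'")
    url = f"https://{hostname}:{port}{path}"
    headers = {"Content-Type": "application/json"}
    if path.startswith("/services/collector"):
        # Splunk HEC: the literal word Splunk, one space, then the token.
        if not auth_header or not auth_header.startswith(HEC_PREFIX):
            raise ValueError("Auth Header must be 'Splunk <token>' for Splunk HEC")
        if not HEC_TOKEN_RE.match(auth_header[len(HEC_PREFIX):]):
            raise ValueError("HEC token after 'Splunk ' does not look like a GUID")
        headers["Authorization"] = auth_header
    elif path.startswith(SUMO_PATH_PREFIX) and len(path) > len(SUMO_PATH_PREFIX):
        # Sumo Logic: the unique code in the path is the credential; no header is used.
        if auth_header:
            raise ValueError("Sumo Logic HTTP Source takes no Auth Header; leave it empty")
    else:
        raise ValueError("Path is neither a Splunk HEC endpoint nor a Sumo Logic HTTP Source")
    return url, headers


def check_fields(hostname, port, path, auth_header=None):
    """Return None when the fields validate, otherwise the error message."""
    try:
        build_transport(hostname, port, path, auth_header)
    except ValueError as exc:
        return str(exc)
    return None


def send_test_event(url, headers, message, timeout=10):
    """POST one JSON event and return (HTTP status, response body). Network call."""
    body = json.dumps({"event": message, "sourcetype": "zerolock:transport_check"}).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 401/403 = bad token, 404 = wrong path
        return err.code, err.read().decode()


# Constructed inputs: hostnames, ports and paths from the article; credentials are placeholders.
EXAMPLES = {
    "splunk": ("prd-p-xo8sh.splunkcloud.com", 8088, "/services/collector/event",
               "Splunk 00000000-0000-0000-0000-000000000000"),
    "sumo": ("collectors.fed.sumologic.com", 443,
             SUMO_PATH_PREFIX + "PLACEHOLDER_UNIQUE_CODE", None),
}

if __name__ == "__main__":
    for name, fields in EXAMPLES.items():
        problem = check_fields(*fields)
        if problem:
            print(f"{name}: {problem}")
            continue
        url, headers = build_transport(*fields)
        print(f"{name}: {url}")
        if "--send" in sys.argv:
            print(send_test_event(url, headers, "ZMC HTTP Transport check"))
```

Run it without arguments to see the exact URL and headers the fields produce; run it with --send after substituting your real token or unique code and look for the event in Splunk or Sumo Logic. A 401 or 403 from Splunk means the Auth Header value is wrong (usually a missing "Splunk " prefix), and a 404 from either destination means the Path does not match the collector.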
You have now configured the ZeroLock® Management Console to send Activity Log data to Splunk Cloud or Sumo Logic.