How To Configure ZeroLock® Management Console to Send Activity Data to Splunk Cloud and Sumo Logic

This article will walk through configuring the ZeroLock Management Console (ZMC) to send all data from the Activity Log to Splunk Cloud or Sumo Logic.

The data collected in the Activity Log is critical for system administrators when monitoring events, troubleshooting issues, and ensuring security. Everything from user activity and endpoint events to alert information (Alert ID, alert type, links to specific alerts) is collected in the log. For example, an administrator can see detailed SSH-MFA alert data such as the success or failure of each attempt, the source IP address, and the hostname, together with the date and time of the event.


Configure the ZMC

To configure the ZMC to send data to Sumo Logic or Splunk Cloud, go to System Configuration | System Settings, then select EDIT on the HTTP Transport section.

(Screenshot: System Settings, HTTP Transport section with EDIT, ZMC v3.1.19)

Selecting EDIT opens the HTTP Transport edit window. The Splunk Cloud or Sumo Logic connection details are entered here.

(Screenshot: HTTP Transport edit window)


Splunk Cloud

ZeroLock uses Splunk's HTTP Event Collector (HEC) to send data to Splunk. To create the HEC input from the Splunk console, go to Settings | Data inputs and, in the HTTP Event Collector row, select Add New.

Configure the ZMC

  1. Enter the Hostname. This is the name of the Splunk server you plan to use. This can be found by looking at the URL when logging into your Splunk Cloud console.
    In this example, it is: prd-p-xo8sh.splunkcloud.com
    (Screenshot: Splunk Cloud console URL with the server name circled)
  2. Enter the Port. This is 443 by default for Splunk Cloud deployments, or 8088 for a demo instance. In this example, it is: 8088
  3. Enter the Path. By default, this will usually be /services/collector/event
  4. Enter the Auth Header. This can be found by going to Settings | Data inputs in the Splunk Cloud console.
    (Screenshot: Splunk Cloud console, Settings | Data inputs)
    1. On the Data Inputs screen, select HTTP Event Collector.
      (Screenshot: Data Inputs, HTTP Event Collector selected)
    2. This lists the Event Collectors that are configured, as shown in the screenshot.
      (Screenshot: HTTP Event Collector list)
    3. Copy the Token Value for the selected collector into the ZMC Auth Header field and prefix it with the word Splunk followed by a space, since HEC expects an Authorization header of the form Splunk <token>.
      (Screenshot: Token Value)

      In this example, it is: (Screenshot: Token Value, redacted)

  5. Check Enabled. This enables HTTP Transport.
    (Screenshot: HTTP Transport with the Splunk hostname entered)
  6. Click the UPDATE button in the ZMC to save the entered settings.
    (Screenshot: HTTP Transport, UPDATE)



Sumo Logic

A Sumo Logic HTTP Source must be set up so that the ZeroLock Management Console (ZMC) can send data to it. Directions on creating and managing the HTTP Source can be found in the Sumo Logic knowledge base.

(Screenshot: Sumo Logic Setup Collection)

  1. Configure the ZMC
    1. Enter the Hostname. This can be found by clicking Show URL on the configured collector in Sumo Logic.
      (Screenshot: Sumo Logic collector search)
      In this example, the URL is: (Screenshot: collector URL from step 1)

      And the Hostname is collectors.fed.sumologic.com.

      (Screenshot: Sumo Logic HTTP Source address)
    2. Enter the Port. This should be 443 by default.
    3. Enter the Path. This is the part of the URL after the Hostname that was collected in step 1. In this example, it is: (Screenshot: Sumo Logic path, redacted)
    4. Check Enabled for HTTP Transport. This completes the HTTP Transport section.
      (Screenshot: HTTP Transport with the Sumo Logic settings entered)
    5. Click the Update button in the ZMC to save the entered settings.
      (Screenshot: HTTP Transport, Update)
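The following is an added example, not part of this article or of ZeroLock, Splunk or Sumo Logic tooling. It checks the Hostname, Port, Path and Auth Header values before they are typed into the ZMC for either the Splunk Cloud or the Sumo Logic procedure above: it splits a Sumo Logic "Show URL" value into the Hostname and Path fields, builds the HEC Auth Header with the required Splunk prefix, and assembles the exact POST the transport would make so a test event can be sent. The Splunk hostname and port are the ones from the article; the token and the Sumo Logic source code are placeholders, since both are redacted on the page.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Values from the article; the HEC token is a placeholder (redacted in the screenshots).
SPLUNK_EXAMPLE = {"hostname": "prd-p-xo8sh.splunkcloud.com", "port": 8088,
                  "path": "/services/collector/event", "token": "PLACEHOLDER-HEC-TOKEN"}

def split_collector_url(url):
    """Split a Sumo Logic 'Show URL' value into the ZMC Hostname, Port and Path fields."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https:// collector URL, got {url!r}")
    # The Sumo Logic path carries the source's secret code, so it is the part to guard.
    return {"hostname": parts.hostname, "port": parts.port or 443, "path": parts.path}

def splunk_auth_header(token):
    """Build the HEC Auth Header value: the word 'Splunk', one space, then the token."""
    token = token.strip()
    if token[:7].lower() == "splunk ":      # already prefixed: normalise rather than double it
        token = token[7:].strip()
    if not token:
        raise ValueError("empty HEC token")
    return f"Splunk {token}"

def build_request(hostname, port, path, auth_header=None, event="ZMC HTTP Transport test"):
    """Return (url, headers, body) for the POST the transport would make with these settings."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not path.startswith("/"):
        raise ValueError(f"path must start with '/': {path!r}")
    url = f"https://{hostname}:{port}{path}"
    headers = {"Content-Type": "application/json"}
    if auth_header:                         # Sumo Logic needs none; its secret is in the path
        headers["Authorization"] = auth_header
    return url, headers, json.dumps({"event": event}).encode()

def send_test_event(url, headers, body, timeout=10):
    """POST one event; HEC answers {"text":"Success","code":0}, Sumo Logic answers HTTP 200."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()

if __name__ == "__main__":
    cfg = SPLUNK_EXAMPLE
    url, headers, body = build_request(cfg["hostname"], cfg["port"], cfg["path"],
                                       splunk_auth_header(cfg["token"]))
    print(url, headers["Authorization"])
    # print(send_test_event(url, headers, body))  # only against a live collector
```

A non-zero HEC `code` or a non-200 Sumo Logic response means the ZMC would fail with the same values, so fix the fields before enabling HTTP Transport.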


You have successfully configured ZeroLock® Management Console to send activity data to Splunk Cloud and Sumo Logic.