How to Configure ZeroLock® Management Console to Send Activity Data to Splunk Cloud and Sumo Logic

This article will walk through configuring the ZeroLock Management Console (ZMC) to send all data from the Activity Log to Splunk Cloud or Sumo Logic.

The data collected in an Activity Log is critical for system administrators in monitoring events, troubleshooting issues, and ensuring security. Everything from user activity and endpoint events to alert information (Alert ID, alert type, links to specific alerts) is collected in the log. For example, an administrator can see detailed SSH-MFA alert data such as the success or failure of the attempts, the source IP address, and the hostname, with the date and time of the event.


Configure the ZMC

To configure the ZMC for sending data to Sumo Logic or Splunk Cloud, go to System Configuration | System Settings, then select EDIT on the HTTP Transport section.

[Image: System Settings, EDIT button (v3.1.19)]

Selecting EDIT brings up that section’s edit screen.

[Image: HTTP Transport section edit screen]


Splunk Cloud

ZeroLock uses Splunk’s HTTP Event Collector (HEC) to send data to Splunk. To create the HEC input from the Splunk console, go to Settings | Data inputs and, in the HTTP Event Collector row, select Add New.

[Image: Splunk Data Inputs selection]

Configure the ZMC

  1. Enter the Hostname. This is the name of the Splunk server you plan to use. It can be found by looking at the URL when logging into your Splunk Cloud console.

    In this example, it is: prd-p-xo8sh.splunkcloud.com

    [Image: Splunk server name circled in the console URL]

  2. Enter the Port. By default, this is usually 443 for Splunk Cloud deployments or 8088 for a demo instance. In this example, it is: 8088.
  3. Enter the Path. By default, this will usually be /services/collector/event.
  4. Enter the Auth Header. This can be found by going to Settings | Data inputs in the Splunk Cloud console.

    [Image: Splunk Auth Header in the console]

    1. On the Data Inputs screen, select the HTTP Event Collector.

      [Image: Splunk Data Inputs selection]

    2. This lists the Event Collectors that are configured, as shown below.

      [Image: HTTP Event Collector list]

    3. Copy the Token Value for the selected collector into the ZMC and prefix it with the word Splunk, so that the Auth Header value has the form Splunk <token> (the Authorization header format HEC expects).

      In this example it is:

      [Image: Splunk token value (blurred)]

  5. Check ENABLED. This enables the HTTP Transport.

    [Image: HTTP Transport section with Splunk hostname]

  6. Click UPDATE in the ZMC to save the settings.

    [Image: Splunk HTTP Transport, UPDATE]

You have successfully configured the ZMC to send Activity Log data to Splunk Cloud over the HTTP Transport.



Sumo Logic

A Sumo Logic HTTPS Source collector must be set up to allow the ZeroLock Management Console (ZMC) to send data. Directions on creating and managing the HTTPS Source collector can be found in the Sumo Logic knowledge base.

[Image: Sumo Logic Setup Collection]

Configure the ZMC

  1. Enter the Hostname. This is the name of the Sumo Logic collector endpoint you plan to use. It can be found by clicking Show URL on the configured collector in Sumo Logic.

    [Image: Sumo Logic collector search]

    In this example, the URL is:

    [Image: Sumo Logic HTTP Source URL]

    The Hostname is collectors.fed.sumologic.com.

    [Image: HTTP Source address]

  2. Enter the Port. This should be 443 by default.
  3. Enter the Path. This is the part of the URL collected in step 1 that follows the Hostname. In this example, it is:

    [Image: Sumo Logic path (blurred)]

  4. Check ENABLED for HTTP Transport. This completes the HTTP Transport section.

    [Image: HTTP Transport section for Sumo Logic]

  5. Click UPDATE in the ZMC to save the entered settings.

    [Image: Sumo Logic HTTP Transport, Update]

You have successfully configured ZeroLock® Management Console to write to Splunk Cloud and Sumo Logic.
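As an added example (not ZeroLock’s, Splunk’s or Sumo Logic’s own code), the following Python script derives the four HTTP Transport values from what the Splunk Cloud and Sumo Logic procedures above collect, and checks them before you tick ENABLED: for Sumo Logic it splits the Show URL into Hostname, Port and Path; for Splunk it uses the default collector path and builds the Auth Header in the Splunk <token> form that HEC expects. The function and field names are my own, the token and collector code values are constructed placeholders, and the Sumo Logic URL shape (/receiver/v1/http/<code>) is assumed from Sumo Logic’s documented HTTP Source URLs. build_test_request only constructs the POST the ZMC would make; send_test_event actually sends it and needs network access to your tenant.

```python
"""Derive and sanity-check ZMC HTTP Transport settings for Splunk HEC and Sumo Logic.

Added example, not part of the ZeroLock documentation. It assumes the four
HTTP Transport fields are Hostname, Port, Path and Auth Header, as in the
steps above, and that the target is either Splunk HEC (which authenticates
with 'Authorization: Splunk <token>') or a Sumo Logic HTTP Source whose
'Show URL' looks like https://<host>/receiver/v1/http/<code>.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Default HEC event endpoint named in the Splunk steps above.
SPLUNK_DEFAULT_PATH = "/services/collector/event"


def transport_from_sumo_url(show_url: str) -> dict:
    """Split the URL from Sumo Logic's 'Show URL' into the ZMC fields.

    Hostname is the URL host, Port is 443 unless the URL says otherwise, and
    Path is everything after the host. Sumo Logic needs no Auth Header: the
    unique code embedded in the path authorises the source.
    """
    parts = urlparse(show_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// collector URL")
    return {
        "hostname": parts.hostname,
        "port": parts.port or 443,
        "path": parts.path,
        "auth_header": "",
    }


def transport_for_splunk(hostname: str, token: str, port: int = 443) -> dict:
    """Build the ZMC fields for Splunk HEC.

    HEC reads 'Authorization: Splunk <token>', which is why the article says
    to put 'Splunk' in front of the token value in the Auth Header field.
    """
    if not hostname or not token:
        raise ValueError("hostname and token are required")
    return {
        "hostname": hostname,
        "port": port,
        "path": SPLUNK_DEFAULT_PATH,
        "auth_header": f"Splunk {token}",
    }


def validate_transport(cfg: dict) -> list:
    """Return a list of problems with the field values; an empty list means OK."""
    problems = []
    host = cfg["hostname"]
    if not host or "/" in host or host.startswith("http"):
        problems.append("hostname must be a bare host name, with no scheme or path")
    if not 1 <= int(cfg["port"]) <= 65535:
        problems.append("port out of range")
    if not cfg["path"].startswith("/"):
        problems.append("path must start with '/'")
    if "splunkcloud.com" in host and not cfg["auth_header"].startswith("Splunk "):
        problems.append("Splunk HEC auth header must be 'Splunk <token>'")
    return problems


def build_test_request(cfg: dict, event: dict) -> urllib.request.Request:
    """Construct, without sending, the HTTPS POST the transport settings imply."""
    url = f"https://{cfg['hostname']}:{cfg['port']}{cfg['path']}"
    headers = {"Content-Type": "application/json"}
    if cfg["auth_header"]:
        headers["Authorization"] = cfg["auth_header"]
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send_test_event(cfg: dict, event: dict, timeout: float = 10) -> int:
    """Send one test event and return the HTTP status (needs network access)."""
    with urllib.request.urlopen(build_test_request(cfg, event), timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholders: hostname from the article, token and code invented.
    splunk = transport_for_splunk("prd-p-xo8sh.splunkcloud.com",
                                  "00000000-0000-0000-0000-000000000000", port=8088)
    sumo = transport_from_sumo_url(
        "https://collectors.fed.sumologic.com/receiver/v1/http/EXAMPLE_CODE")
    for cfg in (splunk, sumo):
        print(cfg, validate_transport(cfg) or "OK")
```

Run it once with your own values, and if validate_transport returns nothing, the values printed are exactly what goes into the four ZMC fields; a 200 from send_test_event confirms the token or collector code is accepted before the ZMC starts shipping Activity Log data.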