
How to Configure ZeroLock® Management Console to Send Activity Data to Splunk Cloud, Sumo Logic, and Microsoft Sentinel

This article walks through configuring the ZeroLock Management Console (ZMC) to send all data from the Activity Log to Splunk Cloud, Sumo Logic, and Microsoft Sentinel (via a Log Analytics Workspace).

The data collected in the Activity Log is critical for system administrators when monitoring events, troubleshooting issues, and ensuring security. Everything from user activity and endpoint events to alert information (Alert ID, type of alert, links to specific alerts) is collected in the log. For example, an administrator can see detailed SSH-MFA alert data such as the success or failure of each attempt, the source IP address, and the hostname, together with the date and time of the event.


Configure the ZMC

To configure the ZMC for sending data to Sumo Logic or Splunk Cloud, go to System Configuration | System Settings, then select EDIT on the HTTP Transport section.

[Image: System Settings main page]

Selecting EDIT brings up that section's edit screen.

[Image: HTTP Transport section]


Splunk Cloud

ZeroLock uses Splunk's HTTP Event Collector (HEC) to send data to Splunk. To create the HTTP Source collector from the Splunk console, go to Settings | Data inputs and select Add New in the HTTP Event Collector row.

[Image: Splunk Data Inputs selection]

Configure the ZMC

  1. Enter the Hostname. This is the name of the Splunk server you plan to use. It can be found in the URL shown when you log in to your Splunk Cloud console.

    In this example, it is: prd-p-xo8sh.splunkcloud.com

    [Image: Splunk server name circled in the console URL]

  2. Enter the Port. By default, this is usually 443 for Splunk Cloud deployments or 8088 for a demo instance. In this example, it is: 8088.
  3. Enter the Path. By default, this will usually be /services/collector/event.
  4. Enter the Auth Header. This can be found by going to Settings | Data inputs in the Splunk Cloud console.

    [Image: Splunk console, Data inputs page]

    1. On the Data Inputs screen, select HTTP Event Collector.

      [Image: Data Inputs, HTTP Event Collector row]

    2. This lists the Event Collectors configured, as shown below.

      [Image: HTTP Event Collector list]

    3. Copy the Token Value for the selected collector into the ZMC and prefix it with the word "Splunk" followed by a space (the HEC authorization header is Splunk <token>).

      In this example, it is:

      [Image: Token value (blurred)]

  5. Check ENABLED. This enables the HTTP Transport.

    [Image: HTTP Transport section with Splunk hostname entered]

    [Image: note below step 5]

  6. Click UPDATE in the ZMC to save the settings.

    [Image: HTTP Transport section, UPDATE button]

You have successfully configured the ZMC to send Activity Log data to Splunk Cloud.



Sumo Logic

A Sumo Logic HTTPS Source collector must be set up before the ZeroLock Management Console (ZMC) can send data to it. Directions on creating and managing an HTTPS Source collector can be found in the Sumo Logic knowledge base.

[Image: Sumo Logic collection setup]

Configure the ZMC

  1. Enter the Hostname. This is the host name of the Sumo Logic HTTPS Source collector you plan to use. It can be found by clicking Show URL on the configured collector in Sumo Logic.

    [Image: Sumo Logic collector search]

    In this example, the URL is:

    [Image: Show URL dialog]

    The Hostname is collectors.fed.sumologic.com.

    [Image: HTTP Source address]

  2. Enter the Port. This should be 443 by default.
  3. Enter the Path. This is the part of the URL after the Hostname that was collected in step 1. In this example, it is:

    [Image: Sumo Logic path (blurred)]

  4. Check ENABLED for HTTP Transport, and you have completed the HTTP Transport section.

    [Image: HTTP Transport section with Sumo Logic settings]

  5. Click the Update button in the ZMC to save the entered settings.

    [Image: HTTP Transport section, Update button]

Microsoft Sentinel

  1. Enter the Hostname. The value is: https://<workspace-id>.ods.opinsights.azure.com, where <workspace-id> is replaced by the actual ID of the workspace. This can be retrieved from the agent settings for the workspace in Azure, shown here:

    [Image: workspace ID in the Azure agent settings]

    For example, if the workspace ID is 2f8b4e90-3a13-4d3b-91a9-5d9e6a71b9e4, then the hostname value would be: https://2f8b4e90-3a13-4d3b-91a9-5d9e6a71b9e4.ods.opinsights.azure.com

  2. Enter the Port. This value is usually: 443.
  3. Make sure that Use TLS is checked.
  4. Enter this for the Path: /api/logs?api-version=2016-04-01
  5. Enter the MS Workspace ID. This was retrieved in step 1.
  6. Enter the MS Primary Key. This can be retrieved from the agent settings for the workspace in Azure, shown here:

    [Image: primary key in the Azure agent settings]

    Example Primary Key: rL3mU8j+5kYqX4pU9sWvZmP3AvqK/XLK1Yf4Vn9Ns14FoO0KYZKx0UOiX3AvcFqvP3Y3s5OJoW2f4Wv8dz9kOg==

  7. With these examples, your ZMC HTTP Transport section should look like this:

    [Image: completed HTTP Transport section]

  8. When these events are sent, a table (ZMCLog_CL) is added to the Custom Logs section in Azure, under the Logs category of the Log Analytics Workspace.

    [Image: ZMCLog_CL table in Custom Logs]

  9. After selecting this table in Azure, you should see data as it is sent to the Log Analytics Workspace from the ZMC.

    [Image: Log Analytics query results]
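The three procedures above all configure the same ZMC HTTP Transport, but each destination expects a different request shape: Splunk HEC wants an `Authorization: Splunk <token>` header, a Sumo Logic HTTPS Source carries its secret in the URL path, and the Azure Log Analytics Data Collector API (the `api-version=2016-04-01` path) requires a per-request HMAC-SHA256 signature computed with the decoded primary key. The following is an added example, not ZMC code from Vali Cyber, that builds each request the way the transport must, and runs a pre-flight check over the settings you type into the ZMC. The Splunk hostname, port and path, the Sumo Logic hostname and the workspace ID are the page's example values; the setting names passed to `check_http_transport`, the sample event, the primary key (generated, not the page's example key) and the Sumo Logic path placeholder are constructed for this example. The `Log-Type: ZMCLog` header is an assumption inferred from the `ZMCLog_CL` table name, since Azure appends `_CL` to the Log-Type value.

```python
# Added example: request shapes for the ZMC HTTP Transport destinations plus a
# settings pre-flight check. Not ZMC code; setting names and samples are constructed.
import base64
import hashlib
import hmac
import json
import urllib.request
from email.utils import formatdate

# Constructed Activity Log entry (shape invented for this example, not real ZMC output).
SAMPLE_EVENT = {
    "timestamp": "2024-01-01T00:00:00Z",
    "type": "SSH-MFA",
    "result": "failure",
    "source_ip": "203.0.113.10",   # documentation address range
    "hostname": "host-01",
}
# Constructed 64-byte key in the same base64 form as a Log Analytics primary key.
EXAMPLE_PRIMARY_KEY = base64.b64encode(bytes(range(64))).decode("ascii")


def splunk_hec_request(hostname, port, path, token, event):
    """Splunk HEC: JSON body {"event": ...} with the header 'Authorization: Splunk <token>'."""
    url = f"https://{hostname}:{port}{path}"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return url, headers, json.dumps({"event": event})


def sumo_logic_request(hostname, port, path, event):
    """Sumo Logic HTTPS Source: the unique source code is part of the path, so no auth header."""
    url = f"https://{hostname}:{port}{path}"
    return url, {"Content-Type": "application/json"}, json.dumps(event)


def sentinel_string_to_sign(content_length, rfc1123_date, resource="/api/logs"):
    """Canonical string the Data Collector API (api-version 2016-04-01) expects to be signed."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{resource}"


def sentinel_request(workspace_id, primary_key_b64, event, log_type="ZMCLog", rfc1123_date=None):
    """Azure Log Analytics: 'SharedKey <workspace-id>:<base64 HMAC-SHA256>' over the canonical
    string, keyed with the base64-decoded primary key. Rows land in the table <log_type>_CL."""
    body = json.dumps(event)
    date = rfc1123_date or formatdate(usegmt=True)          # RFC 1123 date, GMT
    key = base64.b64decode(primary_key_b64)
    to_sign = sentinel_string_to_sign(len(body.encode("utf-8")), date)
    digest = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,        # assumption: ZMCLog, since the page shows table ZMCLog_CL
        "x-ms-date": date,
    }
    return url, headers, body


def check_http_transport(s):
    """Pre-flight check of HTTP Transport settings; returns a list of problems (empty means OK).
    Keys (target, hostname, port, path, auth_header, use_tls, workspace_id, primary_key, enabled)
    are names chosen for this example, not the ZMC's own field names."""
    problems = []
    target, host, path, port = s.get("target"), s.get("hostname", ""), s.get("path", ""), s.get("port")
    if target in ("splunk", "sumologic") and "://" in host:
        problems.append("hostname should be a bare host name, without https://")
    if not path.startswith("/"):
        problems.append("path must start with '/'")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer between 1 and 65535")
    if target == "splunk" and not s.get("auth_header", "").startswith("Splunk "):
        problems.append("auth header must be the word Splunk, a space, then the HEC token")
    if target == "sentinel":
        if not s.get("use_tls"):
            problems.append("Use TLS must be checked")
        if not s.get("workspace_id"):
            problems.append("MS Workspace ID is empty")
        key = s.get("primary_key", "")
        try:
            if not key or not base64.b64decode(key, validate=True):
                problems.append("MS Primary Key is empty")
        except ValueError:                      # binascii.Error is a ValueError
            problems.append("MS Primary Key is not valid base64")
    if not s.get("enabled"):
        problems.append("ENABLED is not checked, so nothing will be sent")
    return problems


def send(url, headers, body, timeout=10):
    """POST a built request and return the HTTP status (network call; not exercised offline)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    url, hdrs, body = sentinel_request("2f8b4e90-3a13-4d3b-91a9-5d9e6a71b9e4", EXAMPLE_PRIMARY_KEY, SAMPLE_EVENT)
    print(url)
    print(json.dumps(hdrs, indent=2))
```

The check catches the two mistakes this article's copy-paste history invites: a hostname entered with its `https://` scheme for Splunk or Sumo Logic, and a Splunk auth header pasted as the bare token without the `Splunk ` prefix. Because the Azure signature covers the body length and the `x-ms-date` value, a request replayed with a changed body or a stale date is rejected by Log Analytics, which is why the date is generated per request rather than fixed.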

You have successfully configured ZeroLock® Management Console to write to Splunk Cloud, Sumo Logic, and Microsoft Sentinel.