How to forward logs from the source to the forwarder and then from the forwarder to the SIEM?

Hi All,
I'm currently in the process of integrating the forwarder with the SIEM system.
I've successfully installed the forwarder on my Ubuntu machine, and I also have administrative access to the SIEM platform. Could someone please provide guidance on how to forward logs from the source to the forwarder and then from the forwarder to the SIEM? If there's any documentation or a guide available, I would greatly appreciate it. Thank you in advance.


You will need to use the Chronicle CLI to create a forwarder configuration.
https://cloud.google.com/chronicle/docs/administration/cli-user-guide

@Daniel_Love thank you for sharing the doc. Is there any doc we can refer to for doing this in the GUI?

Thank you. Yeah, I found this and used it to integrate a few logs via Syslog.

Trying to do more like a "log file"

I haven't used the forwarder file setting for log ingestion yet. We use NXlog to monitor log files and have it send the logs to the Chronicle forwarder.
Their documentation explains how to use NXlog.
https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-ad
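As an added example (not posted by anyone in this thread and not Google's own documentation), here is a minimal forwarder configuration covering both paths discussed above: a syslog collector that receives what NXlog or another source sends over TCP/UDP, and a file collector that tails a local log file directly. The identity values are placeholders, and the listener port, paths and data_type values are assumptions to replace with your own; check the field names against the config reference for the forwarder version you installed.

```yaml
# Chronicle forwarder config (example, not from the thread or the docs).
# Keep this file readable only by the forwarder user (e.g. chmod 600):
# it carries the ingestion credentials.
output:
  url: malachiteingestion-pa.googleapis.com:443
  identity:
    identity:
    collector_id: "<COLLECTOR_ID_PLACEHOLDER>"   # from the Chronicle admin console
    customer_id: "<CUSTOMER_ID_PLACEHOLDER>"     # from the Chronicle admin console
    secret_key: |
      <SERVICE_ACCOUNT_JSON_PLACEHOLDER>

collectors:
  # Path 1: sources (NXlog, rsyslog, network devices) ship to this listener.
  - syslog:
      common:
        enabled: true
        data_type: WINEVTLOG          # assumed log type; pick the parser for your source
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      # Bind to the interface your sources reach rather than all interfaces
      # where you can, and firewall the port to known senders.
      tcp_address: 0.0.0.0:10514
      udp_address: 0.0.0.0:10514
      connection_timeout_sec: 60

  # Path 2: the forwarder tails a local file itself (no NXlog needed).
  - file:
      common:
        enabled: true
        data_type: AUDITD             # assumed log type for the file below
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      file_path: /var/log/audit/audit.log   # assumed path; forwarder user needs read access
      skip_seek_to_end: false       # true = ignore lines already in the file at startup
```

After restarting the forwarder, confirm the syslog port is listening on the Ubuntu host (for example with `ss -ltnp`) and that the chosen data_type appears under the expected log source in the SIEM.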

Thank you @Daniel_Love for the update

It looks like you are trying to pull in Windows logs based on your screenshots. I would review the docs:

https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-events