Generic SIEM Integration

Receiving logs using our pre-built, generic docker container based on FluentD

Overview

The most general way of receiving logs from Control D's SIEM output integration is to deploy our pre-built Docker container.

This container is the secure endpoint for the log stream sent from our network to yours; it then forwards the logs to a SIEM tool within your network.

Pre-Requisites

Customer Side

  • Hardware
    • Virtual machine, VPS, or bare-metal server (x86 architecture)
  • Operating System
    • Linux Distribution (capable of running Docker Containers / Docker CE)
  • Networking
    • Public IP address (for securely receiving logs from our SIEM integration output over the internet)

      Note: if this IP is dynamic, you must also provide us with a DNS record (see Submitting Details to Support below).

    • Internal network access to your SIEM system (for forwarding the received logs into your system)
  • Firewall / Container Port Mappings
    • Permit inbound traffic on tcp/24224 to the Docker container

Submitting Details to Support

Please provide Control D Support with your:

  • Public IP address
  • [Optional] DNS record (if the public IP is prone to changing / dynamic)

Installation

  1. Install Docker Engine on the host (see Docker's installation instructions).

  2. Upload the config bundle to the host

    scp yourbundle.tar.gz your-linux-host.example.com:/tmp/
    
  3. Extract the config + container bundle:

    mkdir logs-receiver
    tar -xvf /tmp/yourbundle.tar.gz -C logs-receiver
    
  4. Start the container (interactively at first for testing)

    cd logs-receiver
    docker compose up
    
  5. Confirm in the container's console output that logs are arriving (they are not forwarded anywhere yet!)

  6. Edit logs-receiver/fluent-bit.yaml and add your desired log destination to the outputs: section.

    See https://docs.fluentbit.io/manual/pipeline/outputs for instructions

    fluent-bit supports a wide variety of log destinations, including ELK, Datadog and Splunk

    Example: Splunk

    outputs:
      - name: splunk
        host: splunk.example.com                           # Modify 
        splunk_token: 55555555-5555-5555-5555-555555555555 # Modify
        port: 8088                                         # Modify
        tls: on                                            # Modify
        tls.verify: on                                     # Modify
    
  7. Start the container in daemon mode so it continues running when you close your shell:

    docker compose up --detach
    
  8. Please notify the Control D support team to confirm that you are receiving logs successfully!
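  Before running step 7, it is worth confirming that the destination added in step 6 forwards over TLS with certificate verification and that the placeholder token was replaced. The script below is an added example, not part of the Control D bundle; it assumes the YAML layout shown in step 6 (one "- name:" line per output with its keys indented beneath it) and treats the "stdout" output as a test-only sink.

```shell
#!/bin/sh
# Added example, not part of the Control D bundle: lint the outputs: section
# of logs-receiver/fluent-bit.yaml before starting the container detached.
# Assumes the YAML layout shown in step 6 (one "- name:" line per output,
# its keys indented beneath it) and treats "stdout" as a test-only sink.

# Print one line per output: "<name> tls=<v> verify=<v> token=<v>"
# ("-" where the key is absent). Comments after values are ignored.
list_outputs() {
  awk '
    /^outputs:/                 { in_out = 1; next }
    in_out && /^[^[:space:]#]/  { in_out = 0 }        # next top-level key
    in_out && /^[[:space:]]*-[[:space:]]*name:/ {
      if (name != "") emit()
      name = $3; tls = "-"; verify = "-"; token = "-"; next
    }
    in_out && /^[[:space:]]*tls:/          { tls = $2 }
    in_out && /^[[:space:]]*tls\.verify:/  { verify = $2 }
    in_out && /^[[:space:]]*splunk_token:/ { token = $2 }
    function emit() { print name, "tls=" tls, "verify=" verify, "token=" token }
    END { if (name != "") emit() }
  ' "$1"
}

# Return 0 when at least one real destination exists and every real
# destination uses TLS with certificate verification and a non-placeholder
# token; otherwise print the reasons to stderr and return 1.
check_receiver_config() {
  conf=$1; rc=0; real=0
  if [ ! -f "$conf" ]; then echo "missing $conf" >&2; return 1; fi
  while read -r name tls verify token; do
    if [ -z "$name" ] || [ "$name" = stdout ]; then continue; fi
    real=$((real + 1))
    if [ "$tls" != "tls=on" ]; then
      echo "$name: tls is not on" >&2; rc=1
    fi
    if [ "$verify" != "verify=on" ]; then
      echo "$name: tls.verify is not on (logs could be sent to a spoofed host)" >&2; rc=1
    fi
    case $token in
      *5555-5555*) echo "$name: placeholder splunk_token still present" >&2; rc=1 ;;
    esac
  done <<EOF
$(list_outputs "$conf")
EOF
  if [ "$real" -eq 0 ]; then echo "no destination configured beyond stdout" >&2; rc=1; fi
  return $rc
}

# Usage: check_receiver_config logs-receiver/fluent-bit.yaml && docker compose up --detach
```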

Troubleshooting

  • If your destination system does not receive logs, check the running fluent-bit instance for errors:
    docker compose logs --follow
    
  • If needed, restart the container with:
    docker compose up --force-recreate --detach