Log Shipper Module

Log Shipper is a logging service that pulls all or a subset of a customer tenant's event and alert logs and sends them, in a customized, customer-selected format, to the customer's SIEM and data lake(s) using either the mapping wizard or the raw editor. Use either tool to add or remove fields, change mappings, change field headers, transform extended attributes of fields, or insert static placeholders to meet your specific log requirements.

Log Shipper Global Settings

Only Admins can change Log Shipper Global Settings. Go to Settings > Log Shipper. There are two tabs: General and Mappings.

On the General tab, you can configure the retry behaviour for log delivery from Log Shipper to a destination SIEM.

  • Default (3 Retries):
    • In the event of a failed log delivery from Log Shipper to a destination SIEM, Log Shipper will initiate 3 attempts to push the logs to the destination SIEM.
    • If ALL 3 retry attempts FAIL, the corresponding batch of logs will be discarded by Log Shipper.
  • Retry till Successful Delivery: unlimited retries until the logs are delivered successfully. This may impact overall Cloud Exchange performance, including other Cloud Exchange modules like Ticket Orchestrator, Threat Exchange, etc.
    • In the event of a failed log delivery from Log Shipper to a destination SIEM, Log Shipper will retry indefinitely until the logs are delivered to the destination SIEM.
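The two retry policies above differ in what happens to a batch the SIEM keeps rejecting: the Default policy drops it after the third failed push, the unlimited policy never gives up. The following is an added example that models both policies; it is not Netskope's code. `send` is an assumed callable that pushes one batch and returns True on success, `FlakySiem` is a constructed stand-in for a destination SIEM that rejects the first few pushes, and "3 attempts" is taken here to mean three pushes in total before the batch is discarded.

```python
"""Illustrative model of the Default (3 Retries) and Retry till Successful
Delivery policies. Added example, not Netskope's implementation."""
from typing import Callable, List, Optional

Batch = List[dict]


def deliver_batch(send: Callable[[Batch], bool], batch: Batch,
                  max_attempts: Optional[int] = 3) -> dict:
    """Push one batch and retry on failure.

    max_attempts=3 mirrors the Default policy: after the third failed push the
    batch is discarded and the number of lost events is reported.
    max_attempts=None mirrors Retry till Successful Delivery: keep pushing
    until the SIEM accepts the batch (in production this is what can stall
    the other Cloud Exchange modules).
    """
    attempts = 0
    while True:
        attempts += 1
        if send(batch):
            return {"delivered": True, "attempts": attempts, "discarded_events": 0}
        if max_attempts is not None and attempts >= max_attempts:
            return {"delivered": False, "attempts": attempts,
                    "discarded_events": len(batch)}


class FlakySiem:
    """Constructed destination that fails the first `failures` pushes, then accepts."""

    def __init__(self, failures: int) -> None:
        self.failures = failures
        self.calls = 0

    def send(self, batch: Batch) -> bool:
        self.calls += 1
        return self.calls > self.failures


if __name__ == "__main__":
    batch = [{"id": i} for i in range(5)]  # constructed events
    print("default, SIEM accepts on 3rd push:  ", deliver_batch(FlakySiem(2).send, batch))
    print("default, SIEM rejects 3 pushes:      ", deliver_batch(FlakySiem(3).send, batch))
    print("unlimited, SIEM rejects 5 pushes:    ",
          deliver_batch(FlakySiem(5).send, batch, max_attempts=None))
```

With the Default policy, the `discarded_events` count is the value worth surfacing: a discarded batch is a silent gap in the SIEM's record, so a destination-side check that alerts on discarded batches is what makes that gap visible.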

Use the Mappings tab to manage your Log Shipper mapping files.

You can also create a new mapping file for a configured plugin to use instead of the provided defaults. In the Wizard view, you can modify the mapping file to add, delete, or modify fields relative to the default.

Note

The Amazon S3, Azure Blob, and Google GCS plugins for WebTx logs cannot be edited. These plugins push the original .gzip files obtained from Netskope to the cloud service providers without decompressing or modifying the content.

  1. Click the Add Mapping File button (or the Copy icon on any default mapping file).
  2. Enter a Name.
  3. Select the Wizard radio button.
  4. On the Alerts/Events tab, expand the Alert/Event row.
  5. Under the Header expand, select the Netskope field for each Target field and edit the Default value if required. Fields introduced by new alerts/events are added to the Netskope field list; the newly available fields also appear in notifications and in the Netskope CE logs.
  6. To remove an alert/event value row you do not need, click its Delete icon.
  7. To remove a target field, click its Delete icon.
  8. Under the Extension expand, select a Transformation for each Target field and enter a Default value.
  9. Alert value rows and Target field rows under the Extension expand can be deleted with the Delete icon in the same way.
  10. To add a new alert/event field, click Add Alert Field.
  11. Enter a Field name and click Add.
  12. For the newly added alert field, add the Target field and the default value for the corresponding Netskope field mapping, then click Add.
  13. Click the WebTx tab and select the Header and Extensions Target fields with their corresponding Netskope fields. WebTx fields can be deleted as above by clicking Delete.
  14. Click the Editor radio button to add, edit, or delete Event and Alert names in the editor window.
  15. Click Save.
  16. You can download a custom or default mapping file using the download icon in the list, and upload it using the Load from file option on the Create mapping file window, then click Save.
  17. In CLS plugin configurations that support sending data to the SIEM in JSON, you can enable the toggle to send the data in JSON format without transforming it through the Default Mapping file. To send only specific fields to the target SIEM, select the fields you want to send in the CLS Mapping wizard.
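The wizard steps above describe a mapping file in terms of Header and Extension sections, Target fields mapped from Netskope fields, Default values, Transformations, static placeholders and an optional subset of fields to send. The following is an added example that models that structure in code so the effect of each wizard choice can be seen on a record; it is not Netskope's mapping-file format or Cloud Exchange code. The mapping schema, the transform names and the sample alert are all constructed for illustration.

```python
"""Illustrative model of a Log Shipper-style mapping file.
Added example: the schema, transforms and sample alert are assumptions."""
import json
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Optional, Set

# Constructed sample alert; field names are illustrative, not Netskope's schema.
SAMPLE_ALERT = {
    "timestamp": 1700000000,
    "alert_type": "Malware",
    "severity": "high",
    "user": "alice@example.com",
    "src_ip": "203.0.113.10",
}

# Assumed transformation library, keyed by the name used in the mapping.
TRANSFORMS: Dict[str, Callable[[Any], Any]] = {
    "upper": lambda v: str(v).upper(),
    "to_iso8601": lambda v: datetime.fromtimestamp(int(v), tz=timezone.utc).isoformat(),
}

# Assumed mapping layout: Header and Extension sections, each mapping a target
# field to a rule. A rule takes its value from a Netskope field ("source"),
# falls back to "default" when that field is absent, optionally applies a
# "transform", or carries a "static" placeholder that ignores the event.
MAPPING: Dict[str, Dict[str, dict]] = {
    "header": {
        "name": {"source": "alert_type"},
        "severity": {"source": "severity", "transform": "upper"},
        "vendor": {"static": "Netskope"},
    },
    "extension": {
        "rt": {"source": "timestamp", "transform": "to_iso8601"},
        "suser": {"source": "user"},
        "src": {"source": "src_ip"},
        "cs1": {"source": "department", "default": "unknown"},
    },
}


def apply_mapping(event: Dict[str, Any], mapping: Dict[str, Dict[str, dict]],
                  only_fields: Optional[Set[str]] = None) -> Dict[str, Dict[str, Any]]:
    """Build the outbound record section by section.

    only_fields restricts the output to a chosen subset of target fields,
    mirroring the wizard's option to send specific fields only. A target
    field whose source is missing and that has no default is dropped rather
    than emitted empty.
    """
    out: Dict[str, Dict[str, Any]] = {}
    for section, fields in mapping.items():
        for target, rule in fields.items():
            if only_fields is not None and target not in only_fields:
                continue
            if "static" in rule:
                value = rule["static"]
            else:
                value = event.get(rule["source"], rule.get("default"))
                if value is None:
                    continue
                if "transform" in rule:
                    value = TRANSFORMS[rule["transform"]](value)
            out.setdefault(section, {})[target] = value
    return out


def raw_json(event: Dict[str, Any]) -> str:
    """The JSON toggle path: the event is serialised as-is, no mapping applied."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    print(json.dumps(apply_mapping(SAMPLE_ALERT, MAPPING), indent=2))
    print(json.dumps(apply_mapping(SAMPLE_ALERT, MAPPING, only_fields={"suser", "src"}), indent=2))
    print(raw_json(SAMPLE_ALERT))
```

Running the block shows the three behaviours side by side: the full mapping (with `cs1` filled from its default because the sample alert has no `department`), the subset mapping that emits only the two selected Extension fields, and the untransformed JSON record. When you rely on defaults for fields that your SIEM rules match on, check the mapped output for those placeholder values, since a default silently standing in for a missing field can mask a schema change upstream.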
