Ingest Kemp LoadMaster Data into Cloud SIEM
To ingest Kemp LoadMaster data into Cloud SIEM:
- Configure a Syslog source on a collector. When you configure the source, do the following:
- Click the +Add Field link, and add a field whose name is
_siemForwardand value is true. This will ensure all logs for this source are forwarded to Cloud SIEM. - Add another field named
_parserwith value /Parsers/System/Kemp/Kemp LoadMaster Syslog. This ensures that the Kemp LoadMaster logs are parsed and normalized into structured records in Cloud SIEM.noteThe Sumo Logic parser for Kemp LoadMaster logs primarily supports wafd (Web Application Firewall daemon) logging and various l4d (Layer 4 Load Balancing daemon) log messages. Other messages will parse, but a parser local configuration might be required to actually extract all fields.
- Click the +Add Field link, and add a field whose name is
- Follow the instructions provided on the Kemp support site to configure syslog logging. While this linked page only focuses on unexpected reboot logs, the process for enabling other log types is the same. See Configure forwarding to a Syslog Source for general instructions to configure forwarding to a syslog source.
- To verify that your logs are successfully making it into Cloud SIEM:
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings. - On the Log Mappings tab search for "Kemp" and check the Records column. A list of mappers for Kemp will appear and you can see if logs are coming in.
- For a more granular look at the incoming records, you can also search the Sumo Logic platform for Kemp security records:
_index=sec_record* and metadata_product = "LoadMaster"
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.