Log streaming

Log streaming lets you stream configuration or network flow logs into a security information and event management (SIEM) system. You can stream logs into a SIEM to help detect and respond to security threats, set up alerting and monitoring rules, etc.

Currently supported SIEM systems are Splunk, through an HTTP Event Collector, and Elasticsearch Logstash, through a data stream.

Log streaming is available for the Enterprise plan.
Log streaming is currently in beta.

Prerequisites

You need a SIEM endpoint and credentials from your SIEM vendor. Consult your SIEM vendor’s documentation for how to get an endpoint and API credentials.

Configuration audit log streaming

Log streaming lets you stream configuration audit logs into a security information and event management (SIEM) system. You can stream logs into a SIEM to help detect and respond to security threats, set up alerting and monitoring rules, etc.

Log streaming is available for the Enterprise plan.

Adding a configuration log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to add and configure a streaming destination.

  1. Open the Configuration logs page of the admin console.
  2. Click Start streaming.
  3. In the Start streaming configuration logs dialog:
    1. Select a SIEM destination.
    2. For URL, enter your SIEM endpoint. The endpoint URL must use the HTTPS protocol, and there is no restriction on which port is used. Splunk’s HTTP Event Collector requires an endpoint ending with /services/collector/event. Elasticsearch’s data streams require an endpoint ending with <stream_id>/_bulk?pretty.
    3. If your SIEM system requires a value for Username, enter the SIEM username.
    4. For Token, enter the SIEM API token.
  4. Click Start streaming.
A screenshot of the Start streaming configuration logs dialog

Check your SIEM system to verify you are successfully streaming from your tailnet.

Depending on network conditions, there may be a delay before you can see the log streaming in your SIEM system.

Changing a configuration log streaming destination

You can change the SIEM endpoint and the SIEM API token for a streaming system. You can also change the SIEM username, if a username is used for your SIEM system.

You need to be an Owner, Admin, Network admin, or IT admin to change the configuration of a streaming destination.

  1. Open the Configuration logs page of the admin console.
  2. For the SIEM system that you want to update, click the Action dropdown, then click Edit.
  3. Update the value for Destination, URL, Token, and/or Username.
  4. Click Update endpoint.

Deleting a configuration log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to delete a streaming destination.

  1. Open the Configuration logs page of the admin console.
  2. For the SIEM system that you want to delete, click the Action dropdown, then click Delete.
  3. In the confirmation dialog, click Delete.

Network flow log streaming

Adding a network log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to add a streaming destination.

  1. If you haven’t already, enable Network flow logs for your tailnet.
  2. Open the Network flow logs page of the admin console.
  3. Click Start streaming.
  4. In the Start streaming network logs dialog:
    1. Select a SIEM destination.
    2. For URL, enter your SIEM endpoint. The endpoint URL must use the HTTPS protocol, and there is no restriction on which port is used. Splunk’s HTTP Event Collector requires an endpoint ending with /services/collector/event. Elasticsearch’s data streams require an endpoint ending with <stream_id>/_bulk?pretty.
    3. If your SIEM system requires a value for Username, enter the SIEM username.
    4. For Token, enter the SIEM API token.
  5. Click Start streaming.
A screenshot of the Start streaming network logs dialog
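The endpoint URL rules in the dialog step above (and in the matching step for configuration logs) can be checked before the URL is pasted into the dialog. The following is an added example, not code from Tailscale's documentation; the destination names "splunk" and "elasticsearch" and the sample hostnames are assumptions.

```python
from urllib.parse import urlparse

# Destination names are assumed for this example; they are not the labels
# the admin console uses. The path rules are the ones the documentation
# states for each SIEM destination.
SPLUNK = "splunk"
ELASTICSEARCH = "elasticsearch"
SPLUNK_SUFFIX = "/services/collector/event"
ES_SUFFIX = "/_bulk"


def check_siem_endpoint(destination: str, url: str) -> list[str]:
    """Return the problems found with a SIEM endpoint URL (empty list = OK).

    Rules checked, all taken from the log streaming documentation:
      - the URL must use HTTPS (any port is allowed);
      - a Splunk HTTP Event Collector endpoint ends with /services/collector/event;
      - an Elasticsearch data stream endpoint ends with <stream_id>/_bulk?pretty,
        so it needs a non-empty stream id and the 'pretty' query string.
    """
    problems: list[str] = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme must be https, got {parsed.scheme or 'none'!r}")
    if not parsed.hostname:
        problems.append("URL has no hostname")

    if destination == SPLUNK:
        if not parsed.path.endswith(SPLUNK_SUFFIX):
            problems.append(f"Splunk HEC path must end with {SPLUNK_SUFFIX}")
    elif destination == ELASTICSEARCH:
        if not parsed.path.endswith(ES_SUFFIX):
            problems.append(f"Elasticsearch path must end with {ES_SUFFIX}")
        else:
            # The segment just before /_bulk is the data stream id; it must exist.
            stream_id = parsed.path[: -len(ES_SUFFIX)].rsplit("/", 1)[-1]
            if not stream_id:
                problems.append("Elasticsearch path is missing the <stream_id> before /_bulk")
        if parsed.query != "pretty":
            problems.append("Elasticsearch endpoint must end with ?pretty")
    else:
        problems.append(f"unknown destination {destination!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample endpoints for a quick manual run.
    for dest, candidate in [
        (SPLUNK, "https://splunk.example.com:8088/services/collector/event"),
        (ELASTICSEARCH, "http://es.example.com:9200/logs-tailscale/_bulk"),
    ]:
        print(dest, candidate, "->", check_siem_endpoint(dest, candidate) or "OK")
```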

Check your SIEM system to verify you are successfully streaming from your tailnet.

Depending on network conditions, there may be a delay before you can see the log streaming in your SIEM system.

Changing a network log streaming destination

You can change the SIEM endpoint and the SIEM API token for a streaming system. You can also change the SIEM username, if a username is used for your SIEM system.

You need to be an Owner, Admin, Network admin, or IT admin to change the configuration of a streaming destination.

  1. Open the Network flow logs page of the admin console.
  2. For the SIEM system that you want to update, click the Action dropdown, then click Edit.
  3. Update the value for Destination, URL, Token, and/or Username.
  4. Click Update endpoint.

Deleting a network log streaming destination

You need to be an Owner, Admin, Network admin, or IT admin to delete a streaming destination.

  1. Open the Network flow logs page of the admin console.
  2. For the SIEM system that you want to delete, click the Action dropdown, then click Delete.
  3. In the confirmation dialog, click Delete.
