Collecting Logs from Cisco Umbrella

Role Availability Read-Only Investigator Analyst Manager

To fully integrate USM Anywhere with your Cisco Umbrella (formerly, OpenDNS) implementation, you should configure log collection so that USM Anywhere can retrieve and normalize Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. raw log data from Cisco Umbrella. The combination of the Cisco Umbrella data source integration and configuration of the AlienApp for Cisco Umbrella provides a full scope of data and analysis within USM Anywhere.

Important: The AlienApp collects logs through an Amazon Simple Storage Service (S3) bucket. Therefore, you must have a Cisco Umbrella package that supports Amazon S3 log management. See Cisco Umbrella Packages page for more information.

Amazon S3 Log Management

Before USM Anywhere can collect the Cisco Umbrella log data, you must set up Amazon S3 log management in your Cisco Umbrella deployment. This requires that you have a self-managed Amazon S3 bucket in an AWS account that is configured to accept uploads from the Cisco Umbrella Service. See the Cisco Umbrella Documentation Enable Logging to Your Own S3 Bucket for detailed information about this configuration.

Note: USM Anywhere currently does not support the Cisco-managed buckets in Amazon S3.

To verify Amazon S3 log management in Cisco Umbrella

  1. Log in to the Cisco Umbrella (OpenDNS) dashboard.
  2. Go to Settings > Log Management.
  3. Click Amazon S3.
  4. In the Bucket Name field, enter the exact Amazon S3 bucket name.

  5. Click Verify.

    A confirmation message in the dashboard indicates that the bucket has been successfully verified.

Scheduling Log Collection

After you verify that Cisco Umbrella is configured to send log data to an Amazon S3 bucket for an account where you have a deployed USM Anywhere Sensor, you can set up a log collection job for USM Anywhere to retrieve that data.

Note: If you want to deploy a sensor to facilitate Cisco Umbrella log collection, see AWS Sensor Deployment.

To schedule Cisco Umbrella log collection

  1. Go to Settings > Scheduler.

  2. In the left navigation menu, click Log Collection.

    Note: You can use the Sensor filter at the top of the list to review the available log collection jobs on your AWS Sensor.

  3. Click Create Log Collection Job.

    Click Create Log Collection Job to add a scheduled log collection job

    Note: If you have recently deployed a new USM Anywhere Sensor, it can take up to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the AWS log collection jobs you want before the system collects the log data.

    The Schedule New Job dialog box opens.

    Schedule New Job Dialog Box

  4. Enter the name and description for the job.

    The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

    Enter a name and description for the new job

  5. For the Action Type option, select Amazon Web Services.
  6. If you have more than one deployed USM Anywhere Sensor, select the Sensor on which the job should run.

  7. For the App Action option, select Monitor S3 bucket.

    Select the Monitor S3 Bucket app action

  8. In the Bucket Name field, enter the name of the Amazon S3 bucket that is configured in Cisco Umbrella log management.
  9. In the Path field, enter the path on the bucket where the logs reside (in this case, dnslogs/).
  10. For the Source Format option, select raw.

  11. For the Data Source option, select Cisco Umbrella.

    Set Monitor S3 Bucket options for collecting the Cisco Umbrella log data

  12. In the Schedule section, specify when USM Anywhere runs the job:

    1. Select the increment as Minute, Hour, Day, Week, Month, or Year.

      Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

    2. Set the interval options for the increment.

      The selected increment determines the available options. For example, on a weekly increment, you can select the days of the week to run the job.

      Set the schedule for the job to run each week

      Or on a monthly increment, you can specify a date or a day of the week that occurs within the month.

      Set the schedule for the job to run each month

      3. Important: USM Anywhere restarts the schedule on the first day of the month if the option "Every x days" is selected.

    3. Set the start time.

      This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (the default is Coordinated Universal Time [UTC]).

  13. Click Save.

    You should start seeing new Cisco Umbrella events in USM Anywhere shortly after the initial raw log data collection and normalization.