Using Humio Log Management as the Heart of a SIEM

Enhance your security by logging everything

This blog was originally published on March 11, 2020. Humio is a CrowdStrike Company.

SIEMs are powerful tools for monitoring your system for threats, but many simply track pre-selected data, leaving blind spots in your monitoring. Due to the ways SIEMs add indexes to your data, increasing file sizes and processing times, they often make it prohibitively expensive to ingest and store all logs.

Humio’s index-free log management provides a solution that fills in the gaps, logs everything, and realizes real-time observability for your whole system while cutting down on the costs of ingesting all data. But how do you incorporate Humio alongside your current SIEM? The answer is slightly different for each SIEM, but the outline for the process involves:

  1. Enabling log forwarding in your SIEM
  2. Adding Humio in your SIEM as a Log Receiver
  3. Choosing which logs to send to Humio
  4. Setting up a log shipper (only necessary for cloud users)

1. Enable log forwarding

Go into your SIEM and enable log forwarding. It’s likely turned off by default. It’s possible your SIEM does not have log forwarding, in which case, you’ll have to wait for Humio to build out the log forwarding option.

2. Add Humio as a log receiver

Designating Humio as a Log Receiver in your SIEM takes just a few clicks. The easiest port to set it up on is UDP or TCP port 514. Although Humio can ingest a wide variety of formats, including logs and alerts from your SIEM, it’s possible your data will not work in its raw format. If you’re a Splunk user, you have to turn off endpoint monitoring to make it work.

3. Configure which logs you’ll send to Humio

At this point, you can choose to forward all your logs or a subset to Humio. It is strongly recommended to send all logs to Humio because of Humio’s low license cost and hardware requirements. Humio has streaming search capabilities, 5-15x compression, and the ability to search live logs and historical logs in seconds. Alternatively, you can forward the logs that you aren’t using in your SIEM for complete observability and to provide instant searching for logs not used by your SIEM.

4. Set up a log shipper (only necessary on cloud)

Sending logs from a SIEM that’s operating in the cloud requires one more step: setting up a log shipper. Log shippers protect against transmission errors that can happen while transferring data from the cloud by handling buffering and retransmitting lost messages. Any Humio-compatible option will work. We recommend using Filebeat from the Elastic Beats family because it is a mature and modern option.
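The difference between the UDP and TCP options in step 2, and the reason step 4 adds a shipper that buffers and retransmits, can be seen in a short loopback test. This is an added example, not code from Humio, Filebeat or any SIEM; it assumes RFC 3164-style syslog framing because the page names port 514, uses a throwaway loopback port instead of 514, and all function names are hypothetical.

```python
import socket
from datetime import datetime

def syslog_line(msg, host="siem-fwd", facility=1, severity=6, when=None):
    """Build an RFC 3164-style line (assumed framing): <PRI>timestamp host tag: msg."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {host} fwdtest: {msg}"

def send_udp(line, addr):
    """Fire-and-forget: True only means the OS accepted the datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), addr)
    return True

def send_tcp(line, addr, timeout=2.0):
    """True only if a listener accepted the connection and took the bytes."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.sendall(line.encode() + b"\n")
        return True
    except OSError:
        return False

def forward_with_buffer(lines, addr):
    """Shipper-style behaviour: return the lines that still need a retry."""
    return [line for line in lines if not send_tcp(line, addr)]

def demo():
    """Send constructed events to a loopback port with no receiver behind it."""
    holder = socket.socket()          # bound but never listening: TCP is refused
    holder.bind(("127.0.0.1", 0))
    addr = holder.getsockname()
    lines = [syslog_line("constructed event 1"), syslog_line("constructed event 2")]
    try:
        return {
            "udp_reported_ok": send_udp(lines[0], addr),    # loss goes unnoticed
            "tcp_reported_ok": send_tcp(lines[0], addr),    # loss is detected
            "kept_for_retry": len(forward_with_buffer(lines, addr)),
        }
    finally:
        holder.close()

if __name__ == "__main__":
    print(demo())
```

With no receiver listening, the UDP send still reports success while the TCP send fails and the events are held back for retry, which is the gap a buffering log shipper closes.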

Contact us to get started

Each system is different and may involve a variety of integrations, ports, and formats. Not all SIEMs have log shipping or are 100% compatible with Humio, so be sure to engage our helpful Humio staff in a conversation on Slack to determine what it will take to get it running alongside your current SIEM.

Get started today and discover insights about your system your SIEM was missing all along!
