Skip to main content
Version: Next

Integration with SentinelOne (DataSet)

You can integrate NetFlow Optimizer with SentinelOne (DataSet) by sending data over UDP protocol in Syslog format to the Scalyr Agent, which can be installed on NFO machine or on a separate host or VM.

Installation Steps

  1. Obtain API key
  2. Install Scalyr Agent
  3. Configure Log Collection in the Agent
  4. Configure the Parser
  5. Configure NFO Output

Obtain API key

Visit (https://app.scalyr.com/help/api-keys) and generate a "Log Write Access" API Key for your account.

Install Scalyr Agent

For information on Scalyr Agent and installation instructions, visit (https://app.scalyr.com/help/install-agent-linux).

During the installation use the API key created in step 1.

Configure Log Collection in the Agent

Edit /etc/scalyr-agent-2/agent.json and in monitor section add:

   {
module: "scalyr_agent.builtin_monitors.syslog_monitor",
protocols: "udp:515",
accept_remote_connections: true,
message_log: "nfo.log", //send NFO logs here
parser : "NFO"
}

so it would look like this:

   monitors: [
{
module: "scalyr_agent.builtin_monitors.syslog_monitor",
protocols: "udp:515",
accept_remote_connections: true,
message_log: "nfo.log", //send NFO logs here
parser : "NFO"
}
]

In this example we configured it to monitor UDP port 515, in DataSet to write the logs into a file named nfo.log and we named the parser as NFO

Restart the agent for the change to take effect:

sudo scalyr-agent-2 restart

Configure the Parser

For details, visit (https://app.scalyr.com/parsers).

In the line where the parser is named NFO click on create action and replace the preset parser with this:

{
formats: [
{
format: "${parse=json}$",
rewrites: [
{
input: "time",
output: "timestamp",
match: ".*",
replace: "$0"
}
]
}
]
}

After that save the parser.

note

The example above is for NFO output in JSON format.

Configure NFO Output

In the NFO GUI go to Outputs on the left navigation bar and press the plus sign. Set the following:

Specify Address/Port. If your Agent is installed on NFO machine, you can set the address to localhost, other wise specify the IP address where Agent is installed.