SentinelOne protects computers, endpoints, and data with anti-malware and anti-exploit protection. The lightweight SentinelOne agent continually receives intelligence updates from SentinelOne servers with minimal to no impact on your work.
This tutorial demonstrates how to send SentinelOne logs to Coralogix. The integration sends your logs to an intermediary server (an EC2 instance running the OpenTelemetry Collector) and then forwards them from that server to Coralogix.
STEP 1. On the EC2 server, create a folder to hold all certificates.
sudo mkdir /etc/certificates && cd /etc/certificates
STEP 2. Create your CA key and self-signed CA certificate. When prompted for the FQDN (Common Name), enter the server's public IP address.

```bash
# CA private key, then a self-signed CA certificate valid for 1024 days
openssl genrsa -out RootCA.key 2048
openssl req -x509 -new -nodes -key RootCA.key -sha256 -days 1024 -out RootCA.pem
```
STEP 3. Create a custom OpenSSL configuration file.
sudo vim custom_ssl.conf
STEP 4. Replace CN and alt_names with your server IP/domain name.

```ini
[req]
distinguished_name = req_distinguished_name
# req_extensions puts v3_req into the CSR; x509_extensions applies when -x509 is used
req_extensions = v3_req
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = <SERVER_IP>

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# clients match a hostname against DNS.* entries and a bare IP address
# against IP.* entries, so use IP.1 = <SERVER_IP> when the value is an IP
DNS.1 = <SERVER_IP>
```
STEP 5. Generate a SentinelOne key and certificate signing request.

```bash
openssl genrsa -out SentinelOne.key 2048
openssl req -new -key SentinelOne.key -out SentinelOne.csr -config custom_ssl.conf
```
STEP 6. Generate the SentinelOne certificate, signed by our own CA certificate.

```bash
# -extfile/-extensions copy the v3_req section (SAN, serverAuth) from
# custom_ssl.conf into the issued certificate; without them the signed
# certificate carries no subjectAltName and clients reject it
openssl x509 -req -in SentinelOne.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial \
  -extfile custom_ssl.conf -extensions v3_req -out SentinelOne.pem -days 1024 -sha256
```
STEP 7. Add read permissions to all of the certificates so the collector process can open them (in practice, restrict the private keys to the user that runs the collector rather than making them world-readable).

```bash
sudo chmod +r /etc/certificates/*
```
STEP 8. Create the OpenTelemetry Collector configuration file, replacing the following variables.

| Variable | Description |
|---|---|
| domain | Coralogix domain associated with your Coralogix account |
| private_key | Coralogix Send-Your-Data API key |
| message_format | Syslog message format (rfc3164/rfc5424) |

```yaml
receivers:
  syslog:
    tcp:
      listen_address: "0.0.0.0:514"
      tls:
        # server certificate and key issued in step 6 (signed by RootCA)
        cert_file: "/etc/certificates/SentinelOne.pem"
        key_file: "/etc/certificates/SentinelOne.key"
        # CA certificate from step 2
        ca_file: "/etc/certificates/RootCA.pem"
    protocol: rfc5424
    operators:
      - type: syslog_parser
        protocol: <message_format>
        parse_from: body
        parse_to: body
      - type: remove
        field: attributes
exporters:
  coralogix:
    domain: "coralogix.com"
    private_key: "your private key"
    application_name: "syslog-application"
    subsystem_name: "syslog-subsystem"
    timeout: 30s
service:
  pipelines:
    logs:
      receivers: [ syslog ]
      exporters: [ coralogix ]
```
STEP 9. Save the file and start the OpenTelemetry Collector with it.
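As an added example (not part of the Coralogix tutorial), a small Python client that does what the SentinelOne connector will do: open a TLS connection to the listener from step 8, verify the server certificate against RootCA.pem, and send one constructed RFC 5424 line terminated by a newline (the receiver above uses newline framing, not octet counting). The host placeholder, the application name and the message text are assumptions; the port and file paths are the ones used above.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed values: the collector configured above listens on port 514 and the
# CA certificate lives at /etc/certificates/RootCA.pem; the host is a placeholder.
COLLECTOR_HOST = "<SERVER_IP>"
COLLECTOR_PORT = 514
CA_FILE = "/etc/certificates/RootCA.pem"


def build_rfc5424(facility, severity, timestamp, hostname, app_name, msg):
    """Build one RFC 5424 syslog line. PRI = facility * 8 + severity.
    The trailing newline is the frame delimiter the receiver above expects."""
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {app_name} - - - {msg}\n".encode()


def make_client_context(cafile):
    """TLS context that trusts only the tutorial's RootCA.pem and requires the
    server name/IP to match the certificate's SAN, as a syslog-over-TLS
    sender would. With cafile=None the system trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_test_message(host, port, cafile, payload):
    """Connect over TLS, send one frame and return the peer certificate subject.
    ssl.SSLCertVerificationError here means the chain or SAN produced in
    steps 2-6 does not match what the server presents."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    # constructed test event, not a real SentinelOne alert
    line = build_rfc5424(1, 6, now, "collector-test", "sentinelone-check",
                         "constructed test event from the TLS check client")
    print(send_test_message(COLLECTOR_HOST, COLLECTOR_PORT, CA_FILE, line))
```

If the connection succeeds and the line appears in Coralogix, the certificate chain, SAN and receiver configuration are correct before SentinelOne is pointed at the server.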
Before configuring the SentinelOne side, we recommend contacting SentinelOne to obtain the IP addresses, specific to your SentinelOne account, from which SentinelOne will send data, and allowing only those IPs in your EC2 instance's security group. This applies the principle of least privilege to the listener.
STEP 1. Navigate to the Integrations panel under Settings in the SentinelOne platform.
STEP 2. Save the SYSLOG integration.