# SIEM Log Pull

Cloudbrink's Log Pull feature enables the ability to continuously send logs from the Cloudbrink Admin Portal into customer-hosted SIEM log servers.

Cloudbrink provides customers with centralized visibility and management control. Customers can define all their policies from a single cloud-based management console. Similarly, customers can view all the data about their users, endpoints and apps from the single console even though users are accessing all types of apps: SaaS, public/private cloud hosted apps and on-prem datacentre hosted apps.

This guide outlines the process for configuring the Log Pull feature to send logs to your preferred SIEM log server.

#### Introduction

This document walks through how to configure logs from the Cloudbrink admin portal to be sent to a customer's SIEM log server.

#### Prerequisites

* Cloudbrink admin portal access
* SIEM server deployed
* Scripting API client to authenticate, then retrieve log messages

#### SIEM Log Pull Config

1. Log in to the Cloudbrink Admin Portal and navigate to Configure > System > Log Collectors > New Log Collector.
2. Add a new Log Collector by giving the log collector entity a name, leaving TYPE set to the default “Private Hosted”, and clicking "Generate new api-token".

<figure><img src="/files/J8GUyCclyJjk0Vjvm25G" alt=""><figcaption></figcaption></figure>

3. Create a client-side script that calls the log-retrieve API using the token generated above. Any scripting language that can call RESTful APIs may be used.
4. Get an access token from the API-token. Note that each {customer-ORG-code} is unique; if you are unsure what your ORG code is, reach out to <support@cloudbrink.com>.

```
curl --request GET \
  --url 'https://wren.cloudbrink.com/v2/providers/clb/orgs/{customer-ORG-code}/auth/access-token?valid_mins=60' \
  --header 'Content-Type: application/json' \
  --header 'x-cb-api-refresh: BQE6qfEUr9/'
```

5. The response to the above request contains the access-token in the response body:

```
"BgGm/dWRFAfv43iPUfJGzaH8QhtLAFR9SKPbe32qGvtXKS1doDkyWVr3uUCVxEBfafprfO44v5kYhBZjaPYWs2JEvOICC8KKeLgbX/upMy9psvvwFb2PdNkwl5yB9qhQ3sjJseam1bW0fDpifMd8jpOrf4/TPKZLKkY9u/m7rvI5ejR4Icw+KEsO72hoV7TBBsPXAI1qDeU7rp8NgwunECxfSzCtc9vzmGVYV1gHxaKajRHDvVcBwwsQDF1yTOm2HWyAvuES69/FzTEZYHLpBH17AR3jkxsjuKJJk1HYI6XdLSPn1YdBy4A/1uInRQeYwCIaJilYrAa06TwfguZYOQ9SBx4gCZho+vosHlBoDJVDFzlwzexcjMfal1f+NTRkPvxPOZh8hTilxm1Z0oFnOyKV5tkk105AzFUVKKqT5NZiFxkumCS6sPGrb9+X5ivZzBNtBgpsmvNNEmlmX7hFr4PYvVqfo+Br/u1wQOKXuFs+DoZdUQRjVkEf0mzcZgsR0XA3SzoPSyajCOy6RMc="
```

6. Retrieve log data using the above access token:

```
curl --request GET \
  --url 'https://wren.cloudbrink.com/apis/siem-proxy/v1.0/providers/CLB/orgs/{customer-ORG-code}/logs?cont_token=640bdb3a70e11bda24c8c95e&limit=1000' \
  --header 'Authorization: BgGm/dWRFAfv43iPUfJGzaH8QhtLAFR9SKPbe32qGvtXKS1doDkyWVr3uUCVxEBfafprfO44v5kYhBZjaPYWs2JEvOICC8KKeLgbX/upMy9psvvwFb2PdNkwl5yB9qhQ3sjJseam1bW0fDpifMd8jpOrf4/TPKZLKkY9u/m7rvI5ejR4Icw+KEsO72hoV7TBBsPXAI1qDeU7rp8NgwunECxfSzCtc9vzmGVYV1gHxaKajRHDvVcBwwsQDF1yTOm2HWyAvuES69/FzTEZYHLpBH17AR3jkxsjuKJJk1HYI6XdLSPn1YdBy4A/1uInRQeYwCIaJilYrAa06TwfguZYOQ9SBx4gCZho+vosHlBoDJVDFzlwzexcjMfal1f+NTRkPvxPOZh8hTilxm1Z0oFnOyKV5tkk105AzFUVKKqT5NZiFxkumCS6sPGrb9+X5ivZzBNtBgpsmvNNEmlmX7hFr4PYvVqfo+Br/u1wQOKXuFs+DoZdUQRjVkEf0mzcZgsR0XA3SzoPSyajCOy6RMc=' \
  --header 'accept: application/json'
```

7. The response body to the above request contains the log data from Cloudbrink:

```
[
  {
    "log_level": "AUDIT",
    "message": "Access Token validation successful",
    "message_timestamp": "2023-03-11T01:37:11.129Z"
  },
  {
    "log_level": "AUDIT",
    "message": "Access Token validation successful",
    "message_timestamp": "2023-03-11T01:37:36.361Z"
  }
]
```

8. When the access-token expires, the API-token can be used as in step 1 to get a new access-token. Repeat the steps to regenerate the token.
9. Note: customers can delete an existing API-token client from the management portal. Once it is deleted, any existing scripts using that API-client token will stop receiving responses.
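A minimal client that carries out steps 4 to 8 above, added here as an example and not Cloudbrink's own code: it exchanges the API-token for an access token via the `x-cb-api-refresh` header, pulls one batch of logs with the `cont_token` and `limit` parameters, and re-authenticates once when a pull is rejected. `FakeCloudbrink`, the org code `ORG-CODE`, the token values and the assumption that an expired access token is answered with HTTP 401 are all constructed for the example; how the next `cont_token` is obtained is not covered by this page, so the caller supplies it.

```python
import json, urllib.error, urllib.request

BASE = "https://wren.cloudbrink.com"

def http_get(url, headers):  # real transport: (url, headers) -> (status, body text)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class LogPuller:  # steps 4-8: get an access token, pull batches, re-authenticate when it expires
    def __init__(self, org, api_token, transport=http_get):
        self.org, self.api_token, self.get, self.access_token = org, api_token, transport, None
    def authenticate(self, valid_mins=60):  # step 4; the response body is the quoted token (step 5)
        url = f"{BASE}/v2/providers/clb/orgs/{self.org}/auth/access-token?valid_mins={valid_mins}"
        status, body = self.get(url, {"Content-Type": "application/json", "x-cb-api-refresh": self.api_token})
        if status != 200:
            raise RuntimeError(f"auth failed: HTTP {status}")
        self.access_token = json.loads(body)
        return self.access_token
    def pull(self, cont_token, limit=1000):  # step 6; on 401 re-authenticate once and retry (step 8)
        url = (f"{BASE}/apis/siem-proxy/v1.0/providers/CLB/orgs/{self.org}"
               f"/logs?cont_token={cont_token}&limit={limit}")
        for attempt in (1, 2):
            if self.access_token is None:
                self.authenticate()
            status, body = self.get(url, {"Authorization": self.access_token, "accept": "application/json"})
            if status == 200:
                return json.loads(body)
            if status != 401 or attempt == 2:
                raise RuntimeError(f"log pull failed: HTTP {status}")
            self.access_token = None  # assumed expiry signal: drop the token so the retry re-authenticates

class FakeCloudbrink:  # constructed stand-in for both endpoints; each access token allows 2 pulls
    def __init__(self):
        self.issued, self.uses = 0, {}
    def __call__(self, url, headers):
        if "/auth/access-token" in url:
            if headers.get("x-cb-api-refresh") != "API-TOKEN":
                return 403, ""
            self.issued += 1
            self.uses[f"ACCESS-{self.issued}"] = 0
            return 200, json.dumps(f"ACCESS-{self.issued}")
        tok = headers.get("Authorization")
        if self.uses.get(tok, 2) >= 2:
            return 401, ""  # unknown or expired access token
        self.uses[tok] += 1
        return 200, json.dumps([{"log_level": "AUDIT", "message": "Access Token validation successful",
                                 "message_timestamp": "2023-03-11T01:37:11.129Z"}])
```

Against the real service, construct `LogPuller("{customer-ORG-code}", "<api-token>")` without a `transport` argument so `http_get` is used.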
