Docs

connector.conf

Configure Cisco Umbrella audit, DNS, and proxy log collection via DataElicit LogConnector.

CONNECTOR.CONF

connector.conf

Specifications

[auditlogs://<specify_name>]
host = <host-name>, Default is current system hostname
source = <source-name>, Default is connector stanza name
repo = <repository-name>
sourcetype = dataelicit/cisco-umbrella:cisco-umbrella-audit
frequency = <seconds>  Interval to run the input
cron = <cron-expression> 
        Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
        It is preferable to define only one, either cron or frequency.

        Note: Schedule the connector (frequency/cron) in 15 mins to 1 day only. As connector will only check for data that is available today and yesterday. Using values outside preferred timeframe may lead to missing data.

bucket_name = Name of AWS S3 Bucket
dir_name = Folder in S3 where logs are stored
        Note: When using Cisco-managed S3 Bucket, data path is provided like: <AWS S3 bucket>/<directory prefix>
        Ex: cisco-managed-us-west-1 / 2069997_6ff2802af17337def701c2e7816cf14913zf848a
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1


[dnslogs://<specify_name>]
host = <host-name>, Default is current system hostname
source = <source-name>, Default is connector stanza name
repo = <repository-name>
sourcetype = dataelicit/cisco-umbrella:cisco-umbrella-dns
frequency = <seconds>
cron = <cron-expression> 
        Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
        It is preferable to define only one, either cron or frequency.

        Note: Schedule the connector (frequency/cron) in 15 mins to 1 day only.

bucket_name = Name of AWS S3 Bucket
dir_name = Folder in S3 where logs are stored
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1


[proxylogs://<specify_name>]
host = <host-name>, Default is current system hostname
source = <source-name>, Default is connector stanza name
repo = <repository-name>
sourcetype = dataelicit/cisco-umbrella:cisco-umbrella-proxy
frequency = <seconds>
cron = <cron-expression> 
        Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
        It is preferable to define only one, either cron or frequency.

bucket_name = Name of AWS S3 Bucket
dir_name = Folder in S3 where logs are stored
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1

Example

[auditlogs://audit]
sourcetype = dataelicit/cisco-umbrella:cisco-umbrella-audit
frequency = 3600
bucket_name = cisco-managed-ap-northeast-1
dir_name = 7944991_d1d08b738dc27ac3dabda3b204a0c16fab885cd3
global = umbrella
secret = umbrella

[dnslogs://dns]
sourcetype = dataelicit/cisco-umbrella:cisco-umbrella-dns
cron = 0 0 * * *
bucket_name = cisco-managed-ap-northeast-1
dir_name = 7944991_d1d08b738dc27ac3dabda3b204a0c16fab885cd3
global = umbrella
secret = umbrella

[proxylogs://proxy]
sourcetype = dataelicit/cisco-umbrella:cisco-umbrella-proxy
frequency = 3600
bucket_name = cisco-managed-ap-northeast-1
dir_name = 7944991_d1d08b738dc27ac3dabda3b204a0c16fab885cd3
global = umbrella
secret = umbrella

Note

Make sure the stanza name you define in local/connector.conf is not already disabled in default/connector.conf, else it will get skipped.

✉️Still stuck? How can we help?

Updated on July 7, 2025

← Manual global.conf →