An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with the
ILLUMIO_CORE ingestion label.
Create a log group
In the Policy Console Engine (PCE) web console menu, go to Settings > Event settings.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Collect Illumio Core logs\n=========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document describes how you can collect the Illumio Core logs by using a Google Security Operations forwarder.\n\nFor more information, see [Data ingestion to Google SecOps](/chronicle/docs/data-ingestion-flow).\n\nAn ingestion label identifies the parser which normalizes raw log data to structured\nUDM format. The information in this document applies to the parser with the\n`ILLUMIO_CORE` ingestion label.\n\nCreate a log group\n------------------\n\n1. In the **Policy Console Engine (PCE)** web console menu, go to **Settings \\\u003e Event settings**.\n2. Click **Add** . The **Event settings -- add event forwarding** window appears.\n3. Click **Add repository**.\n4. In the **Add repository** dialog that appears, do the following:\n\n 1. In the **Description** field, enter a name for the syslog server.\n 2. In the **Address** field, enter the IP address of the syslog server.\n 3. In the **Protocol** list, select **UDP** or **TCP** as a protocol.\n 4. In the **Port** field, enter the port number for the syslog server.\n 5. In the **TLS** list, select **Disabled**.\n 6. Click **Ok**\n5. In the **Events** dialog that appears, choose the events you want to send to your syslog server.\n\n6. Configure the event forwarding repository to specify the required events for forwarding.\n\n7. Enable all options in **Auditable events** and **Traffic events**.\n\n8. Click **Save**.\n\n | **Note:** TLS is not supported for this onboarding.\n\nConfigure the Google SecOps forwarder to ingest Illumio Core logs\n-----------------------------------------------------------------\n\n1. In the Google SecOps menu, select **Settings \\\u003e Forwarders \\\u003e Add new forwarder**.\n2. In the **Forwarder name** field, enter a unique name for the forwarder.\n3. Click **Submit** . The forwarder is added and the **Add collector configuration** window appears.\n4. In the **Collector name** field, enter a unique name for the collector.\n5. In the **Log type** field, specify `Illumio Core`.\n6. Select **Syslog** as the **Collector type**.\n7. Configure the following input parameters:\n - **Protocol**: specify the connection protocol that the collector uses to listen to syslog data.\n - **Address**: specify the target IP address or hostname where the collector resides and listens to syslog data.\n - **Port**: specify the target port where the collector resides and listens to syslog data.\n8. Click **Submit**.\n\nFor more information about the Google SecOps forwarders, see [Manage forwarder configurations through the Google SecOps UI](/chronicle/docs/install/forwarder-management-configurations).\n\nIf you encounter issues when you create forwarders, contact [Google SecOps support](https://console.cloud.google.com/support)."]]
