July 27, 2020
Video conferencing usage, especially on Zoom, has exploded in the last few months, and companies small and large are using it extensively to enable and connect their now mostly-remote employees. And, as with any other critical technology, especially when interconnecting infrastructure, it’s important that administrators get real-time visibility and insights into it, such as:
Zoom can be configured to send account activity logs out via Webhooks. On the LogStream side, we can receive those calls via our native HTTPS Source. To set this up, go to Data > Sources and select HTTPS. Assign this Source a name and provide a port number, e.g., 7003. Make sure that this port is reachable externally, or at a minimum, from Zoom’s IP addresses.
Leave the Auth Token field here empty for now, or enter a fictional one – we’ll come back and edit it after we complete Step 2.
Next, enable TLS, and provide your key and certs as necessary. If you don’t have a cert/key, then you can create and use a self-signed one. E.g.:
openssl req -nodes -new -x509 -newkey rsa:2048 -keyout myKey.pem -out myCert.pem -days 420
To set up Zoom to send data, go to marketplace.zoom.us and log in to your account. Find Develop at the upper right and click Build App.
Next, select Webhook Only and click Create.
Name your app. Then fill in the Basic Information and Developer Contact Information required on the next form, and click Continue.
Next, on the Add Feature page, enable Event Subscriptions and a new subscription – in our example, we’re calling it Zoom Events to LogStream. In the Event notification endpoint URL, enter the destination URL that Zoom will send events to. This is the LogStream HTTPS Source address from above, in https://<logstream-hostname-or-ip>:7003/cribl/_bulk form. Next, click the Add events button and subscribe to your desired Webhook Events. In our case, we subscribed to all. Then click Save.
Finally, click Activation to activate the Webhook Only App.
Navigate into the Feature tab, copy the Verification Token string, and use this to update the LogStream HTTPS Source we created above. This token verifies that the event notifications that you receive are originating from Zoom.
We should now be connected. To capture live data in LogStream, navigate to our Source, click on the Live button, and then on Live Data. If there is current Zoom activity, the capture should show something like this:
Now that data is flowing in, we can create an Output Router that sends this data to three destinations. Output Routers are found under Data > Destinations, and they allow for output selection based on rules. Rules are evaluated in order, top‑>down, with the first match being the winner.
To clone data, all we need to do is set the Final flag to No. For example, the Output Router below, called zoomRouter, is configured to forward all incoming data to three outputs: a Splunk Destination called localSplunk, an Azure Logs Destination called sentinel-monitor-logs, and finally to an Amazon S3 Destination called zoomLogs. (Each of these Destinations is configured individually, and here they’re just referenced.)
To engage the Output Router, we create a Route called Zoom Data Route that targets specifically our Zoom data, using a Filter on the Source we created above:
Since we don’t need any processing, we use a passthru Pipeline. And as an Output, we select the Output Router we just created above.
That’s it – done!
With a wide support for a large number of Sources and protocols, LogStream enables you to receive your video conferencing logs and forward them to your security and operational analytical stores reliably, at scale, and without any custom code.
If you have any questions or feedback, join our community Slack – we’d love to help you out. If you’re looking to join a fast-paced, innovative team, drop us a line at email@example.com – we’re hiring!