Sumologic Integration for Logs
Summary – InsightFinder can source the log data from Sumologic, detect anomalous log entries, and correlate it with other data to generate anomalies and root causes. Below documentation is a walk through of how to configure Sumologic and InsightFinder integration.
Assumption here is that you already have a Sumo Logic account. You also have a sumo logic agent running on required servers collecting required data.
Project Creation :-
- Go to “Settings”->“System Settings”. Click on “Add New Project”.
- Select “Sumo Logic” from the list and click on “Create Project” on the next page.
- This is where you will start configuring the project.
- Deployment, Access Id, Access key and Filter query.
- Click on “Verify” and you will be taken to the next page if verification is successful. This is where you have the option to configure a Historical date range, if needed.
- Then on the next page, you can type in the “Project Name” and “System Name” and click on Register. You can also define detection keywords and Incident labels.
- Detection keywords/regular expressions are used to detect which log entries will produce allowlist alerts.
- Incident labels/regex are used to identify which log entries indicate incidents.
- Once a project is successfully created, you will see a message like below.
- You are all set to start seeing Sumo logic data into InsightFinder.
Project Configuration :-
Information needed –
- Sumo Logic account access key for authentication. To get it, you need to login to a sumologic account and go to the “Administration” section on the left bottom. Click on “Security” there and you will be presented with the screen where you need to select the “Access key” tab. To generate a new key, click on “Add Access key” on the top right.