This guide walks you through creating a Sumo Logic access token and secret, an HTTP Source, and gathering the configuration needed to create a Sumo Logic SIEM integration.

Create a Sumo Logic Access Key

1. Log in to Sumo Logic

The account used must have at least the 'Create Access Keys' and 'Manage Collectors' roles to complete these steps.

2. Create the Access ID and Key

Follow the Sumo Logic documentation for creating Access Keys.

Once your key is created, make sure to save both the Access ID and Access Key to a safe location before clicking 'Done'.

Configure Sumo Logic to receive data

3. Define a new HTTP Log Source

Follow the Sumo Logic documentation for configuring a new HTTP Logs and Metrics Source.

Choose HTTP Logs & Metrics as your source type.

Make sure the Forward to SIEM checkbox is checked.

Leave the Fields/Metadata empty.

In the Advanced Options for Logs, make sure both the 'Extract timestamp information from log file entries' and 'Multiline Processing' options are checked with automatic detection.

Leave the Processing Rules at their defaults.

Copy down the 'HTTP Source Address' after saving your new Source. This is your Sumo Logic Collection URL.

Configure the Integration

Create your integration by supplying all of the required and any desired optional values.

URL: The root API Endpoint URL for your Sumo Logic deployment, without any path. See the Sumo Logic documentation for help finding the correct API Endpoint URL. For example, https://api.sumologic.com (without "/api/").

Credential Username: The Access ID gathered in step 2.

Credential Secret: The Access Key gathered in step 2.

Collection URL Secret: The HTTP Source Address gathered in step 3.

Auto Parse Logs (Optional): Tells Sumo Logic to automatically parse logs sent as JSON and extract their fields. Default is true.

SIEM Logs Only (Optional): When querying for logs through this integration, you can either search all of the logs housed in your Sumo Logic deployment or limit the search to results that have been processed by the Sumo Logic Cloud SIEM product.
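The following Python helpers are an added example for sanity-checking the values gathered in steps 2 and 3 before entering them; they are not part of the original guide or of Sumo Logic's own code. They assume the API accepts HTTP Basic authentication with the Access ID and Access Key, and that logs are sent to the HTTP Source as newline-delimited JSON so Auto Parse Logs can extract the fields.

```python
"""Offline checks for the integration values (added example, not from the guide)."""
import base64
import json
from urllib.parse import urlparse


def normalize_api_url(url: str) -> str:
    """Return the root API endpoint (scheme and host only).

    The integration expects e.g. https://api.sumologic.com with no path, so a
    pasted value such as https://api.sumologic.com/api/ is trimmed back to the
    root, and anything that is not an https URL is rejected.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"API endpoint must be an https URL: {url!r}")
    return f"{parsed.scheme}://{parsed.netloc}"


def check_collection_url(url: str) -> str:
    """Require the HTTP Source Address to be an https URL with a non-empty path.

    The address is treated as a secret because anyone holding it can post data
    into the source, so it must never be logged or committed alongside code.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc or parsed.path in ("", "/"):
        raise ValueError(f"Not an HTTP Source Address: {url!r}")
    return url.strip()


def basic_auth_header(access_id: str, access_key: str) -> dict:
    """Assumption: the API accepts HTTP Basic auth as accessId:accessKey."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def build_log_batch(events: list) -> bytes:
    """Serialise events as newline-delimited JSON, one object per line,
    which is the shape Auto Parse Logs can split into fields."""
    lines = (json.dumps(e, separators=(",", ":"), sort_keys=True) for e in events)
    return "\n".join(lines).encode()


if __name__ == "__main__":
    # Constructed placeholder values; replace with the ones you gathered.
    print(normalize_api_url("https://api.sumologic.com/api/"))
    print(check_collection_url("https://collectors.example.invalid/receiver/v1/http/PLACEHOLDER"))
    print(basic_auth_header("ACCESS_ID_PLACEHOLDER", "ACCESS_KEY_PLACEHOLDER"))
    print(build_log_batch([{"event": "login", "user": "alice"}]))
```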