This page provides instructions for ingesting SentinelOne logs into Sumo Logic through a Cloud Syslog Source. For more information on SentinelOne, visit the SentinelOne website.
If you have a SentinelOne account, you can view the contents of this article in the SentinelOne Support knowledge base here.
Step 1. Get a token and certificate from Sumo Logic
SentinelOne can insert a SIEM token into the message ID field of the CEFv2 syslog messages it sends. The token you use here is the Cloud Syslog Source token from Sumo Logic; it is what identifies your source, so a message that arrives without the right token will not be attributed to it.
To get a token and certificate from Sumo Logic, do the following:
- Log in to the Sumo Logic web site.
- Create a Cloud Syslog Source (or open an existing one) and copy its token, along with the host and TLS port it shows; you will enter all three into SentinelOne in Step 2.
- Download the DigiCert High Assurance EV Root CA certificate, which SentinelOne will use to verify the Sumo Logic syslog endpoint. The file is distributed in DER form and SentinelOne expects a crt (PEM) file, so convert it before uploading. Open a terminal in the directory where you want to keep the file and run the following two commands:
wget -O digicert_ca.der https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
openssl x509 -inform der -in digicert_ca.der -out digicert_ca.crt
The resulting digicert_ca.crt is the certificate file you upload in Step 2.
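The download and conversion above, extended into a small script with the checks a practitioner would run before trusting the file. This is an added example, not code from the original page, SentinelOne or Sumo Logic: it detects whether the downloaded file is DER or already PEM (the openssl command above fails on a PEM input), prints the subject, expiry and SHA-256 fingerprint so you can compare them with the values DigiCert publishes for this root, and optionally probes the syslog endpoint over TLS trusting only that CA. The `fetch` argument, the environment variables SUMO_SYSLOG_HOST and SUMO_SYSLOG_PORT, and the default port 6514 (the standard port for syslog over TLS) are assumptions made for this example; take the real host and port from your Cloud Syslog Source.

```shell
#!/bin/sh
# Added example (not part of the original page): fetch the DigiCert root CA, normalise it
# to PEM, show the fields to verify, and optionally confirm a TLS handshake with the endpoint.
set -eu

# Convert a certificate file to PEM whether it was served as DER or as PEM.
# `openssl x509 -inform der` errors out on a PEM input, so detect the format first.
# Usage: to_pem <input-file> <output-file>
to_pem() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    cp "$1" "$2"                       # already PEM: copy as-is
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# Print subject, expiry and SHA-256 fingerprint: compare these with the values
# DigiCert publishes for the root before uploading the file anywhere.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Succeed (exit 0) only if the file parses as a PEM certificate that has not expired.
cert_is_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# SHA-256 fingerprint only, for comparing two copies of the same certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Probe <host>:<port> over TLS trusting nothing but <ca.pem>. If this handshake does
# not verify, SentinelOne's Test button will fail with the same CA file.
# Usage: tls_check <host> <port> <ca.pem>
tls_check() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" \
    -CAfile "$3" -verify_return_error >/dev/null 2>&1
}

# Only runs when invoked as `sh this_script.sh fetch`; the functions above can be sourced alone.
if [ "${1:-}" = "fetch" ]; then
  wget -O digicert_ca.der https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
  to_pem digicert_ca.der digicert_ca.crt
  cert_summary digicert_ca.crt
  # SUMO_SYSLOG_HOST / SUMO_SYSLOG_PORT are assumed names for this example;
  # take the real host and port from your Cloud Syslog Source in Sumo Logic.
  if [ -n "${SUMO_SYSLOG_HOST:-}" ]; then
    if tls_check "$SUMO_SYSLOG_HOST" "${SUMO_SYSLOG_PORT:-6514}" digicert_ca.crt; then
      echo "TLS handshake to $SUMO_SYSLOG_HOST verified with digicert_ca.crt"
    else
      echo "TLS verification failed: wrong host/port, or the endpoint does not chain to this CA" >&2
      exit 1
    fi
  fi
fi
```

Run it as `sh fetch_sumo_ca.sh fetch` (any file name works) to download and convert; set SUMO_SYSLOG_HOST first if you also want the handshake check. A fingerprint mismatch against DigiCert's published value, or a failed handshake, means you should stop and not upload the file.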
Step 2. Configure syslog messages
In this step, you configure syslog forwarding from the SentinelOne Management Console.
To configure syslog messages, do the following:
- In the SentinelOne sidebar, click Scope, and then select a scope.
- In the sidebar, click Settings.
- In the Settings toolbar, click Integrations.
- Click SYSLOG. The SYSLOG dialog appears.
- Click the toggle to Enable SYSLOG.
- Enter the Syslog Host and port number of the Cloud Syslog Source from Step 1 (the host name, not a URL; the port is the TLS port shown on the source).
- Click Use SSL secure connection, then click Server certificate > Upload and browse to the converted digicert_ca.crt file from Step 1.
- Specify the following Formatting options:
- Information format: Select CEF2
- SIEM Token: Paste the Cloud Syslog Source token you copied from Sumo Logic in Step 1, exactly as shown.
- Click Test. Click Save only once the test succeeds; a failed test means the Management Console could not complete the secure connection with the host, port and certificate you entered.
In the Sumo Logic web application, verify that the logs are being ingested by running a search scoped to the Cloud Syslog Source you configured in Step 1. If you don't see any data coming in after 2-3 minutes, check the following:
- that the SIEM token pasted into SentinelOne exactly matches the token of that Cloud Syslog Source (messages carrying the wrong or no token are not attributed to your source),
- that the Information format is CEF2, since the token is carried in the CEFv2 message,
- that the Management Console can reach the Syslog Host and port over TLS with the uploaded certificate (the Test button in Step 2 passes), and
- that your time zone is configured correctly, so messages are not timestamped outside the search window.