
Collecting Logs for SentinelOne

This page provides instructions for ingesting SentinelOne logs into Sumo Logic. For more information on SentinelOne, please visit the SentinelOne website.

If you have a SentinelOne account, you can view the contents of this article in the SentinelOne Support knowledge base here.

Step 1. Get a token and certificate from Sumo Logic

SentinelOne can carry a SIEM token in the message ID field of the CEFv2 syslog messages it sends; in this integration, that token is the Cloud Syslog Source token you generate in Sumo Logic.

To get a token and certificate from Sumo Logic, do the following:

  1. Log in to the Sumo Logic web site.
  2. Configure a Cloud Syslog Hosted Collector and Cloud Syslog Source, and generate a Cloud Syslog Source token.
  3. Download the crt server certificate file from here.
  4. Go to the location where the cert file is located and open a terminal window.
  5. Run the following commands. The first fetches the DigiCert root CA certificate in DER form; the second converts it to a PEM file, digicert_ca.crt, which you will upload to SentinelOne in Step 2:

     wget -O digicert_ca.der https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
     openssl x509 -inform der -in digicert_ca.der -out digicert_ca.crt

Step 2. Configure syslog messages

In this step, you configure syslog forwarding in the SentinelOne Management Console.

To configure syslog messages, do the following:

  1. In the SentinelOne sidebar, click Scope, and then select a scope.
  2. In the sidebar, click Settings.
  3. In the Settings toolbar, click Integrations.

  [Screenshot: SentinelOne Integrations option]

  4. Click SYSLOG. The SYSLOG dialog appears.
  5. Click the toggle to Enable SYSLOG.
  6. Enter the Syslog Host URL and port number.
  7. Click Use SSL secure connection, then click Server certificate > Upload and browse to the crt certificate file (digicert_ca.crt) from Step 1.
  8. Specify the following Formatting options:
     • Information format: Select CEF2.
     • SIEM Token: Paste the Cloud Syslog Source token generated from Sumo Logic.

  [Screenshot: SentinelOne SYSLOG dialog]

  9. Click Test, and then click Save.
  10. In the Sumo Logic Web Application, verify that the logs are being ingested by running a search against the Cloud Syslog Source you configured in Step 1. If you don't see any data coming in after 2-3 minutes, check the following:
     • that the Sumo Logic Collector has read access to the logs, and
     • that your time zone is configured correctly.
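When the search in the last step returns data, it helps to confirm that the lines look the way this integration is configured to send them: CEF payloads inside RFC 5424 syslog, with the SIEM token in the message ID field. The following Python is an added example, not code from this page, SentinelOne or Sumo Logic: it rejects lines whose MSGID is not the expected token, then decodes the CEF header and extension, handling the CEF escapes for `|`, `=` and `\`. The sample line and the token are constructed, and the placement of the token in the RFC 5424 MSGID field is assumed from the description in Step 1.

```python
import re
# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) (?P<msg>.*)$"
)
_CEF_FIELD_RE = re.compile(r"((?:\\.|[^|\\])*)\|")   # one header field up to an unescaped pipe
_EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")  # "key=" at start or after a space
_UNESCAPE = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}

def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(0)), value)

def split_cef_header(cef: str) -> list:
    """Return the 7 CEF header fields (unescaped) plus the raw extension at index 7."""
    if not cef.startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    fields, pos = [], 0
    for _ in range(7):
        m = _CEF_FIELD_RE.match(cef, pos)
        if not m:
            raise ValueError("fewer than 7 CEF header fields")
        fields.append(_unescape(m.group(1)))
        pos = m.end()
    return fields + [cef[pos:]]

def parse_extension(ext: str) -> dict:
    """Parse 'key=value key=value'; values may contain spaces and escaped '\\='."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out = {}
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[k.group(1)] = _unescape(ext[k.end():end])
    return out

def parse_sentinelone_cef(line: str, expected_token: str) -> dict:
    """Reject lines whose MSGID is not the configured SIEM token, then decode the CEF."""
    m = _SYSLOG_RE.match(line)
    if not m or m.group("msgid") != expected_token:
        raise ValueError("not RFC 5424, or MSGID does not carry the expected SIEM token")
    h = split_cef_header(m.group("msg"))
    return {"token": m.group("msgid"), "vendor": h[1], "product": h[2], "version": h[3],
            "signature_id": h[4], "name": h[5], "severity": h[6], "ext": parse_extension(h[7])}

# Constructed sample line, not real SentinelOne output; the token is a placeholder.
SAMPLE = ("<14>1 2024-01-01T00:00:00Z mgmt.example.com SentinelOne - EXAMPLE_TOKEN_0001 - "
          "CEF:0|SentinelOne|Mgmt|1.0|10|Threat detected \\| blocked|8|rt=2024-01-01T00:00:00Z "
          "suser=alice fname=C:\\\\Temp\\\\bad.exe msg=Quarantined file hash\\=abc")
RECORD = parse_sentinelone_cef(SAMPLE, "EXAMPLE_TOKEN_0001")
```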