
Collect logs for the Slack App

This page explains how to collect logs from Slack and ingest them into Sumo Logic for use with the Slack App predefined dashboards and searches. It also provides sample log messages and a query example.

Collection overview

Sumo Logic collects logs from Slack through the Slack API. You choose which log types to collect, and the collector forwards them to a Sumo Logic HTTP Source. By default, collection starts from the current date and time; this is configurable (see the BACKFILL_DAYS variable in the Advanced Configuration section). Configuring log collection for the Slack App includes the following tasks:

  • Step 1: Create a Sumo Logic app in Slack
  • Step 2: Add a Hosted Collector and HTTP Source
  • Step 3: Configure collection for Slack

Step 1: Create a Sumo Logic app in Slack

To generate a Slack App token, do the following:

  1. Go to the Slack Apps page.
  2. Click Create New App.
  3. Enter the App Name and select the Development Slack Workspace for which you need to generate a token and collect logs.
  4. Click Create App.
  5. In the Basic Information section for the app created above, click Permissions.
  6. In the Scopes section, add the permissions for the log types you want to collect, and then click Save. Logs are collected according to the scopes you grant; add only the scopes for the log types you intend to collect.


Log collected (Slack plan):

  • Audit logs, via the auditlogs:read scope (Enterprise plans only)
  • Public message logs
  • Public channel logs
  • User logs
  • Team name, added to all logs



  7. Go to Install App and click Install App to Workspace. The app prompts you for permission to install based on the scopes you selected.
  8. Click Allow to install the app to the workspace.
  9. Copy the generated token. You will need it when configuring the Slack collector. Treat it as a secret: it grants read access to every log type you scoped.


Step 2: Add a Hosted Collector and HTTP Source

This section demonstrates how to add a hosted Sumo Logic collector and HTTP Logs source, to collect logs for Slack.

Identify an existing Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and HTTP source, do the following:

  1. Create a new Sumo Logic Hosted Collector by performing the steps in Configure a Hosted Collector.

  2. Create a new HTTP Logs Source in the hosted collector created above by following the instructions for an HTTP Logs Source. Keep the generated source URL private: it is the only credential needed to post data to that source.

Step 3: Configure collection for Slack

This section covers the ways to collect logs from Slack and send them to Sumo Logic; the logs then appear in the dashboards of the Slack App. You can run the collector in Amazon Web Services (AWS) as an AWS Lambda function, or as a script on a Linux machine driven by a cron job. Choose the method best suited to your environment:

  • AWS Lambda based collection via a Serverless Application Model (SAM) application
  • Script based collection

Sumo Logic Slack SAM application

In this collection method, you deploy the SAM application, which creates the necessary resources in your AWS account.

To deploy the Sumo Logic Slack SAM application, do the following:

  1. Go to the AWS Serverless Application Repository.
  2. Search for sumologic-slack and make sure the checkbox next to Show apps that create custom IAM roles or resource policies is selected, then click the app link when it appears.
  3. When the page for the Sumo app appears, click Deploy.
  4. In the AWS Lambda > Functions > Application Settings panel, enter the following parameters in the corresponding text fields:
  • HTTPLogsEndpoint: Copy and paste the URL for the HTTP log source from Step 2.
  • Token: Copy and paste the Slack token from Step 1.
  5. Click Deploy.

Configuring collection for multiple Slack Workspaces

This section shows you how to configure collection for multiple workspaces, assuming you are already collecting Slack data for one workspace. Each SAM deployment collects for one workspace (one Slack token), so this task requires that you:

  • If both workspaces belong to the same Enterprise organization, collect Audit Logs in only one of the deployments, because they are organization-wide and would otherwise be ingested twice.
  • Change the DBNAME so that the state (keys) maintained (bookkeeping) in the database (key-value store) of the two deployments do not conflict.

To configure collection for an additional workspace, do the following:

  1. Deploy the SAM application with the configuration (token and HTTP source URL) for the new workspace.
  2. After the deployment is complete, change the database name by adding the DBNAME environment variable to the AWS Lambda function.


Sumo Logic Slack Script based collection

This section provides instructions for deploying script based collection for the Sumo Logic Slack App.

Before you begin:

  • You must have added a Hosted Collector and HTTP source and copied the configuration parameter (token) from Slack, as described in Step 1 and Step 2.
  • You must be logged in to the user account with which you will install the collector. If you are not, use this command to switch to that account:
    sudo su <user_name>

Configure the script on a Linux machine

This task shows you how to install the script on a Linux machine.

To deploy the script, do the following:

  1. Log in to a Linux machine with Python 3.7 or Python 2.7 available. (Python 2.7 is end-of-life; prefer Python 3 for new installations.)

  2. If pip is not already installed, follow the instructions in the pip documentation to download and install it.

  3. Do one of the following:

For Python 2, run the following command: pip install sumologic-slack

For Python 3, run the following command: pip3 install sumologic-slack

  4. Create a configuration file named slackcollector.yaml in the home directory, as shown in the following example, and fill in the parameters where indicated. Because the file holds the Slack token, make it readable only by the collector's user account (for example, chmod 600 slackcollector.yaml).

 TOKEN: <Paste Slack authorization token>
 HTTP_LOGS_ENDPOINT: "<Paste the URL for the HTTP log source from the Sumo Logic collector>"

  5. Create a cron job to run the collector every 5 minutes (use crontab -e). Do one of the following:

For Python 2, add the following line to your crontab:
*/5 * * * *  /usr/bin/python -m sumoslack.main > /dev/null 2>&1

For Python 3, add the following line to your crontab:
*/5 * * * *  /usr/bin/python3 -m sumoslack.main > /dev/null 2>&1

Configuring collection for multiple workspaces

This section shows you how to configure script based collection for multiple workspaces, assuming you are already collecting Slack data for one workspace. Each workspace needs its own token and its own DB_NAME, so that the bookkeeping state of the two collectors does not conflict.

To configure collection for an additional workspace, do the following:

  1. After configuring the script on a Linux machine, open the configuration file for the additional workspace.
  2. Change the DB_NAME in the slackcollector.yaml file, as indicated in the following example.

 TOKEN: <Paste Slack authorization token for this workspace>
 HTTP_LOGS_ENDPOINT: "<Paste the URL for the HTTP log source from the Sumo Logic collector>"
 DB_NAME: <A name unique to this workspace>


Advanced Configuration

This section is common to both AWS Lambda based collection and script based collection.

The following table lists the variables for Slack that you can optionally define in the configuration file.

Variable (Section): Usage

LOG_TYPES (Slack section): Remove any of the lines below if you do not want to collect that log type.







 # Below are different types of audit logs that can be sent. Remove if not required
 - workspace_created
 - workspace_deleted
 - workspace_accepted_migration
 - workspace_declined_migration
 - migration_scheduled
 - organization_created
 - organization_deleted
 - organization_accepted_migration
 - organization_declined_migration
 - pref.sso_setting_changed
 - pref.two_factor_auth_changed
 - pref.public_channel_retention_changed
 - pref.private_channel_retention_changed
 - pref.dm_retention_changed
 - pref.file_retention_changed
 - pref.retention_override_changed
 - billing_address_added
 - emoji_added
 - emoji_removed
 - emoji_aliased
 - emoji_renamed
 - manual_export_started
 - manual_export_completed
 - corporate_exports_approved
 - corporate_exports_enabled
 - scheduled_export_started
 - scheduled_export_completed

 - role_change_to_owner
 - role_change_to_admin
 - role_change_to_user
 - role_change_to_guest
 - owner_transferred
 - user_created
 - user_deactivated
 - user_reactivated
 - guest_created
 - guest_deactivated
 - guest_reactivated
 - guest_expiration_set
 - guest_expired
 - guest_expiration_cleared
 - user_login
 - user_logout
 - custom_tos_accepted

 - user_channel_join
 - user_channel_leave
 - guest_channel_join
 - guest_channel_leave
 - public_channel_created
 - private_channel_created
 - public_channel_archive
 - private_channel_archive
 - public_channel_unarchive
 - private_channel_unarchive
 - public_channel_deleted
 - private_channel_deleted

 - app_approved
 - app_installed
 - app_scopes_expanded
 - app_resources_added

 - file_downloaded
 - file_uploaded
 - file_public_link_created
 - file_public_link_revoked
 - file_shared

BACKFILL_DAYS (Collection section): Number of days before the current date at which event collection starts. If the value is 1, events are fetched from yesterday to today.
LOG_FORMAT (Logging section): Log format used by the Python logging module to write logs to a file.
ENABLE_LOGFILE (Logging section): Set to TRUE to write all logs and errors to a log file.
ENABLE_CONSOLE_LOG (Logging section): Enables printing logs to the console.
LOG_FILEPATH (Logging section): Path of the log file used when ENABLE_LOGFILE is set to TRUE.
NUM_WORKERS (Collection section): Number of threads to spawn for API calls.
MAX_RETRY (Collection section): Number of retries to attempt when a request fails.
BACKOFF_FACTOR (Collection section): A backoff factor to apply between attempts after the second try. If the backoff factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.
TIMEOUT (Collection section): Request timeout used by the requests library.
HTTP_LOGS_ENDPOINT (SumoLogic section): URL of the HTTP source created in Sumo Logic for ingesting logs.
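The table above does not spell out how the Collection settings interact with the bookkeeping that the multiple-workspace sections depend on. The following is an added example, not code from the sumologic-slack package: it models a collector's saved position per DB_NAME and log type, the first-run window derived from BACKFILL_DAYS, and the retry schedule described for BACKOFF_FACTOR. The store layout, the function names, the fake send() and treating MAX_RETRY as the number of attempts are assumptions for illustration.

```python
import time


def backoff_schedule(max_retry, backoff_factor):
    """Seconds to wait before attempt n (n = 0..max_retry-1). Mirrors the
    convention quoted for BACKOFF_FACTOR: the first attempt is immediate,
    then backoff_factor * 2**n, so (3, 0.1) gives [0.0, 0.2, 0.4]."""
    return [0.0 if n == 0 else backoff_factor * (2 ** n) for n in range(max_retry)]


class KeyValueStore:
    """Stand-in for the collector's bookkeeping database. Assumption for
    illustration: one mark per (DB_NAME, log type)."""

    def __init__(self):
        self._marks = {}

    def get(self, dbname, log_type):
        return self._marks.get((dbname, log_type))

    def put(self, dbname, log_type, epoch):
        self._marks[(dbname, log_type)] = epoch


def collection_window(store, dbname, log_type, backfill_days, now):
    """Epoch window (start, end) for the next poll. A DB_NAME with no saved
    mark starts BACKFILL_DAYS before `now`; otherwise it resumes at the mark."""
    last = store.get(dbname, log_type)
    start = last if last is not None else now - backfill_days * 86400
    return start, now


def poll_once(store, dbname, log_type, backfill_days, now, send,
              max_retry=3, backoff_factor=0.1, sleep=time.sleep):
    """Fetch-and-forward one window. `send(start, end)` stands in for the
    Slack pull plus the HTTP Source POST and returns True on success. The
    mark advances only after a successful send, so a failed poll is retried
    from the same start on the next cron run instead of losing the window."""
    start, end = collection_window(store, dbname, log_type, backfill_days, now)
    for delay in backoff_schedule(max_retry, backoff_factor):
        sleep(delay)
        if send(start, end):
            store.put(dbname, log_type, end)
            return True
    return False


def demo_shared_dbname(now=1_700_000_000):
    """Two workspaces on one host. With a shared DB_NAME the second workspace
    resumes at the first one's mark and silently skips its own backfill; with
    distinct names each gets the full BACKFILL_DAYS window."""
    always_ok = lambda start, end: True
    no_sleep = lambda seconds: None
    shared = KeyValueStore()
    poll_once(shared, "sumoslack", "AccessLog", 1, now, always_ok, sleep=no_sleep)
    shared_second = collection_window(shared, "sumoslack", "AccessLog", 1, now + 300)
    separate = KeyValueStore()
    poll_once(separate, "sumoslack-wsA", "AccessLog", 1, now, always_ok, sleep=no_sleep)
    separate_second = collection_window(separate, "sumoslack-wsB", "AccessLog", 1, now + 300)
    return shared_second, separate_second


def demo_retry(now=1_700_000_000):
    """A sender that fails twice, then succeeds: returns (ok, attempts,
    delays slept, saved mark)."""
    calls, delays = [], []

    def flaky(start, end):
        calls.append((start, end))
        return len(calls) >= 3

    store = KeyValueStore()
    ok = poll_once(store, "sumoslack", "UserLog", 1, now, flaky,
                   max_retry=3, backoff_factor=0.1, sleep=delays.append)
    return ok, len(calls), delays, store.get("sumoslack", "UserLog")


if __name__ == "__main__":
    print("shared vs separate DB_NAME windows:", demo_shared_dbname())
    print("retry run:", demo_retry())
```

The shared-DB_NAME case is the failure mode the multiple-workspace sections warn about: nothing errors, the second workspace simply never collects its BACKFILL_DAYS of history.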


Test the script based collection

This section shows you how to run the collector manually and then verify that log messages are being sent from Slack.

To run the collector manually, do the following:

  1. Enter one of the following commands:
  • For Python 2: python -m sumoslack.main
  • For Python 3: python3 -m sumoslack.main
  2. Check the automatically generated log file, /tmp/sumoapiclient.log, to verify that the collector is being triggered. If you set LOG_FILEPATH to a different path in Advanced Configuration, check that path instead.

Note: If you get an OAuth Error: team_not_authorized error when you try to add scopes to your Slack app, remove the auditlogs:read scope from the app. Audit logs are available only on Enterprise plans, so that scope cannot be granted on other plans.

Log types

Slack logs are in JSON format. The Slack App uses the following five log types:

  • User logs
  • Public Channel logs
  • Public Message logs
  • Access logs
  • Audit logs

Which log types are available depends on your Slack plan; Audit logs require an Enterprise plan (see the scopes list in Step 1).


Sample log messages

The following are sample log messages for the different log types.

User logs

  {
    "id": "UM27LNGHK",
    "name": "test",
    "deleted": false,
    "real_name": "test",
    "tz": "Asia/Kolkata",
    "tz_label": "India Standard Time",
    "is_admin": false,
    "is_owner": false,
    "is_primary_owner": false,
    "is_restricted": false,
    "is_ultra_restricted": false,
    "is_bot": false,
    "is_app_user": false,
    "updated": 1565005724,
    "has_2fa": false,
    "teamName": "TestSlack",
    "email": "",
    "billable": true,
    "logType": "UserLog"
  }


Public Channel logs

  {
    "channel_id": "CKN1D8010",
    "channel_name": "testchannel",
    "members": 2,
    "logType": "ChannelDetail",
    "teamName": "TestSlack"
  }


Public Message logs

  {
    "type": "message",
    "text": "Test",
    "files": [
      {
        "name": "Test",
        "fileType": "epub",
        "fileSize": 1258,
        "urlPrivate": "",
        "urlPrivateDownload": "",
        "permalink": ""
      }
    ],
    "attachments": [
      {
        "id": 16,
        "text": "Test",
        "author_name": "",
        "author_link": "",
        "pretext": "",
        "fallback": "Messages Sent"
      }
    ],
    "upload": true,
    "user": "e65b0bd8",
    "display_as_bot": false,
    "ts": "1566215592",
    "client_msg_id": "23849274-580c-4644-9478-8328e5716b89",
    "userName": "roy",
    "channelId": "e65b0d0e",
    "channelName": "app-for-slack",
    "teamName": "TestSlack",
    "logType": "ConversationLog"
  }


Access logs

  {
    "user_id": "e65b0476",
    "username": "dave",
    "date_first": 1566215532,
    "date_last": 1566215532,
    "count": 2,
    "ip": "",
    "user_agent": "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36",
    "isp": "Inetbroadband",
    "country": "PA",
    "region": "EU",
    "teamName": "TestSlack",
    "logType": "AccessLog"
  }


Audit logs (the scopes list of the entity is omitted from this sample)

  {
    "logType": "UserAuditLog",
    "id": "bdcb13e3-28a3-41f0-9ace-a20952def3a0",
    "date_create": 1566215192,
    "action": "user_created",
    "actor": {
      "type": "user",
      "user": {
        "id": "e65b0f5c",
        "name": "roy",
        "email": ""
      }
    },
    "entity": {
      "id": "e65b107e",
      "privacy": "public",
      "name": "BigCo ISP",
      "is_shared": false,
      "is_org_shared": false,
      "filetype": "text/csv",
      "title": "john",
      "is_distributed": false,
      "is_directory_approved": false,
      "scopes": []
    },
    "context": {
      "location": {
        "type": "workspace",
        "id": "e65b11aa",
        "name": "Docker",
        "domain": "Docker"
      },
      "ua": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0",
      "ip_address": ""
    },
    "details": {
      "id": "USLACKUSER",
      "name": "himanshu",
      "email": ""
    }
  }
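The samples above show the fields each log type carries, but not what a detection engineer would do with them once they land in Sumo Logic. The following is an added example, not code from the Slack App or from Sumo Logic: triage rules run over constructed records in the shapes of the samples (privileged users without 2FA in User logs, logins from unexpected countries in Access logs, high-risk actions in Audit logs, file uploads in Message logs), with malformed lines counted rather than crashing the run. The field names are those in the samples; the severity labels, the allowed-country list, the high-risk action set and the constructed records themselves are assumptions for illustration.

```python
import json

# Audit actions worth alerting on, drawn from the LOG_TYPES list in Advanced
# Configuration. Which actions count as high risk is an assumption for this
# example, not a Sumo Logic or Slack rule.
HIGH_RISK_AUDIT_ACTIONS = frozenset({
    "role_change_to_owner", "role_change_to_admin", "owner_transferred",
    "pref.sso_setting_changed", "pref.two_factor_auth_changed",
    "pref.retention_override_changed", "app_installed", "app_scopes_expanded",
    "manual_export_started", "scheduled_export_started",
    "corporate_exports_enabled", "file_public_link_created",
})

# Constructed records in the shapes of the samples above (abbreviated). The
# admin flag, the slackbot user, the role-change event and the bad line are
# invented for the demonstration.
SAMPLE_LINES = [
    '{"id": "UM27LNGHK", "name": "test", "deleted": false, "is_admin": true, '
    '"is_owner": false, "is_primary_owner": false, "is_bot": false, '
    '"has_2fa": false, "teamName": "TestSlack", "logType": "UserLog"}',
    '{"id": "USLACKBOT", "name": "slackbot", "deleted": false, "is_admin": false, '
    '"is_owner": false, "is_primary_owner": false, "is_bot": true, '
    '"has_2fa": false, "teamName": "TestSlack", "logType": "UserLog"}',
    '{"user_id": "e65b0476", "username": "dave", "count": 2, "ip": "", '
    '"country": "PA", "region": "EU", "teamName": "TestSlack", "logType": "AccessLog"}',
    '{"logType": "UserAuditLog", "id": "bdcb13e3", "date_create": 1566215192, '
    '"action": "user_created", "actor": {"type": "user", "user": {"id": "e65b0f5c", '
    '"name": "roy"}}, "teamName": "TestSlack"}',
    '{"logType": "UserAuditLog", "id": "0f2c9c1e", "date_create": 1566215300, '
    '"action": "role_change_to_owner", "actor": {"type": "user", "user": '
    '{"id": "e65b0f5c", "name": "roy"}}, "entity": {"id": "USLACKUSER", '
    '"name": "himanshu"}, "teamName": "TestSlack"}',
    '{"channel_id": "CKN1D8010", "channel_name": "testchannel", "members": 2, '
    '"logType": "ChannelDetail", "teamName": "TestSlack"}',
    '{"type": "message", "text": "Test", "files": [{"name": "Test", "fileType": "epub", '
    '"fileSize": 1258}], "upload": true, "userName": "roy", '
    '"channelName": "app-for-slack", "teamName": "TestSlack", "logType": "ConversationLog"}',
    'not json at all',
]


def triage(record, allowed_countries=frozenset({"US"})):
    """Return (severity, reason) findings for one record, routed on logType.
    Uses .get throughout because optional fields (email, ip, entity) are
    empty or absent in the samples."""
    log_type = record.get("logType")
    findings = []
    if log_type == "UserLog":
        privileged = any(record.get(k) for k in ("is_admin", "is_owner", "is_primary_owner"))
        active_human = not record.get("is_bot") and not record.get("deleted")
        if privileged and not record.get("has_2fa"):
            findings.append(("high", f"privileged user {record.get('name')} without 2FA"))
        elif active_human and not record.get("has_2fa"):
            findings.append(("low", f"active user {record.get('name')} without 2FA"))
    elif log_type == "AccessLog":
        country = record.get("country")
        if country and country not in allowed_countries:
            findings.append(("medium", f"login by {record.get('username')} from {country}"))
    elif log_type == "UserAuditLog":
        action = record.get("action")
        if action in HIGH_RISK_AUDIT_ACTIONS:
            actor = record.get("actor", {}).get("user", {}).get("name", "unknown")
            findings.append(("high", f"audit action {action} by {actor}"))
    elif log_type == "ConversationLog":
        for f in record.get("files", []):
            findings.append(("info", f"file {f.get('name')} ({f.get('fileType')}) uploaded"))
    return findings


def triage_stream(lines):
    """Parse one JSON record per line; return (findings, malformed_count).
    Each finding is (logType, teamName, severity, reason) so that the team
    name, which the collector adds to every log, is never lost."""
    findings, malformed = [], 0
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        for severity, reason in triage(record):
            findings.append((record.get("logType"), record.get("teamName"), severity, reason))
    return findings, malformed


if __name__ == "__main__":
    results, bad = triage_stream(SAMPLE_LINES)
    for finding in results:
        print(finding)
    print("malformed lines:", bad)
```

The same rules translate directly into Sumo Logic searches over the ingested records (for example, json "is_admin", "has_2fa" on "logType":"UserLog" records); the point of the Python form is that the expected output is fixed and can be checked before the rule is trusted in a dashboard.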



Query example

The following sample query is from the Channel Summary panel of the Slack - Public Channels dashboard.

| join ("logType":"channelDetail"
| json "channel_name", "channel_id", "teamName", "members" as Channel, ChannelId, Workspace, Members
| withtime Members
| most_recent(Members_withtime) as Members by Channel, ChannelId, Workspace) as T1,("logType":"ConversationLog" | json "user", "userName", "type", "subtype", "ts", "text", "channelId", "channelName", "teamName" as ID, User, Type, SubType, Time, Text, ChannelId, Channel, Workspace nodrop
| count_distinct(Time) as Messages by ID, ChannelId, Workspace) as T2 on T1.ChannelId = T2.ChannelId and T1.Workspace=T2.Workspace
| T2_Workspace as Workspace | T2_ID as User| T1_Channel as Channel
| where Workspace matches {{Workspace}} and Channel matches {{Channel}}
| T1_Members as %"Team Members"
| fields Workspace, Channel, User, %"Team Members" ,T2_Messages
| where [subquery:"logType":"UserLog"
| json "id", "name", "deleted", "is_bot", "teamName" as User, Name, Deleted, Bot, Workspace nodrop
| where Bot matches "false" and !(Name matches "slackbot") and Deleted matches "false"
| withtime Name
| most_recent(Name_withtime) as Name by User, Workspace
| compose User, Workspace]
| sum(T2_Messages) as %"Total Messages", count_distinct(User) as %"Members Posted Messages" by Workspace, Channel, %"Team Members"
| fields Workspace, Channel, %"Team Members", %"Total Messages", %"Members Posted Messages"
| sort by %"Total Messages"
| limit 20