
Collect logs for Netskope

This page provides instructions for configuring log collection for the Sumo Logic App for Netskope.

To collect logs from the Netskope platform, if you are not using the Sumo Logic FedRamp deployment, use the new Cloud to Cloud Integration for Netskope to create the source and use the same source category while installing the app.

Collection Overview (DEPRECATED)

Sumo Logic provides a collector agent that pulls logs from Netskope with API calls. You can configure the list of events and alerts to be collected, but by default all events and alerts are collected.

The events and alerts are forwarded to the Sumo Logic HTTP endpoint in JSON format. Configuration is read from a YAML file stored in the home directory. By default, collection starts from the last 7 days, but this setting is configurable.

The Netskope App has the following components:

  • Application Usage: Insights into application usage, specifically by devices, users, and traffic patterns.
  • Security Alerts: Visibility into Netskope security alerts and violations and the ability to identify the effects of a breach.

Step 1: Adding a Hosted Collector and HTTP Source (DEPRECATED)

This section demonstrates how to add a hosted Sumo Logic collector and an HTTP Logs and Metrics source to collect events for Netskope.


Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and HTTP source, do the following:

  1. To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.
  2. Add an HTTP Logs and Metrics Source.
  3. In Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:
     • Specify Format as epoch
     • Specify Timestamp locator as "timestamp": (.*),
  4. Click Add.

Step 2: Getting a token from the Netskope Portal (DEPRECATED)

Netskope REST APIs use an auth token to make authorized calls to the API. This section demonstrates how to obtain a token from the Netskope user interface (UI).

To obtain a Netskope auth token, do the following:

  1. Log in to Netskope as the Tenant Admin.
  2. Go to the API section of the Netskope UI: Settings > Tools > Rest API.
  3. Copy the existing token to your clipboard, or generate a new token and copy that.

Configuring a Sumo Logic Netskope collector (DEPRECATED)

This section provides walkthrough instructions that demonstrate how to configure a Sumo Logic Netskope collector.

To create a Sumo Logic Netskope collector, do the following:

  1. Log in to a Linux machine.
  2. Install the collector using the following command:
     pip install sumologic-netskope-collector
  3. Download the netskope.yaml configuration file and place it in the home directory.
  4. Edit the netskope.yaml file in the following way:
    1. Replace <SUMO HTTP SOURCE ENDPOINT> with the Sumo Logic HTTPS Source endpoint you created in Step 1.
    2. Replace <Netskope API Token> with the Netskope API token you created in Step 2.
    3. Replace <Netskope Domain> with your Netskope domain name.

      Example of an edited netskope.yaml file:
      TOKEN: "ExampleTokenGxrtwdshciB7gHR7efDQbZPW"

  5. Create a cron job to run the collector every 5 minutes (use crontab -e) and add the following line:
     */5 * * * *  /usr/bin/python -m sumonetskopecollector.netskope > /dev/null 2>&1

Updating the Sumo Logic Netskope collector (DEPRECATED)

Sumo Logic periodically makes changes to the collector. To make sure your collector is up-to-date, perform the following tasks on each machine running the collector:

  • Check the latest version of the Netskope collector on this page:
  • Check the version of the collector you have installed by running the following command:
    pip show sumologic-netskope-collector
  • If you are not running the latest collector, do the following:
    1. Disable your cron job.
    2. Stop all existing collector processes.
    3. Run the following command to upgrade your collector:
       pip install sumologic-netskope-collector --upgrade
    4. Enable the cron job.

Advanced Configuration (DEPRECATED)

The following list explains the configuration file parameters and their usage.

  • List of events to fetch from Netskope:
    • page
    • application
    • audit
    • infrastructure
  • List of alerts to fetch from Netskope:
    • Malware
    • Malsite
    • Compromised Credential
    • Anomaly
    • DLP
    • Watchlist
    • Quarantine
    • Policy
  • Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today.
  • Number of events to fetch in a single API call.
  • Log format used by the Python logging module to write logs to a file.
  • Set to TRUE to write all logs and errors to a log file.
  • Enables printing logs to the console.
  • Path of the log file used when ENABLE_LOGFILE is set to TRUE.
  • Number of threads to spawn for API calls.
  • Number of retries to attempt in case of request failure.
  • A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.
  • Request timeout used by the requests library.
  • API token used to authenticate API calls.
  • HTTP source endpoint URL created in Sumo Logic.
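The backfill window and the retry/backoff settings above determine how much history the first run pulls and how the collector behaves when the Netskope API is slow or failing. The following is an added example in plain Python, not the collector's own code: it computes the epoch window for a given number of backfill days, the sleep schedule the quoted urllib3 formula produces for a backoff factor, and a small retry loop driven by that schedule. The argument names (days, max_retry, backoff_factor) are this example's own descriptive labels for the list entries, not keys from netskope.yaml, and the flaky fetch used in the usage note is constructed.

```python
"""Added example, not the Sumo Logic collector's code: backfill window and
retry/backoff behaviour as described in the configuration parameters.
Argument names are this example's own labels, not netskope.yaml keys."""
import time

SECONDS_PER_DAY = 86400


def backfill_window(days, now_epoch=None):
    """Epoch range the first collection run covers: 'days' days before now
    up to now. days=1 means yesterday to today, as the parameter describes."""
    if now_epoch is None:
        now_epoch = int(time.time())
    return now_epoch - days * SECONDS_PER_DAY, now_epoch


def backoff_schedule(backoff_factor, max_retry):
    """Seconds to sleep before retry 1..max_retry, using the urllib3 formula
    the parameter text quotes: no sleep after the first failure, then
    backoff_factor * 2**(n-1) after the n-th consecutive failure.
    backoff_factor=0.1, max_retry=3 gives [0.0, 0.2, 0.4]."""
    return [0.0 if n <= 1 else backoff_factor * 2 ** (n - 1)
            for n in range(1, max_retry + 1)]


def fetch_with_retry(fetch, max_retry, backoff_factor, sleep=time.sleep):
    """Call fetch() once plus up to max_retry retries, sleeping according to
    the schedule between attempts. Only request-level errors (OSError and
    its subclasses such as ConnectionError/TimeoutError) are retried;
    the last error is re-raised when every attempt fails."""
    delays = backoff_schedule(backoff_factor, max_retry)
    last_error = None
    for attempt in range(max_retry + 1):
        try:
            return fetch()
        except OSError as exc:
            last_error = exc
            if attempt < max_retry:
                sleep(delays[attempt])
    raise last_error


if __name__ == "__main__":
    # Constructed stand-in for an API call that fails twice, then succeeds.
    state = {"calls": 0}

    def flaky_fetch():
        state["calls"] += 1
        if state["calls"] < 3:
            raise ConnectionError("simulated transient failure")
        return {"data": [], "status": "success"}

    print(backfill_window(7, now_epoch=1547337600))
    print(backoff_schedule(0.1, 3))
    print(fetch_with_retry(flaky_fetch, 3, 0.1, sleep=lambda s: print(f"sleep {s}s")))
```

With max_retry=3 and backoff_factor=0.1 the loop makes at most four attempts, sleeping 0.0s, 0.2s and 0.4s between them; a larger factor or retry count lengthens the worst-case run of one cron invocation, which matters because a 5-minute schedule can start a second collector while the first is still retrying.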

Sample log message

{
           "dstip": "",
           "dst_location": "Mountain View",
           "app": "Google Gmail",
           "_insertion_epoch_timestamp": 1547391690,
           "site": "Google Gmail",
           "src_location": "Pomerol",
           "organization_unit": "",
           "object_type": "Mail",
           "id": 3764,
           "app_session_id": 4252577042,
           "category": "Webmail",
           "dst_region": "California",
           "userkey": "",
           "dst_country": "US",
           "src_zipcode": "33500",
           "ur_normalized": "",
           "type": "nspolicy",
           "object": "Welcome Novak Dimitrov",
           "srcip": "",
           "dst_latitude": 37.405991,
           "timestamp": 1547400222,
           "src_region": "Gironde",
           "dst_longitude": -122.078514,
           "alert": "no",
           "to_user": ",",
           "user": "",
           "from_user": "",
           "device": "Windows PC",
           "org": "",
           "src_country": "FR",
           "traffic_type": "CloudApp",
           "dst_zipcode": "N/A",
           "count": 2,
           "src_latitude": 44.9333,
           "url": "",
           "page_id": 2641483218,
           "sv": "unknown",
           "ccl": "excellent",
           "cci": 92,
           "activity": "Send",
           "userip": "",
           "src_longitude": -0.2,
           "_id": "5df996d5b66a9ea963e812ce",
           "os": "Windows 8",
           "browser": "Internet Explorer",
           "appcategory": "Webmail"
}

Query sample 

The following query sample is from the Total Sessions panel of the Application Overview Dashboard.

_sourceCategory="netskope_events" "no" "nspolicy"
| json "_id", "alert", "type", "srcip", "dstip", "appcategory", "app", "os", "user", "device", 
"acked", "site", "timestamp", "ccl", "activity", "browser", "object", "object_type", "from_user", 
"to_user", "app_session_id" as alert_id, is_alert, type, src_ip, dest_ip, appcategory, app, os, 
user, device, acked, site, timestamp, ccl, activity, browser, object, object_type, from_user, 
to_user, app_session_id  nodrop
| where is_alert="no" and type="nspolicy"
| count by app_session_id
| count
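To show what the Total Sessions query computes over records of the shape in the sample log message, and how the Step 1 timestamp locator behaves on such records, here is an added example in Python; it is not Sumo Logic's or Netskope's code. It reproduces the query's filter (alert "no", type "nspolicy") and its final distinct count of app_session_id, and applies the page's locator regex `"timestamp": (.*),` with Python's re module. The event records are constructed: the first mirrors the page's sample (trimmed to the fields the query uses, in the same field order), the rest are invented to exercise each filter. STRICT_LOCATOR is an assumed tighter variant, not something the page prescribes.

```python
"""Added example, not Sumo Logic's or Netskope's code: reproduce the
Total Sessions query over Netskope event records and apply the Step 1
timestamp locator. All event records below are constructed test data."""
import json
import re

# Locator exactly as configured in Step 1 (first capture group = epoch).
TIMESTAMP_LOCATOR = re.compile(r'"timestamp": (.*),')
# Assumed tighter variant (this example's own): captures digits only.
STRICT_LOCATOR = re.compile(r'"timestamp": (\d+),')

# Constructed events. The first mirrors the page's sample in field order;
# the others vary alert, type and app_session_id to exercise the filters.
RAW_EVENTS = [
    """{
           "app": "Google Gmail",
           "app_session_id": 4252577042,
           "type": "nspolicy",
           "timestamp": 1547400222,
           "src_region": "Gironde",
           "alert": "no",
           "device": "Windows PC",
           "activity": "Send",
           "_id": "5df996d5b66a9ea963e812ce"
       }""",
    # Second activity in the same session: counted once by the query.
    '{"app": "Google Gmail", "app_session_id": 4252577042, "type": "nspolicy", '
    '"timestamp": 1547400300, "alert": "no", "activity": "Login", "_id": "c0"}',
    # alert="yes": excluded by the where clause.
    '{"app": "Google Gmail", "app_session_id": 4252577999, "type": "nspolicy", '
    '"timestamp": 1547400400, "alert": "yes", "activity": "Send", "_id": "c1"}',
    # type other than nspolicy: excluded by the where clause.
    '{"app": "Box", "app_session_id": 4252578000, "type": "anomaly", '
    '"timestamp": 1547400500, "alert": "no", "activity": "Upload", "_id": "c2"}',
    # A second distinct nspolicy session: counted.
    '{"app": "Box", "app_session_id": 4252578001, "type": "nspolicy", '
    '"timestamp": 1547400600, "alert": "no", "activity": "Download", "_id": "c3"}',
]


def locate_timestamp(raw, locator=TIMESTAMP_LOCATOR):
    """Apply a timestamp-locator regex the way Step 1 configures it: the
    first capture group must be an epoch integer. Returns None when the
    capture is not a clean integer (for instance when a greedy match has
    swallowed neighbouring fields), which is the case Sumo Logic would fail
    to parse and fall back on for the message time."""
    match = locator.search(raw)
    if not match:
        return None
    try:
        return int(match.group(1).strip())
    except ValueError:
        return None


def single_line(raw):
    """Re-serialise a record on one line, preserving field order."""
    return json.dumps(json.loads(raw))


def total_sessions(raw_events):
    """The Total Sessions query in Python:
    where is_alert="no" and type="nspolicy" | count by app_session_id | count
    i.e. the number of distinct app_session_id values among matching records."""
    sessions = set()
    for raw in raw_events:
        event = json.loads(raw)
        if event.get("alert") == "no" and event.get("type") == "nspolicy":
            sessions.add(event.get("app_session_id"))
    return len(sessions)


if __name__ == "__main__":
    print("total sessions:", total_sessions(RAW_EVENTS))
    print("multi-line, page locator:", locate_timestamp(RAW_EVENTS[0]))
    print("one-line, page locator:", locate_timestamp(single_line(RAW_EVENTS[0])))
    print("one-line, strict locator:", locate_timestamp(single_line(RAW_EVENTS[0]), STRICT_LOCATOR))
```

On the pretty-printed record the page's locator captures just the epoch, because `.` does not cross a line break. On the same record serialised on one line, `(.*)` is greedy and runs to the last comma on the line, so the capture is not an integer; the digits-only variant captures correctly in both shapes. Whichever shape the collector actually posts, verify the timestamp on a few ingested messages in Sumo Logic, since a wrong message time shifts alerts out of the window that searches and dashboards query.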