Skip to main content
Sumo Logic

Collect Observable Network Logs

The Sumo Logic App for Observable Networks allows you to monitor your Observable Networks deployment from Sumo Logic. The apps’ Overview dashboard provides insight into high-level data about your network.

From Sumo Logic, you may also set up forwarding for log monitoring and authentication logs to Observable Networks. With log monitoring, Observable Networks can notify you when it detects that a collector is missing, exposing gaps in your log coverage. Authentication log forwarding allows for more accurate and detailed alerts, using Sumo Logic log data to provide extra richness to Observable's Dynamic Endpoint Modeling algorithms.

Observable Networks is a provider of network security technology and advanced threat detection services that identify compromised and misused networked devices. Observable's Dynamic Endpoint Modeling technology includes a cloud-based service platform incorporating automated security analytics and real-time traffic sensors to continuously model all devices on a network. Endpoint modeling is based on network traffic flow metadata and is indifferent to encryption. Observable makes it easy to readily understand normal and abnormal device behaviors, helping to identify compromised devices and facilitate faster remediation.

For more information, please visit

Log Types

The Sumo Logic App for Observable Networks assumes Observable Networks formatted logs, which provide one JSON message per request.


From your Observable Networks portal, click Settings (gear icon) > Integrations > Sumo Logic > Settings and enter the Access ID, Access Key, and Source URL on the Sumo Logic Settings page. Before you begin, your Observable Networks portal must be properly configured. Contact if you have any questions.

Configure a Collector

Configure a Hosted Collector. Name the collector "observable" (case-sensitive).

Create an access key

  1. In Sumo Logic, go to Manage Data > Collection > Collection.
  2. Click Access Keys.
  3. Add a new access key called Observable Networks, then save the new Access ID and Access Key values.

Configure a Source

Configure an HTTP Source. Name the new source "observable" (case-sensitive). Deselect the check box Enable Timestamp Parsing.

When the URL associated with the Source is displayed, copy the URL so you can use it to send files.

Configure the Observable Portal

  1. From your Observable Networks portal, click Settings (gear icon) > Integrations > Sumo Logic > Settings.
  2. On the Sumo Logic Settings page, enter the Access ID, Access Key, and Source URL from the previous sections.
  3. Check Enabled, then click Save.

Your Observable Networks deployment will now publish alert and endpoint information to Sumo Logic.

Configure Log Monitoring (optional)

If you have Sumo Logic API access, you can integrate Observable Networks and Sumo Logic even further. You can configure Observable Networks to identify devices on your network that do not have Collectors installed. Additionally, Observable Networks can parse authentication log ("auth.log") data from certain Linux distributions (e.g., Ubuntu) to monitor user access.

Identify Missing Collectors

You can configure the Observable Networks portal to expect certain roles in the network to have corresponding log files. For example, you might expect a Terminal Server to capture an auth.log. When you configure this expectation, Observable will alert when a role is missing an expected log file, notifying you that there is a gap in your log coverage.

To configure an expectation in Observable Networks

  1. From your Observable Networks portal, click Settings (gear icon) > Integrations > Sumo Logic > Logs.
  2. Enter the name for the expected log, such as Auth Log.
  3. Enter the Log Query Prefix, which is the search prefix given to Sumo Logic to filter for this log. For example, _source=auth.log.
  4. Select the roles that are expected to have this log. For example, Terminal Server.
  5. Click Save.

You can also add a log without associating any roles. In this case, simply leave all roles deselected in Step 4.

Parse Authentication Logs

If you are collecting auth.log data in Sumo Logic from a compatible Linux distribution, you can configure Observable Networks to parse this data and monitor session activity.

Before you begin, make sure that you are collecting from an auth.log source, and make sure that it is configured on the Sumo Logic Logs page.

To parse authentication logs

  1. From your Observable Networks portal, click Settings (gear icon) > Integrations > Sumo Logic > Settings.
  2. From the Auth.log drop-down, select the log configuration that represents the auth.log source.
  3. Click Save.

Sample Log Messages

   "id": 350698,
   "source_info": {
      "ips": [
      "hostnames": [
      "namespace": "awsv2:078653657564:us-east-1:vpc-c837e7ac",
      "name": "i-0da95a1534cafcae8",
      "created": "2017-01-21T14:43:53.267268+00:00"
   "timestamp": "2017-02-05T08:00:00Z",
   "role": "AWS EC2 Instance",
   "source": 97385,
   "obsrvbl_type": "role"
   "id": 349848,
   "source_info": {
      "ips": [
      "hostnames": [
      "namespace": "awsv2:078653657564:us-east-1",
      "name": "yodlee-staging",
      "created": "2016-09-06T22:23:22.937360+00:00"
   "timestamp": "2017-02-05T08:00:00Z",
   "role": "AWS EC2 Instance",
   "source": 236,
   "obsrvbl_type": "role"

Query Samples

Recent Flow Counts

_sourceCategory=observable | json field=_raw "obsrvbl_type", "effective_session_count" as type, session_count
| where type="session_count"
| timeslice 10m
| sum(session_count) group by _timeslice
| order by _timeslice

Top Observation Host

| json field=_raw "obsrvbl_type", "" as type, name
| where type = "observation"
| count by name
| order by _count desc