
Collect logs for the Twistlock App

This page provides instructions for configuring log collection for the Sumo Logic App for Twistlock. After completing the following tasks, you will have successfully configured log collection for Twistlock:

  • Configure a Sumo Logic syslog source
  • Send Twistlock logs to Sumo Logic

Step 1. Configure a Sumo Logic syslog source

In this step you configure an Installed Collector with a Syslog Source that acts as a syslog server, receiving logs and events from Twistlock.

  1. Configure an Installed Collector for each Twistlock Console instance.

  2. Add a Syslog Source to the Installed Collector, and specify the following:

    1. Name. (Required) A name is required.
    2. Description. Optional.
    3. Protocol. UDP or TCP. Choose the protocol you configured in Twistlock Console for Syslog forwarding. TCP is the safer choice: UDP drops messages silently when the collector is busy or unreachable, and scan findings you never received are findings you never alert on. Neither protocol encrypts the messages, so keep the path between the Console and the collector on a trusted network.
    4. Port. Port number. Choose the port you configured in Twistlock Console for Syslog forwarding.
    5. Source Category. (Required) Provide a Source Category for this data type.
       For example: prod/twistlock. For more information, see Best Practices.
    6. For Kubernetes customers, we recommend adding a custom field to the Syslog Source so you can reference it in the Sumo Explorer view. Each field contains a key-value pair, where the field name is the key. To add a field, click the +Add Field link in the Fields section. You could add a field named cluster and set it to the name of the cluster you want tagged on the logs. For example, cluster = k8s.dev.sumo.sumologic.net.

  3. Click Save.

Step 2: Send Twistlock logs to Sumo Logic

This step shows you how to configure Twistlock to send logs to the Sumo Logic syslog source.

  1. Log in to the Twistlock Console.

  2. Go to Manage > System > Logging.

  3. Enable Syslog.

  4. Enable both options under verbose syslog output.

  5. In the Send syslog messages over the network to field, enter the endpoint of the Sumo Logic Syslog Source you configured in Step 1.

  • Format to specify the endpoint:  <protocol>://<server>:<port>
  • Example:  tcp://192.168.125.200:514

[Screenshot: Twistlock System dialog, logging options]
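Before switching Twistlock over to the new endpoint, it is worth confirming that the Syslog Source from Step 1 actually accepts and ingests a message. The following script is an added example, not Sumo Logic or Twistlock code: it parses an endpoint in the <protocol>://<server>:<port> form shown above, builds one line in the same shape as the Twistlock samples on this page (facility local1, severity info, which is the <142> PRI in the samples), and sends it over TCP or UDP. The endpoint tcp://192.168.125.200:514 is the example from this page, and the host name twistlock-console-test and the field values are constructed for illustration.

```python
"""Send a test syslog line to the endpoint Twistlock will use, so the Sumo Logic Syslog
Source from Step 1 can be checked before Twistlock itself is pointed at it.

Added example, not Sumo Logic or Twistlock code. It assumes only the endpoint format
<protocol>://<server>:<port> and the line shape of the samples on this page
(<PRI>timestamp host app[pid]: key="value" ...). Host name and field values are constructed.
"""
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, Tuple
from urllib.parse import urlsplit


def parse_endpoint(endpoint: str) -> Tuple[str, str, int]:
    """Split 'tcp://192.168.125.200:514' into (protocol, host, port).

    Only tcp and udp are accepted, the two Protocol choices on the Sumo Syslog Source.
    """
    parts = urlsplit(endpoint)
    proto = parts.scheme.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported syslog protocol: {proto!r}")
    if not parts.hostname or parts.port is None:
        raise ValueError(f"expected <protocol>://<server>:<port>, got {endpoint!r}")
    return proto, parts.hostname, parts.port


def build_message(hostname: str, app: str, pid: int, fields: Dict[str, str],
                  facility: int = 17, severity: int = 6) -> bytes:
    """Format a line the way Twistlock does: <PRI>timestamp host app[pid]: key="value" ...

    PRI is facility * 8 + severity; local1 (17) and info (6) give the <142> seen in the samples.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = " ".join(f'{k}="{v}"' for k, v in fields.items())
    return f"<{facility * 8 + severity}>{stamp} {hostname} {app}[{pid}]: {body}\n".encode()


def send_test_message(endpoint: str, message: bytes, timeout: float = 5.0) -> int:
    """Deliver one message over TCP or UDP; returns the number of bytes handed to the socket."""
    proto, host, port = parse_endpoint(endpoint)
    if proto == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(message)
            return len(message)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        return sock.sendto(message, (host, port))


def loopback_check(message: bytes) -> bytes:
    """Run the sender against a throwaway local TCP listener and return what it received.

    Confirms the message shape offline before the real collector is involved.
    """
    received = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5.0)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one() -> None:
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:                 # read until the sender closes the connection
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
        received.append(b"".join(chunks))

    worker = threading.Thread(target=accept_one)
    worker.start()
    try:
        send_test_message(f"tcp://127.0.0.1:{port}", message)
        worker.join(timeout=5.0)
    finally:
        srv.close()
    return received[0] if received else b""


if __name__ == "__main__":
    msg = build_message("twistlock-console-test", "Twistlock-Console", 1,
                        {"type": "test", "log_type": "connectivity",
                         "description": "Sumo Logic syslog source check"})
    assert loopback_check(msg) == msg   # the sender itself works locally
    # Endpoint from the example above; replace it with your own Syslog Source address.
    print(send_test_message("tcp://192.168.125.200:514", msg), "bytes sent")
```

After running it against the real endpoint, search the Source Category you assigned in Step 1 for type="test"; if nothing arrives within a few minutes, check the collector's port and any firewall between the Console host and the collector before enabling syslog in Twistlock.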

Sample Log Message

Console log sample

<142>2019-07-24T14:37:50Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:37:50.767565936Z" type="host_scan" log_type="vulnerability" vulnerability_id="46" description="Image contains vulnerable OS packages" cve="ALAS-2019-1222" severity="critical" package="kernel" package_version="4.14.104-95.84.amz-111.109.amzn2" rule="Default - alert all components" host="ip-192-168-20-21.us-west-1.compute.internal"

<142>2019-07-24T14:37:50Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:37:50.767806646Z" type="scan_summary" log_type="host" hostname="ip-192-168-20-21.us-west-1.compute.internal" vulnerabilities="29" compliance="19"

Defender log sample

<142>2019-07-25T08:24:42Z ip-192-168-85-85.us-west-1.compute.internal Twistlock-Defender[18070]: time="2019-07-25T08:24:42.947472447Z" type="process" pid="32593" path="/usr/bin/pgrep" interactive="false" container_id="12345bd5416a975674fd507666b085e8724176453645b8b337529738dd012345"

Container scan of a Defender pod (note that this line is emitted by Twistlock-Console, not by the Defender)

<142>2019-07-24T14:38:13Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:38:13.772137479Z" type="container_scan" log_type="container" container_id="123450cc8254018dde3fe860c017802b691495ae430797bd3c24d4b4e7b12345" container_name="k8s_twistlock-defender-19-03-345_twistlock-defender-ds-9z824_twistlock_18fd4d74-77e8-11e9-b56a-06003de922ca_0" image_name="registry-auth.twistlock.com/tw_blm0yiaqqwvgimnirx1x0iczg9xoslag/twistlock/defender:defender_19_03_345" compliance="0"

Query sample

The following query sample is from the Vulnerability Scan Events by Severity panel in the Twistlock - Overview dashboard.

_sourceCategory=*Twistlock* type log_type *scan* vulnerability severity
| parse regex "\s+(?<component>Twistlock-Console|Twistlock-Defender?)\s*.*\s*time=\"" nodrop
| parse "type=\"*\"" as type nodrop
| parse "log_type=\"*\"" as log_type nodrop
| parse "severity=\"*\"" as severity nodrop
| parse "description=\"*\"" as description nodrop
| parse "rule=\"*\"" as rule nodrop
| parse "host=\"*\"" as host nodrop
| parse "image_id=\"*\"" as image_id nodrop
| parse "image_name=\"*\"" as image_name nodrop
| parse "container_id=\"*\"" as container_id nodrop
| parse "container_name=\"*\"" as container_name nodrop
| parse "cve=\"*\"" as cve nodrop
| parse "vendor_status=\"*\"" as vendor_status nodrop
| parse "vulnerability_id=\"*\"" as vulnerability_id nodrop
| where type matches "*scan*" and log_type="vulnerability"
| timeslice 1d
| count by _timeslice, severity
| transpose row _timeslice column severity
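The following Python script is an added example, not Sumo Logic's or Twistlock's code. It parses Twistlock syslog lines in the shape of the samples above (a standard syslog header, then key="value" pairs) and reproduces what the panel query does: keep only events whose type contains "scan" and whose log_type is "vulnerability", then count them per day and severity. The input is constructed: the page's own sample lines joined onto single lines, plus two extra vulnerability lines (severity high and medium, with placeholder cve values EXAMPLE-0001 and EXAMPLE-0002, an example.invalid image name) and one malformed line to show that unparseable input is skipped rather than counted. Header fields are stored under syslog_ prefixed keys so that body keys such as host, pid and severity do not overwrite them, a collision the page's samples actually contain.

```python
"""Parse Twistlock syslog lines and count vulnerability scan events per day and severity,
mirroring the Sumo query for the Vulnerability Scan Events by Severity panel.

Added example, not Sumo Logic or Twistlock code. Field layout follows the samples on this
page: <PRI>timestamp host app[pid]: time="..." key="value" ...
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Syslog header as Twistlock writes it, then the key="value" body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) '
    r'(?P<component>Twistlock-Console|Twistlock-Defender)\[(?P<pid>\d+)\]: (?P<body>.*)$'
)
# One key="value" pair; values may contain spaces but not double quotes,
# the same assumption the Sumo `parse "key=\"*\""` operators make.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed input: the page's samples on single lines, plus extra constructed lines.
SAMPLE_LINES = [
    '<142>2019-07-24T14:37:50Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:37:50.767565936Z" type="host_scan" log_type="vulnerability" vulnerability_id="46" description="Image contains vulnerable OS packages" cve="ALAS-2019-1222" severity="critical" package="kernel" package_version="4.14.104-95.84.amz-111.109.amzn2" rule="Default - alert all components" host="ip-192-168-20-21.us-west-1.compute.internal"',
    '<142>2019-07-24T14:37:50Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:37:50.767806646Z" type="scan_summary" log_type="host" hostname="ip-192-168-20-21.us-west-1.compute.internal" vulnerabilities="29" compliance="19"',
    '<142>2019-07-25T08:24:42Z ip-192-168-85-85.us-west-1.compute.internal Twistlock-Defender[18070]: time="2019-07-25T08:24:42.947472447Z" type="process" pid="32593" path="/usr/bin/pgrep" interactive="false" container_id="12345bd5416a975674fd507666b085e8724176453645b8b337529738dd012345"',
    # Constructed for this example (not from the page): a high-severity image scan finding.
    '<142>2019-07-24T14:39:01Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:39:01.000000000Z" type="image_scan" log_type="vulnerability" vulnerability_id="47" description="Image contains vulnerable OS packages" cve="EXAMPLE-0001" severity="high" package="openssl" rule="Default - alert all components" image_name="example.invalid/app:1.0"',
    # Constructed: a medium finding on the next day, to show the per-day bucketing.
    '<142>2019-07-25T09:00:00Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-25T09:00:00.000000000Z" type="host_scan" log_type="vulnerability" vulnerability_id="48" description="Host has vulnerable packages" cve="EXAMPLE-0002" severity="medium" package="curl" rule="Default - alert all components" host="ip-192-168-20-21.us-west-1.compute.internal"',
    # Constructed: a line that is not a Twistlock message and must be skipped, not counted.
    "Jul 25 09:00:01 somehost sshd[999]: Accepted publickey for deploy",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a flat dict of header + body fields, or None if the line is not Twistlock syslog."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    rec = {
        "syslog_facility": str(pri // 8),   # 142 -> 17 (local1)
        "syslog_severity": str(pri % 8),    # 142 -> 6 (info)
        "syslog_ts": m["ts"],
        "syslog_host": m["host"],
        "component": m["component"],
        "syslog_pid": m["pid"],
    }
    for key, value in KV_RE.findall(m["body"]):
        rec[key] = value                    # body keys (host, pid, severity) stay separate
    return rec


def is_vuln_scan_event(rec: Dict[str, str]) -> bool:
    """Same filter as the query: type matches "*scan*" and log_type="vulnerability"."""
    return "scan" in rec.get("type", "") and rec.get("log_type") == "vulnerability"


def count_by_day_and_severity(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Equivalent of `timeslice 1d | count by _timeslice, severity` over the given lines."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_vuln_scan_event(rec):
            continue
        day = rec["syslog_ts"][:10]         # YYYY-MM-DD from the syslog timestamp
        buckets[day][rec.get("severity", "unknown")] += 1
    return {day: dict(counts) for day, counts in buckets.items()}


if __name__ == "__main__":
    for day, counts in sorted(count_by_day_and_severity(SAMPLE_LINES).items()):
        print(day, counts)
```

The scan_summary line is dropped by the log_type filter even though its type contains "scan", and the Defender process event never reaches the counter, which is exactly the behaviour the query's where clause enforces; if a panel looks empty, checking a few raw lines against this filter is a quick way to tell a collection problem from a query problem.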