
Send Data from Sumo Logic to CSE

This page has instructions for configuring Sumo Logic and CSE to enable Sumo Logic to send log messages to CSE,  and CSE to select a mapper to process the messages it receives from Sumo Logic. If this is the first time you are configuring this integration, read the Process overview below to understand what you need to do and why.

Process overview

This section is a short overview of the configuration procedure provided below.

  • Request backend configuration. The first thing you need to do is ask Sumo Logic to enable the integration. Once that is done, you can perform the configuration described in later sections of this topic. This enablement is a one-time process. If you’re already sending Sumo Logic log messages to CSE, the integration is already enabled. Instructions are provided in Step 1: Request backend configuration.
     
  • Configure your Sumo Logic source to send messages to CSE. This is a simple process: you simply click a checkbox on the source configuration page in Sumo Logic. You perform this process for every Sumo Logic source that you want to forward messages to CSE. 

    If all of the sources on a particular collector collect messages that have identical formats, and you want to forward messages from all of those sources to CSE, you can configure this behavior at the collector level.

    Instructions are provided in Step 2: Configure Sumo Logic collector or source to send logs to CSE.
     
  • Configure an ingest mapping in CSE. This is the interesting bit. In a nutshell, you use an ingest mapping to give CSE the information it needs to select a mapper to process the messages that your source will send to CSE. 

    CSE mappers are the components that map parsed message fields to schema attributes.

    CSE needs to know four things about a message in order to select the right mapper: the message format, the product vendor, the product name, and the event ID format.

    CSE Sensors provide this information when they send messages to CSE. For messages that you send from the Sumo Logic platform, you need to configure some or all of that information, depending on the message format. You configure that information on the Sumo Logic Ingest Mapping page in the CSE UI.

    Instructions are provided in Step 3: Configure Sumo Logic Mapping in CSE.

Before you start

When you get to Step 3, when you set up the Sumo Logic ingest mapping for your messages, you need to be prepared with the information described below.

How are your log messages formatted?

You need to know how your messages are formatted. CSE supports messages in the following formats:

  • Unstructured messages with a syslog header
  • Unstructured messages without a syslog header
  • JSON messages without a syslog header
  • JSON messages with a syslog header
  • CEF or LEEF messages with a syslog header
  • CEF or LEEF messages without a syslog header
  • Structured syslog data (key-value pairs) with a syslog header
  • Microsoft Windows event logs in XML format
  • Winlogbeats
  • Messages that have been processed by Sumo Logic Field Extraction Rules.

Determining Product, Vendor, and Event ID pattern

When you fill out the Sumo Logic Ingest Mapping page, for most of the supported message formats, all you need to do is select a value for Format. However, for the following formats, you also need to tell CSE the Product, Vendor, and Event ID pattern for the messages:

  • JSON messages without a syslog header
  • JSON messages with a syslog header
  • Structured syslog data (key-value pairs) with a syslog header
  • Messages that have been processed by Sumo Logic Field Extraction Rules.

For these formats, CSE uses the values you configure for Product, Vendor, and Event ID pattern (in addition to Format) to select the appropriate CSE mapper to process the messages. To verify the correct values, you can go to the Log Mapping Details page for the mapper in the CSE UI. To do so:

  1. In the CSE UI, click the gear icon, then the Log Mappings link. 
    log-mappings-link.png
  2. The Log Mappings page displays a list of mappers.
    log-mappings-page.png
  3. In the Filters area, you can filter the list of log mappings by typing in a keyword, or by selecting a field to filter by.
    log-mapping-filters.png
  4. When you find the mapper you’re looking for, the Product, Vendor, and Event ID pattern for that mapper are shown on the If Input Matches side of the Input/Output area of the page.
    • Format. This is the value labeled c in the screenshot below.
    • Product. This is the value labeled b in the screenshot below.
    • Vendor. This is the value labeled a in the screenshot below.
    • Event ID pattern. This is the value labeled d in the screenshot below.
      log-mapping-details.png

Quick reference to configuring ingest mappings

The table in this section is a quick reference to supplying values for each supported message format on the Create Sumo Logic Mapping page in CSE. It summarizes the step-by-step instructions provided below in Step 3.

Each entry below gives the message type, the option to select for Format, whether Vendor, Product, and Event ID pattern are required, and how CSE picks a mapper.

  • Unstructured log lines with a syslog header
    Format: Process Syslog with Valid Header
    Vendor, Product, and Event ID pattern required: No
    How CSE picks a mapper: CSE will send the messages to the mapper whose name is the same as the name of the grok pattern the message matches.

  • Unstructured log lines without a syslog header
    Format: Do not Process Syslog Header
    Vendor, Product, and Event ID pattern required: No
    How CSE picks a mapper: CSE will send the messages to the mapper whose name is the same as the name of the grok pattern the message matches.

  • JSON without a syslog header
    Format: JSON
    Vendor, Product, and Event ID pattern required: Yes
    How CSE picks a mapper: CSE will send the messages to the log mapper with the Format, Vendor, Product, and Event ID pattern you enter in the Sumo Ingest Mapping.

  • JSON with a syslog header
    Format: Process Syslog with Valid Header. You’ll be prompted to select whether messages are JSON or key-value pairs. Choose “JSON”.
    Vendor, Product, and Event ID pattern required: Yes
    How CSE picks a mapper: CSE will send the messages to the log mapper with the Format, Vendor, Product, and Event ID pattern you enter in the Sumo Ingest Mapping.

  • CEF / LEEF with a syslog header
    Format: Process Syslog with Valid Header
    Vendor, Product, and Event ID pattern required: No
    How CSE picks a mapper: CSE will send the messages to the log mapper with the Format, Vendor, Product, and Event ID from the CEF/LEEF message.

  • CEF / LEEF without a syslog header
    Format: Do not Process Syslog Header
    Vendor, Product, and Event ID pattern required: No
    How CSE picks a mapper: CSE will send the messages to the log mapper with the Format, Vendor, Product, and Event ID from the CEF/LEEF message.

  • Structured syslog data (KV pairs) with a syslog header
    Format: Process Syslog with Valid Header. You’ll be prompted to select whether messages are JSON or key-value pairs. Choose “Key-Value”. Then supply delimiters.
    Vendor, Product, and Event ID pattern required: Yes
    How CSE picks a mapper: CSE will send the messages to the log mapper with the Format, Vendor, Product, and Event ID pattern you enter in the Sumo Ingest Mapping.

  • Microsoft Windows event logs in XML
    Format: Windows
    Vendor, Product, and Event ID pattern required: No
    How CSE picks a mapper: CSE will send a message to the log mapper whose Format is “Windows”, Vendor is “Microsoft”, Product is “Windows”, and Event ID pattern is the value of {channel}-{eventid} from the Windows event, for example, “Security-1234”.

  • Winlogbeats
    Format: Winlogbeats
    Vendor, Product, and Event ID pattern required: No
    How CSE picks a mapper: CSE will send a message to the log mapper whose Format is “Windows”, Vendor is “Microsoft”, Product is “Windows”, and Event ID pattern is the value of {channel}-{eventid} from the Windows event, for example, “Security-1234”.

  • Fields extracted from Sumo Logic-ingested messages
    Format: Extracted Fields JSON
    Vendor, Product, and Event ID pattern required: Yes
    How CSE picks a mapper: CSE will send the messages to the log mapper with the Format, Vendor, Product, and Event ID pattern you enter in the Sumo Ingest Mapping.
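The selection rules in the quick reference, as an added Python illustration that is not CSE’s code and does not describe its internals: for each ingest-mapping Format it derives the four values CSE needs (Format, Vendor, Product, Event ID pattern) either from the message itself (the CEF header fields; the Channel and EventID of a Windows XML event) or from the values entered in the ingest mapping (JSON, Key-Value syslog, Extracted Fields JSON). The “CEF” Format label, the sample messages, and the mapping dictionary layout are assumptions made for this example; grok-based selection for unstructured messages and the Winlogbeat JSON layout are not modelled.

```python
"""Added illustration (not CSE code) of the mapper-selection rules in the
quick-reference table. Sample messages and the mapping dict layout are
constructed for this example."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MapperKey:
    """The four values CSE is described as using to pick a mapper."""
    format: str
    vendor: str
    product: str
    event_id: str


def cef_key(line: str) -> MapperKey:
    """CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
    Signature ID|Name|Severity|Extension. Vendor, Product and Event ID come from
    the message itself, as the table states for CEF/LEEF. Any syslog header
    before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    # Header fields are pipe-separated; a literal pipe inside a field is escaped as \|
    fields = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(fields) < 7:
        raise ValueError("truncated CEF header")

    def unescape(s: str) -> str:
        return s.replace("\\|", "|").replace("\\\\", "\\")

    # "CEF" as the mapper Format label is an assumption for this illustration
    return MapperKey("CEF", unescape(fields[1]), unescape(fields[2]), unescape(fields[4]))


def _first_text(root: ET.Element, tag: str) -> Optional[str]:
    """First element named `tag`, with or without the Windows event XML namespace."""
    for elem in root.iter():
        if elem.tag == tag or elem.tag.endswith("}" + tag):
            return (elem.text or "").strip()
    return None


def windows_key(xml_text: str) -> MapperKey:
    """Windows event in XML: Format "Windows", Vendor "Microsoft", Product "Windows",
    Event ID pattern {channel}-{eventid}, all taken from the event."""
    root = ET.fromstring(xml_text)
    channel = _first_text(root, "Channel")
    event_id = _first_text(root, "EventID")
    if not channel or not event_id:
        raise ValueError("event XML lacks System/Channel or System/EventID")
    return MapperKey("Windows", "Microsoft", "Windows", f"{channel}-{event_id}")


def configured_key(mapping: dict) -> MapperKey:
    """JSON, Key-Value syslog and Extracted Fields JSON: the values are the ones
    entered in the ingest mapping, not read from the message."""
    missing = [f for f in ("format", "vendor", "product", "event_id") if not mapping.get(f)]
    if missing:
        raise ValueError(f"ingest mapping is missing required values: {missing}")
    return MapperKey(mapping["format"], mapping["vendor"], mapping["product"], mapping["event_id"])


def select_mapper_key(mapping: dict, message: str) -> Optional[MapperKey]:
    """Dispatch on the Format chosen in the ingest mapping. Returns None for
    unstructured messages, where the matching grok pattern's name picks the mapper."""
    fmt = mapping["format"]
    if fmt in ("JSON", "Extracted Fields JSON"):
        return configured_key(mapping)
    if fmt == "Windows":
        return windows_key(message)
    if fmt == "Winlogbeats":
        raise NotImplementedError("same key rule as Windows, but Winlogbeat JSON is not modelled here")
    if fmt in ("Process Syslog with Valid Header", "Do not Process Syslog Header"):
        if mapping.get("syslog_format") in ("JSON", "Key-Value"):
            return configured_key(mapping)
        if "CEF:" in message:
            return cef_key(message)
        return None  # unstructured: grok pattern name decides
    raise ValueError(f"unknown ingest mapping Format: {fmt!r}")


# Constructed sample messages (not from the page)
SAMPLE_CEF = ("<134>Jan  1 12:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|"
              "Connection denied|5|src=10.0.0.5 dst=10.0.0.9")
SAMPLE_WINDOWS_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData><Data Name="TargetUserName">alice</Data></EventData>
</Event>"""

if __name__ == "__main__":
    print(select_mapper_key({"format": "Process Syslog with Valid Header"}, SAMPLE_CEF))
    print(select_mapper_key({"format": "Windows"}, SAMPLE_WINDOWS_XML))
    print(select_mapper_key({"format": "JSON", "vendor": "ExampleVendor",
                             "product": "ExampleApp", "event_id": "login"}, "{}"))
```

Run it and the three printed keys show which source each Format draws on; a JSON mapping with a missing Vendor, Product or Event ID raises before any lookup, which is the condition Step 3 is meant to prevent.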

Step 1: Request backend configuration

To enable Sumo Logic to forward logs to CSE, some backend configuration is required.  

If you have Premium Support or are currently in a Proof of Value project, contact your Technical Account Manager (TAM) or SE.

Otherwise, submit a ticket on the Sumo Logic Support site. In your support request, select “Cloud SIEM Enterprise” as the subject. Provide your Sumo Logic Org ID and your CSE URL in the body of the request.

Step 2: Configure Sumo Logic collector or source to send logs to CSE

Once Sumo Logic has completed the backend configuration, you can start forwarding logs to CSE. You can configure an individual HTTP source to send the logs it collects to CSE. Alternatively, you can configure log forwarding for a Hosted Collector—in this case, all HTTP sources on the collector will send logs to CSE. 

Configure an HTTP source to send logs to CSE

You can configure an existing HTTP Source to send logs to CSE, or create a new source. For general instructions on creating an HTTP Source, see HTTP Logs and Metrics Source. When you create or update the source:

  • Source Category is required. Make a note of the Source Category assigned to the source. You’ll need it when you perform the CSE side of the configuration.
  • Click the SIEM Processing checkbox. This setting tells Sumo Logic to forward the logs the source collects to CSE.
    siem-processing.-option.png

Configure a Hosted Collector to send logs to CSE

You can configure an existing Hosted Collector to send logs to CSE, or create a new one. For general instructions on creating a Hosted Collector, see Configure a Hosted Collector. When you create or update the collector:

  • Category is required. Make a note of the Category you assign to the collector. You’ll need it when you perform the CSE side of the configuration.
  • Click +Add Field and add a field named _siemforward, with a value of “true”. This setting tells the collector to forward the logs collected by HTTP sources on the collector to CSE.

siem-fwd-field.png

Step 3: Configure Sumo Logic Ingest Mapping in CSE

In this step, you configure a Sumo Logic Ingest Mapping in CSE for the source category assigned to the source or collector you configured in Step 2. The mapping tells CSE the information it needs to select the right mapper to process messages that have been tagged with that source category.

  1. Click the gear icon, and select Sumo Logic under Integrations.
    integrations-sumologic.png
  2. On the Sumo Logic Ingest Mappings page, click Create.
    ingest-mappings.png
  3. On the Create Sumo Logic Mapping popup:
    1. Source Category. Enter the category you assigned to the HTTP Source or Hosted Collector in Step 2.
    2. Format. Follow the instructions for the type of messages your source collects:

Unstructured messages with a syslog header

If your messages are unstructured with a syslog header, all you need to do is select “Process Syslog with Valid Header” for Format.

CSE applies GROK patterns to unstructured messages to determine which mapper to use, so you don’t need to supply any other configuration options.

create-mapping-1.png

Unstructured messages without a syslog header

If your messages are unstructured without a syslog header, all you need to do is select “Do not Process Syslog Header” for Format.

CSE applies GROK patterns to unstructured messages to determine which mapper to use, so you don’t need to supply any other configuration options.

create-mapping-3.png

JSON messages without a syslog header

If your messages are JSON format without a syslog header, there are required and optional configuration settings.

Required settings: Format, Vendor, Product, and Event ID
  1. For Format, select “JSON”. 
  2. You must specify values for Vendor, Product, and Event ID, which CSE will use to determine what mapper to use for your messages. If you don’t know these values, see Determining Product, Vendor, and Event ID pattern, above.
    create-mapping-2.png
Optional settings: Advanced JSON Parsing

If you would like to manipulate the JSON data before it’s flattened and parsed, expand the Advanced JSON Parsing section of the popup.

advanced-json-parsing.png

  1. JSON Explode. This option takes a JSON array value (flattened value) and creates multiple copies of the log line, one for each value of the array. You can only apply JSON Explode to one attribute within the JSON. For example, given the following example JSON log:

    { "animals" : { "pets" : ["cat", "dog"], "owned": "true"}, "kids": "none"}

    Setting the JSON Explode to animals.pets results in the creation of two separate raw log lines:

    { "animals" : { "pets" : "dog", "owned": "true"}, "kids": "none"}
    { "animals" : { "pets" : "cat", "owned": "true"}, "kids": "none"}

  2. JSON Zip Operations. Collapses JSON arrays in which key-value pairs are repeated with a common key identifier and value identifier. For example, given the following JSON array:

    { "pets" : [ {"name" : "fluffy"}, {"type": "cat"}, {"name": "fido", "type" : "dog"}, {"name": "sammy", "type" : "snake"}]}

    The JSON Zip operation will turn the array into:

    { "pets" : { "fluffy" : "cat" , "fido" : "dog", "sammy" : "snake"}}

    The JSON Zip parameters are:
     • Key Name. The name of the attribute whose value is the array to zip.
     • Match Key. The name of the attribute that represents the key in the output. In the example above, it’s name.
     • Match Value. The attribute in the array object that represents the value in the final output. In the example above, it’s type.
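The two Advanced JSON Parsing operations above, as an added Python illustration that is not CSE’s implementation: it applies JSON Explode and JSON Zip to the page’s own sample logs. The pairing rule in json_zip (match keys and match values are collected in array order and paired positionally, so that the separate objects {"name": "fluffy"} and {"type": "cat"} still zip together) is inferred from the example output and is an assumption; exploded lines are emitted in array order, which the page does not specify.

```python
"""Added illustration of JSON Explode and JSON Zip as described above.
Not CSE's implementation: the pairing rule in json_zip is inferred from the
page's example output. The sample records are the page's examples."""
import copy
import json
from typing import Any, Dict, List, Tuple


def _walk(obj: Dict[str, Any], path: str) -> Tuple[Dict[str, Any], str]:
    """Return (parent object, last key) for a dotted path such as "animals.pets"."""
    parts = path.split(".")
    parent = obj
    for part in parts[:-1]:
        parent = parent[part]
    return parent, parts[-1]


def json_explode(record: Dict[str, Any], path: str) -> List[Dict[str, Any]]:
    """One copy of the record per element of the array at `path`, with the array
    replaced by that element. A non-array value yields the record unchanged."""
    parent, key = _walk(record, path)
    value = parent.get(key)
    if not isinstance(value, list):
        return [copy.deepcopy(record)]
    copies = []
    for item in value:  # array order; the page does not specify an output order
        clone = copy.deepcopy(record)
        clone_parent, _ = _walk(clone, path)
        clone_parent[key] = item
        copies.append(clone)
    return copies


def json_zip(record: Dict[str, Any], key_name: str, match_key: str, match_value: str) -> Dict[str, Any]:
    """Collapse the array at `key_name` into one object: the i-th match_key value
    becomes a key whose value is the i-th match_value value. Array objects may
    carry the key, the value, or both, as in the page's example."""
    parent, key = _walk(record, key_name)
    items = parent.get(key)
    if not isinstance(items, list):
        return copy.deepcopy(record)
    keys = [o[match_key] for o in items if isinstance(o, dict) and match_key in o]
    values = [o[match_value] for o in items if isinstance(o, dict) and match_value in o]
    if len(keys) != len(values):
        raise ValueError(f"cannot zip {key_name!r}: {len(keys)} keys vs {len(values)} values")
    out = copy.deepcopy(record)
    out_parent, _ = _walk(out, key_name)
    out_parent[key] = dict(zip(keys, values))
    return out


def explode_raw_line(raw: str, path: str) -> List[str]:
    """Apply JSON Explode to a raw JSON log line and return the resulting raw lines."""
    return [json.dumps(r, separators=(",", ":")) for r in json_explode(json.loads(raw), path)]


# The page's sample logs, with straight quotes so they parse as JSON
EXPLODE_SAMPLE = '{ "animals" : { "pets" : ["cat", "dog"], "owned": "true"}, "kids": "none"}'
ZIP_SAMPLE = {"pets": [{"name": "fluffy"}, {"type": "cat"},
                       {"name": "fido", "type": "dog"}, {"name": "sammy", "type": "snake"}]}

if __name__ == "__main__":
    for line in explode_raw_line(EXPLODE_SAMPLE, "animals.pets"):
        print(line)
    print(json_zip(ZIP_SAMPLE, "pets", "name", "type"))
```

Both functions deep-copy their input, so the original record is left untouched; json_zip raises when the number of match keys and match values differ, since positional pairing would otherwise silently misattribute values.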

JSON messages with a syslog header

If your messages are JSON format with a syslog header:

  1. Format. Select “Process Syslog with Valid Header”. 
  2. Syslog Format. Choose “JSON”.
  3. You must specify values for Vendor, Product, and Event ID, which CSE will use to determine what mapper to use for your messages. If you don’t know these values, see Determining Product, Vendor, and Event ID pattern.

    create-mapping-4.png

CEF or LEEF messages with a syslog header

If your messages are CEF or LEEF messages with a syslog header, all you need to do is select “Process Syslog with Valid Header” for Format.

Don’t specify Syslog Format.

Don’t specify Vendor, Product, or Event ID. CSE can determine those values from the CEF or LEEF message itself.

create-mapping-1.png

CEF or LEEF messages without a syslog header

If your messages are CEF or LEEF messages without a syslog header, all you need to do is select “Do not Process Syslog Header” for Format.

Don’t specify Syslog Format.

Don’t specify Vendor, Product, or Event ID. CSE can determine those values from the CEF or LEEF message itself.

create-mapping-3.png

Structured syslog data (key-value pairs) with a syslog header

If your messages are structured syslog data (key-value pairs) with a syslog header:

  1. Format. Select “Process Syslog with Valid Header”. 
  2. Syslog Format. Choose “Key-Value”.
  3. The popup refreshes, with options for syslog delimiters.
  4. Syslog Delimiter. This is the delimiter between the key-value pairs.
  5. Syslog kv Delimiter. This is the delimiter between a key and a value.
  6. You must specify values for Vendor, Product, and Event ID, which CSE will use to determine what mapper to use for your messages. If you don’t know these values, see Determining Product, Vendor, and Event ID pattern.

    syslog-delimiters.png
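What the Syslog Delimiter and Syslog kv Delimiter settings mean for a message, as an added Python illustration that is not CSE’s parser: the body after the syslog header is split into pairs on the first delimiter, and each pair into key and value on the second. The header regex covers only a minimal RFC 3164-style header, and the sample messages are constructed. The second sample shows the edge case a practitioner should check before choosing delimiters: a value that itself contains the pair delimiter is cut short.

```python
"""Added illustration, not CSE code, of structured (key-value) syslog parsing
driven by the two delimiter settings. Sample messages are constructed."""
import re
from typing import Dict, List, Tuple

# Minimal RFC 3164-style header: <PRI>MMM dd HH:MM:SS host tag:
_SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?"
)


def split_syslog(line: str) -> Tuple[Dict[str, str], str]:
    """Separate the syslog header fields from the message body."""
    m = _SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("no valid syslog header; such messages need 'Do not Process Syslog Header'")
    return m.groupdict(), line[m.end():]


def parse_kv(body: str, pair_delim: str, kv_delim: str) -> Tuple[Dict[str, str], List[str]]:
    """Split `body` into pairs on `pair_delim` (Syslog Delimiter) and each pair
    into key and value on the first `kv_delim` (Syslog kv Delimiter). Tokens with
    no kv delimiter are returned separately instead of being dropped silently."""
    fields: Dict[str, str] = {}
    unparsed: List[str] = []
    for token in body.split(pair_delim):
        token = token.strip()
        if not token:
            continue
        key, sep, value = token.partition(kv_delim)
        if not sep:
            unparsed.append(token)
            continue
        fields[key.strip()] = value.strip()
    return fields, unparsed


def parse_structured_syslog(line: str, pair_delim: str, kv_delim: str):
    """Header fields, parsed key-value fields, and any tokens that did not parse."""
    header, body = split_syslog(line)
    fields, unparsed = parse_kv(body, pair_delim, kv_delim)
    return header, fields, unparsed


# Constructed sample messages
SAMPLE_COMMA = "<13>Mar  4 10:15:22 gw01 vpn: user=alice,action=login,result=success,src=198.51.100.7"
SAMPLE_SPACE = "<13>Mar  4 10:15:23 gw01 vpn: user=bob action=login result=failure reason=bad password"

if __name__ == "__main__":
    print(parse_structured_syslog(SAMPLE_COMMA, ",", "="))
    # "bad password" contains the pair delimiter, so "password" ends up unparsed
    print(parse_structured_syslog(SAMPLE_SPACE, " ", "="))
```

In the second sample the value bad password is split at the space, leaving reason=bad and a stray password token; if a source emits values like that, a different pair delimiter (or a source that quotes values) is needed before the mapping will yield usable fields.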

Microsoft Windows event logs in XML format

If your messages are Windows event logs in XML format, all you need to do is select “Windows” for Format.

CSE will determine the appropriate mapper to use from individual events. It will select the mapper whose:

  • Format is “Windows”.
  • Vendor is “Microsoft”.
  • Product is “Windows”.
  • Event ID is the value of {channel}-{eventid}, for example, “Security-1234”.

windows.png

Winlogbeats

If your messages are from Winlogbeats, all you need to do is select “Winlogbeats” for Format.

CSE will determine the appropriate mapper to use from individual events. It will select the mapper whose:

  • Format is “Windows”.
  • Vendor is “Microsoft”.
  • Product is “Windows”.
  • Event ID is the value of {channel}-{eventid}, for example, “Security-1234”.

winlogbeats.png

Fields extracted from Sumo Logic-ingested messages

If the messages with the source category you’ve specified in the mapping have had Sumo Logic Field Extraction Rules applied to them:

  1. Format. Select “Extracted Fields JSON”.
  2. You must specify values for Vendor, Product, and Event ID, which CSE will use to determine what mapper to use for your messages. If you don’t know these values, see Determining Product, Vendor, and Event ID pattern.

    extracted-fields-json.png

Step 4: Enable mapping

For CSE to be able to select a mapper for messages from Sumo Logic, a valid ingest mapping must be configured and enabled for the source category associated with incoming messages. 

To enable the mapping you have created, move the Enabled slider to “On”.