
Collect Events for Box

This procedure documents how to collect logs from Box into Sumo Logic.

Log Types

The Sumo Logic App for Box collects Box events, which are described in detail in the Box documentation.


Before you can collect events for the Sumo Logic App for Box, you must have a co-admin Box user with the “Run new reports and access existing reports” privilege.

The following files are required:

Deploy the packages, edit sumojanus-2.0/conf/, and authenticate Box. For more information, see Collect Events for the Box App.

Configure Logging in Box

Before you can deploy the scripts to production, you must first deploy the packages and authenticate Box.

Deploy the Packages

To perform this step, you will need an internet-connected computer with a web browser.

If you have not previously set up the SumoJanus package

  1. Copy the two package files you downloaded to the same folder, then unzip them there.
    1. On Linux, run the following commands:

      tar xzvf sumojanus-2.0.tar.gz
      tar xzvf sumojanus-2.0-box.tar.gz

    2. On Windows, use a third-party tool to unzip the package.
  2. This creates a folder called sumojanus-2.0 containing all the files from both packages.

If you have previously set up the SumoJanus package

  1. Back up conf/
  2. Copy the file sumojanus-2.0-box.tar.gz to the parent folder where SumoJanus is currently installed.
  3. From there, unzip the file sumojanus-2.0-box.tar.gz using the following command:

    tar xzvf sumojanus-2.0-box.tar.gz

  4. This will copy the files from the Box package to the sumojanus-2.0 folder.

Edit the Properties file

  1. Open the sumojanus-2.0/conf/ file in a text editor and add the following lines:

    token_path = ${path}/data/box_enc.token
    stream_pos_path = ${path}/data/box_stream_position.dat
    # optional, default is admin event
    #event_type = admin
    # optional, encrypt token file or not. Default is false
    encrypt_token_file = true
    # Optional, Overwrite default encryption key
    # encryption_key =
    # optional, startTime to query for Event Log files, in epoch milliseconds. Default is 2 days back.
    #startTime = 1435709058000
    # optional, endTime to query for Event Log files, in epoch milliseconds
    #endTime = 1436377600000

  2. Replace the ${path} variable with the actual path on the server where sumojanus-2.0 is installed. This is usually /sumojanus/sumojanus-2.0/.
  3. Save your changes.

Authenticate Box

As part of authentication, the script will open and listen to port 8080. It will also create a token file under the sumojanus-2.0/data folder. Before you begin, make sure the local firewall settings and file permissions allow these operations.
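
The prerequisites above can be checked before and after authenticating. The following is an added example, not part of the SumoJanus package: it parses the properties lines from the previous section, confirms that the ${path} placeholder was replaced, that the data folder is writable and that port 8080 is free, and after authentication checks that the token file exists, is non-empty and is not accessible to other users. All function names are hypothetical, and treating an unencrypted or group/world-accessible token file as a finding is an assumption of this example.

```python
import os
import socket
import stat


def parse_properties(text):
    """Parse 'key = value' lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def port_is_free(port=8080):
    """True if the port can be bound, so the script can listen on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
        except OSError:
            return False
    return True


def preflight(props, port=8080):
    """Findings to clear before running the script with -s (empty = ready)."""
    findings = []
    token_path = props.get("token_path", "")
    if not token_path or "${path}" in token_path:
        findings.append("token_path is unset or still contains ${path}")
    elif not os.access(os.path.dirname(token_path), os.W_OK | os.X_OK):
        findings.append("data folder is not writable")
    if props.get("encrypt_token_file", "false").lower() != "true":
        findings.append("encrypt_token_file is not true")
    if not port_is_free(port):
        findings.append("port %d is already in use" % port)
    return findings


def token_file_findings(token_path):
    """Findings after authentication (empty = token saved and private)."""
    if not os.path.isfile(token_path):
        return ["token file missing: repeat the authentication steps"]
    st = os.stat(token_path)
    findings = ["token file is empty"] if st.st_size == 0 else []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX mode bits (Linux)
        findings.append("token file is accessible to other users")
    return findings
```

Run preflight on the parsed properties before running the script in step 2 below, and token_file_findings on the configured token_path once the token has been saved; an empty list means no findings.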

  1. If you are currently logged in to your Box account, log out.
  2. From the sumojanus-2.0 folder, run:
    • For Linux: bin/SumoJanus_Box.bash -s
    • For Windows: bin\SumoJanus_Box.bat -s
  3. If Box presents a Disabled by Administrator message, follow the steps below to grant access to the Sumo app, and then re-run the script.
    1. Log in to Box and select Admin Console at the top of the screen.
    2. Go to Enterprise Settings or Business Settings and click on Apps.
    3. In the Custom Applications section, choose Authorize New App.
    4. In the App Authorization window, enter the Client ID for the Sumo app, nzjjxne0gqax07n4u5idwj7i8ravboqv, in the API Key field, and click Next.
    5. On the next page, in the Report and Settings row, select the “Run new reports and access existing reports” option, and save your changes.
    6. Repeat Step 2 (re-run the script).
  4. The script opens the browser. Log in to Box and click Authorize.
  5. (Optional) The Unpublished Applications setting on the Apps tab should show that the Sumo app is no longer disabled.
  6. Once authorized, the app will be enabled within your Developer enterprise.
  7. To grant access to all requested permissions, click Grant access to Box.
  8. Once permissions are granted, the script saves the access token into a local file. Verify that the file is actually created. If not, you may need to repeat the authentication steps.

    The path to this token file is configured in the file config/, under the property token_path.

  9. Test the script manually before you deploy it to production. To do so, go to the sumojanus-2.0 folder and run the following command:


Production Deployment

If you have not previously set up the SumoJanus package

Copy the whole sumojanus-2.0 folder to your production system where you set up the Sumo Logic Local Collector. We recommend putting this folder under the Collector folder.

Make sure the Local Collector has write permission to this folder, as the script will need to write locally on a regular basis.

If you have previously set up the SumoJanus package

If you are using SumoJanus 2.0 on the target box as part of another script collection, Salesforce for example, the folder sumojanus-2.0 already exists on your system. Do the following:

  1. Back up the file conf/
  2. Copy only the configuration section of conf/ to the target box. (This is the section you edited earlier.)
  3. Unzip only the bundle package sumojanus-2.0-box.tar.gz to the sumojanus-2.0 folder.
  4. Copy the token file just generated to sumojanus-2.0/data.
  5. Test the script manually. To do so, go to the sumojanus-2.0 folder and run the following command:


Configure a Collector

Configure an Installed Collector. Linux and Windows, with Java Runtime Environments, are supported.

Configure a Source

  1. Configure a Script Source.
  2. Configure the Source fields:
    1. Name. (Required) BoxCollector. (Description is optional.)
    2. Source Category. (Required) box
    3. Frequency. (Required) Every 5 Minutes
    4. Specify a timeout for your command. Activate the checkbox and select 60 Minutes.
    5. Command. (Required) /bin/bash (specify the correct path on your system)
    6. Script. (Required) Use the path to sumojanus-2.0 that you created in the Production Deployment step, such as /home/ubuntu/sumojanus-2.0/bin/SumoJanus_Box.bash. (Do not select “Type the script to execute.”)
    7. Working Directory. /home/ubuntu/sumojanus-2.0
  3. Click Save.

Sample Log Messages

{
   "source": {
      "type": "user",
      "id": "225980941",
      "name": "First Last",
      "login": ""
   },
   "created_by": {
      "type": "user",
      "id": "225980941",
      "name": "First Last",
      "login": ""
   },
   "created_at": "2016-12-15T11:08:58-08:00",
   "event_id": "7988d00a-aca3-4454-9021-652477f4fa78",
   "event_type": "LOGIN",
   "ip_address": "",
   "type": "event",
   "session_id": null,
   "additional_details": null
}

{
   "source": {
      "type": "user",
      "id": "262207389",
      "name": "user",
      "login": ""
   },
   "created_by": {
      "type": "user",
      "id": "225980941",
      "name": "first last",
      "login": ""
   },
   "created_at": "2016-12-14T16:09:33-08:00",
   "event_id": "d82f1946-2c51-43fe-bfcc-3452f9e2f6ff",
   "event_type": "DELETE_USER",
   "ip_address": "",
   "type": "event",
   "session_id": null,
   "additional_details": null
}

Query Sample

Top 10 Failed Logins

_sourceCategory=box  type "event_type" login
| json "created_at","ip_address","event_type","","created_by.login" as messagetime,src_ip,event_type, src_user,src_login nodrop
| json "","source.login","source.type"  as dest_user,dest_login, item_type nodrop
| where event_type="FAILED_LOGIN" 
| count as EventCount by src_user,src_login,src_ip | top 10 src_user,src_login,src_ip by EventCount