Sumo Logic

Collect Logs for CloudPassage Halo App

For the CloudPassage Halo App, we'll use the Halo REST API and AWS Lambda to collect Halo events and forward them to Sumo Logic.

You need to configure:

  • Two Sumo Logic hosted collectors.
  • Two Lambda functions to call Halo’s REST APIs and forward Halo events to Sumo Logic.

Sumo Logic Collector Configuration:

If this is the first time you are creating an HTTPS collector, review how to create an HTTP source.

Recommended configuration:

Create the collector

  1. Click Manage Data > Collection > Add Collector.
  2. Click Hosted Collector.
  3. In Add Hosted Collector enter:
    Name. Halo_Lambda_Ingestor.
    Description. Halo Events Collector.
    Category. CP_Halo.

    And click Save.
  4. Click OK to add a source to your collector.
  5. Select HTTP as the source type.
  6. Enter the information as below for Halo Security Events.
    Name. CP_Halo_Workload_Security_Events_Collector.
    Description. Halo Security Events Collector.
    Source Host. CP_Halo.
    Source Category. halo/workload/security/events

  7. Click Save. Be sure to note the endpoint URL provided for this collection. You will need it later.
  8. Create a second source.
  9. Click Hosted Collector.
  10. Select HTTP as the source type.
  11. Enter the information as below for Halo Metric Events.
    Name. CP_Halo_Metrics_Collector.
    Description. Halo key metrics collector.
    Source Host. CP_Halo.
    Source Category. halo/metrics.

  12. When you are done, you should have two sources, CP_Halo_Metrics_Collector and CP_Halo_Workload_Security_Events_Collector, set up under a single collector, Halo_Lambda_Ingestor.

CloudPassage Halo

Use the official CloudPassage documentation to set up CloudPassage. You will need your CloudPassage login. Follow the instructions on how to create a read-only API key for the app.

AWS Configuration

  • SQS (Simple Queue Service): If this is the first time you are using the SQS, it is strongly recommended to go through Quick start with SQS first.

This queue stores one message at any given time. The message contains "the last time (in Zulu format)" the script ran to collect the events from Halo. That message is then deleted and a new one (with the current time in Zulu format) is added to the queue.

The queue will be automatically created the first time you run the Halo_events_to_SumoLogic Lambda code.

Lambda Functions

If this is the first time you are using the Lambda, it is strongly recommended to go through Quick start with Lambda first.

Recommended configuration

Download the Python code from the two zip file links below.

  • Halo_events_to_SumoLogic.zip - Python Lambda code to collect Halo events and forward them to Sumo Logic. This Lambda code uses Halo's API to collect the security events reported by the agents installed in your workloads. It reads the "last time" the Lambda code ran from the SQS queue, then makes API call(s) requesting any events reported between that "last time" and the current time. It uses the SQS queue to store the "last time" the events were collected.
  • Halo_metrics_to_SumoLogic.zip - Python Lambda code to collect Halo metrics and forward them to Sumo Logic. This Lambda code uses Halo's API to collect the key stats from your Halo account.

Configure AWS Lambda for Halo_events_to_SumoLogic
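The checkpoint loop described above (read the "last time" from the single-message queue, pull the events between that time and now, forward them, then replace the queue message with the new time) is the part of the events Lambda that decides whether events get lost or duplicated. The example below is added here and is not the code in Halo_events_to_SumoLogic.zip: it is written for Python 3 rather than the Python 2.7 runtime the steps use, an in-memory SingleMessageQueue stands in for the SQS queue, the `fetch_page(since, until, page)` callable and the `created_at` event field are assumed stand-ins for the Halo API, and the 5-minute first-run lookback is an assumption matching the schedule used later on this page. The one deliberate difference from the sequence described in the text is that the checkpoint is advanced only after the forward to Sumo Logic succeeds, so a failed POST is retried on the next scheduled run instead of silently dropping that window.

```python
"""Checkpointed collection loop for a Halo -> Sumo Logic Lambda (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

ZULU = "%Y-%m-%dT%H:%M:%SZ"  # "Zulu format": UTC with a trailing Z, as stored in the queue


def parse_zulu(text: str) -> datetime:
    """Parse a Zulu-format timestamp into an aware UTC datetime."""
    return datetime.strptime(text, ZULU).replace(tzinfo=timezone.utc)


class SingleMessageQueue:
    """In-memory stand-in (assumption) for the last_time_scan SQS queue.
    It holds at most one message, exactly like the queue described on this page."""

    def __init__(self) -> None:
        self._messages: List[str] = []

    def receive(self) -> Optional[str]:
        return self._messages[0] if self._messages else None

    def delete(self) -> None:
        self._messages.clear()

    def send(self, body: str) -> None:
        self._messages.append(body)


def make_sumo_forwarder(endpoint_url: str) -> Callable[[List[Dict]], None]:
    """Return a forwarder that POSTs events to a Sumo Logic HTTP source URL
    (the endpoint noted when the source was created) as one JSON object per line."""
    def forward(events: List[Dict]) -> None:
        body = "\n".join(json.dumps(e, sort_keys=True) for e in events).encode("utf-8")
        req = urllib.request.Request(endpoint_url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        # urlopen raises HTTPError for 4xx/5xx, which propagates to run_once.
        with urllib.request.urlopen(req, timeout=30) as resp:
            if resp.status >= 300:
                raise RuntimeError("Sumo Logic returned HTTP %d" % resp.status)
    return forward


def run_once(queue: SingleMessageQueue,
             fetch_page: Callable[[datetime, datetime, int], List[Dict]],
             forward: Callable[[List[Dict]], None],
             now: datetime,
             first_run_lookback: timedelta = timedelta(minutes=5)) -> Dict:
    """One scheduled invocation: read the checkpoint, collect the window
    [since, now), forward it, and only then move the checkpoint to `now`."""
    stored = queue.receive()
    since = parse_zulu(stored) if stored else now - first_run_lookback
    until = now

    # Page through the API (assumed 1-based pages) until an empty page comes back.
    events: List[Dict] = []
    page = 1
    while True:
        batch = fetch_page(since, until, page)
        if not batch:
            break
        events.extend(batch)
        page += 1

    # Forward first. If this raises, the checkpoint below is never written,
    # so the same window is retried on the next run instead of being lost.
    if events:
        forward(events)

    # Replace the single checkpoint message with the end of this window.
    queue.delete()
    queue.send(until.strftime(ZULU))
    return {"since": since.strftime(ZULU), "until": until.strftime(ZULU),
            "forwarded": len(events)}
```

In the real function `forward` would be `make_sumo_forwarder(<your CP_Halo_Workload_Security_Events_Collector endpoint URL>)` and `fetch_page` a thin wrapper around the Halo events API; the window uses `since <= created_at < until` so an event on the boundary is delivered exactly once.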

Sample policy: Be sure to use the proper permission level.

  1. Configure Lambda.
  2. Click Blank Function.
  3. Click Next.
  4. Fill in Configure Function with:
    Name. halo_events_to_sumologic.
    Runtime. Python 2.7.
  5. Change Code entry type to Upload a .ZIP file, and upload the Halo_events_to_SumoLogic.zip file. Then enter the environment variables with proper values (refer to the steps above).
  6. Fill in the information to match the screenshot below. Enter halo_events_to_sumologic.lambda_handler for Handler. Then select "Create a custom role" for Role.
  7. Fill in the information to match the screenshot below. Select "Choose a new IAM Role" for IAM Role and lambda_basic_execution for Role Name.
  8. Change the Timeout to 4 minutes under Advanced Settings.
  9. Verify all the information is entered correctly. Then click Create Function to proceed.
  10. Now we need to create an IAM role. Select IAM.
  11. Select the lambda_basic_execution role that was created in the previous step.
  12. Select AmazonSQSFullAccess and AWSLambdaBasicExecutionRole for the policies. If you don’t have these policies, refer to the AWS manual and next few steps to create them.
  13. Here is the sample policy for AmazonSQSFullAccess. Make sure you change the permission to meet your security requirements.

    Sample policy: Use a proper permission level.  Below is a sample.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "sqs:*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

  14. Here is the sample policy for AWSLambdaBasicExecutionRole. Make sure you change the permission to meet your security requirements.
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }]
    }
  15. Let's test the Lambda code. Click on Test and then Save and test to start the code.

  16. If it is configured properly, it should create the SQS queue for you, and the outcome should look similar to below. Result should show you the time in Zulu format and Log Output should include [create_queue].

  17. If you check the SQS dashboard, you will see the new queue, last_time_scan, has been created for you automatically.
  18. Let's create a trigger for our Lambda code. I want this code to run every 5 minutes. Select Triggers from the tab. Then click Add trigger.
  19. Then click on the blank square to bring out the pulldown menu. Select CloudWatch Events - Schedule.
  20. Fill in the information and make sure you set the Schedule expression as rate(5 minutes).
  21. A successfully configured trigger will have a success message and appear similar to the trigger below.
  22. You are done for the first Lambda code! You can follow the same steps to configure Lambda for Halo_metrics_to_SumoLogic.
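Steps 13 and 14 both say to tighten the sample policies to your security requirements. The sample in step 13 grants `sqs:*` on every queue in the account, while the function only needs to create, read, write and delete messages on the single last_time_scan queue that step 17 shows being created. The policy below is an added example of what that tightening can look like, not a policy from Sumo Logic or CloudPassage: REGION_PLACEHOLDER and ACCOUNT_ID_PLACEHOLDER must be replaced with your own values, the log-group name assumes the function name halo_events_to_sumologic from step 4, and the list of SQS actions is an assumption derived from the behaviour described on this page (create the queue, receive, delete and send the checkpoint message), so confirm it against the calls the shipped code actually makes (for example from CloudTrail or IAM Access Analyzer findings after a test run) before removing the broader policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CheckpointQueueOnly",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:GetQueueUrl",
        "sqs:GetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:REGION_PLACEHOLDER:ACCOUNT_ID_PLACEHOLDER:last_time_scan"
    },
    {
      "Sid": "LambdaLoggingForThisFunction",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:REGION_PLACEHOLDER:ACCOUNT_ID_PLACEHOLDER:log-group:/aws/lambda/halo_events_to_sumologic:*"
    }
  ]
}
```

Attach this as a single inline policy on the lambda_basic_execution role in place of the two samples. If the first test run in step 15 fails with an AccessDenied error naming an SQS action that is missing here, add that one action rather than reverting to `sqs:*`.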